Introduction
Hi, we’re Denny (Donghee) and Elvin (Subin) from Karrot’s Python Chapter. At Karrot, we have Chapter groups where members interested in specific programming languages voluntarily come together to discuss company-wide policies and ecosystem issues for that language. There are chapters for several languages including Go and Ruby, and the Python Chapter is one of them.
This post shares the process by which the Python Chapter discussed supply chain security issues and actually applied the solution to our internal infrastructure. We hope it will be helpful to others facing similar concerns.
How It Started: The LiteLLM Supply Chain Attack
On March 24, 2026, the LiteLLM PyPI package, widely used as an LLM proxy library, suffered a supply chain attack.
Here’s how the attack unfolded:
LiteLLM was running a security scanner called Trivy in its CI/CD pipeline for security purposes.
The attacker stole the credentials for Trivy that LiteLLM was using in its CI/CD.
Using the stolen credentials, they bypassed the official CI/CD pipeline and uploaded packages containing malicious code (1.82.7, 1.82.8) directly to PyPI.
These versions contained payloads that exfiltrated environment variables, SSH keys, and cloud credentials to external servers.
The malicious packages were quarantined by PyPI relatively quickly, but a significant number of downloads occurred even during that short window. Around the same time, the telnyx package was also targeted in the same manner.
Why Cooldown?
Such supply chain attacks share a common pattern: the exposure window between when a malicious package is uploaded to PyPI and when it’s detected and quarantined is short.
According to William Woodruff’s analysis (“We should all be using dependency cooldowns”), eight out of ten recent major supply chain attacks had exposure windows of less than a week. A 14-day cooldown would have prevented nine of the ten.
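The cooldown rule, sketched as an added example (not code from this post or from any tool it mentions): a resolver-side filter that only accepts releases whose files have all aged past the cooldown. The release map is constructed in the shape of PyPI's JSON API; versions 1.82.7 and 1.82.8 are the ones named above, while 1.82.6, every timestamp, and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of the "releases" map from PyPI's JSON API.
# 1.82.7 and 1.82.8 are the versions named in the post; 1.82.6 and every
# timestamp below are constructed for illustration.
SAMPLE_RELEASES = {
    "1.82.6": [{"upload_time_iso_8601": "2026-03-02T10:00:00Z", "yanked": False}],
    "1.82.7": [{"upload_time_iso_8601": "2026-03-24T09:00:00Z", "yanked": False}],
    "1.82.8": [{"upload_time_iso_8601": "2026-03-24T11:30:00Z", "yanked": False}],
}


def parse_ts(ts):
    """Parse an ISO 8601 UTC timestamp such as 2026-03-24T09:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def eligible_versions(releases, now, cooldown_days):
    """Return versions whose every file is older than the cooldown, oldest first."""
    cutoff = now - timedelta(days=cooldown_days)
    aged = []
    for version, files in releases.items():
        # Skip empty releases and anything yanked after the fact.
        if not files or any(f.get("yanked", False) for f in files):
            continue
        # Use the newest file: files can be added to an existing version
        # later, so the earliest upload time would understate its age.
        newest = max(parse_ts(f["upload_time_iso_8601"]) for f in files)
        if newest <= cutoff:
            aged.append((newest, version))
    return [version for _, version in sorted(aged)]


def pick_version(releases, now, cooldown_days):
    """Most recently uploaded version that has aged past the cooldown, or None."""
    versions = eligible_versions(releases, now, cooldown_days)
    return versions[-1] if versions else None


if __name__ == "__main__":
    now = parse_ts("2026-03-24T12:00:00Z")  # constructed "install time"
    for days in (0, 14):
        print(days, "day cooldown ->", pick_version(SAMPLE_RELEASES, now, days))
```

With no cooldown the newest upload wins; with 14 days the resolver stays on the older release until the new ones have been public long enough to be detected and pulled.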
The idea itself is simple: don’t install packages right after they’re uploaded to