AppOmni adds Heisenberg mode after LiteLLM supply chain attack
AppOmni has added an actions mode to its open-source Heisenberg tool following a supply chain attack on the LiteLLM Python library that spread through widely used AI development frameworks.
The change comes after malicious LiteLLM versions 1.82.7 and 1.82.8 were pulled into projects including Microsoft GraphRAG, Google ADK and Checkmarx. LiteLLM is widely used to connect applications to more than 100 AI services and has recorded tens of millions of downloads. Security researchers said the tampered packages were designed to steal credentials and install a backdoor on affected systems.
Because LiteLLM often sits inside other tools as a dependency, some organisations may not realise it is present in their software stack. That increases the risk that compromised versions remain in build environments or production systems.
Actions mode
The new Heisenberg mode is intended to help development teams identify which GitHub Actions they use, trace wrapper actions to the underlying components, and check where affected packages appear during an incident.
The update is aimed at improving visibility inside CI/CD workflows, where third-party actions and dependencies are often pulled automatically into build pipelines.
Attack chain
The LiteLLM compromise appears to be linked to an earlier breach involving Trivy, an open-source security scanner commonly used in CI/CD pipelines. Reports said attackers abused compromised CI/CD infrastructure and mutable release references, then used stolen credentials to interfere with LiteLLM's package publishing chain.
Security specialists have described the incident as a software supply chain attack rather than a flaw in an AI model or application. The target was the development and release process, which allowed malicious code to move through trusted dependencies into multiple downstream projects.
"LiteLLM is a widely used open-source Python library in AI software projects, which makes this incident particularly serious," said Cory Michal, Chief Information Security Officer, AppOmni.
"The malicious LiteLLM release compromised thousands of developers through a credential harvester, a stealer, and a persistent backdoor designed to maintain access and move laterally," said Michal.
"This does not appear to be an isolated LiteLLM breach but downstream fallout from the earlier Trivy compromise, where abuse of a trusted vulnerability scanner in CI/CD pipelines enabled credential theft that was then allegedly used to poison LiteLLM's PyPI release chain," said Michal.
"That turns one upstream supply chain failure into a cascading compromise affecting multiple projects and environments," said Michal.
Supply chain risk
Security teams have warned that modern development pipelines rely heavily on implicit trust in third-party packages, actions and release artefacts. When an upstream component is compromised, that trust can allow malicious code to spread quickly across build systems.
"This incident ranks among the more serious recent cases involving AI tools because it was not model abuse or prompt injection but a software supply chain compromise that led to malicious package publication, credential theft and persistence on affected hosts," said Michal.
"The risk extends beyond a single application into the development and release pipeline itself," said Michal.
"The apparent link between the LiteLLM compromise and the earlier Trivy breach shows how attackers can use one trusted CI/CD compromise to poison another widely used dependency," said Michal.
"That kind of cascading, transitive risk is exactly what security teams worry about most," said Michal.
Response steps
The malicious packages were reported to install credential-stealing code, Kubernetes lateral-movement tooling and persistent backdoors. That means affected organisations may face host or cluster compromise rather than a simple dependency issue.
"Organisations should identify and remove those versions wherever they are installed, isolate affected hosts, inspect Kubernetes clusters for rogue privileged pods, review network logs for traffic to command-and-control domains, remove persistence mechanisms, and rotate any credentials, tokens, keys or secrets present on those systems," said Michal.
"Teams should also audit whether those environments were exposed through the earlier Trivy breach, since current reporting indicates the LiteLLM compromise was downstream fallout from that initial CI/CD trust failure," said Michal.
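As an added example (not AppOmni's Heisenberg code or any project's own tooling), the two checks described above in Python: one flags pinned requirements or pip freeze output that reference the malicious LiteLLM versions, the other lists the remote GitHub Actions a workflow pulls in and whether each is pinned to an immutable commit SHA rather than a mutable tag or branch. The sample requirements, workflow, action names and SHA are constructed placeholders.

```python
import re

COMPROMISED_LITELLM = {"1.82.7", "1.82.8"}  # malicious releases named in the article

# Pinned requirement or pip-freeze line: "litellm==1.82.7", "LiteLLM[proxy]==1.82.8 ; marker".
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)")
# "uses: owner/repo[/path]@ref" in a GitHub Actions workflow (local ./ and docker:// uses are skipped).
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(\S+)")

def find_compromised_pins(requirements_text):
    """Return (package, version) pins that reference a compromised LiteLLM build."""
    hits = []
    for line in requirements_text.splitlines():
        m = _REQ_RE.match(line.split("#", 1)[0])  # ignore trailing comments
        if not m:
            continue
        # PEP 503 normalisation so LiteLLM and litellm compare equal.
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        if name == "litellm" and m.group(2) in COMPROMISED_LITELLM:
            hits.append((m.group(1), m.group(2)))
    return hits

def audit_workflow_actions(workflow_text):
    """Return (action, ref, pinned_to_sha) for each remote action a workflow uses."""
    findings = []
    for line in workflow_text.splitlines():
        m = _USES_RE.match(line)
        if m:
            action, ref = m.groups()
            # A full 40-hex commit SHA is immutable; a tag or branch can be repointed upstream.
            findings.append((action, ref, bool(re.fullmatch(r"[0-9a-f]{40}", ref))))
    return findings

# Constructed sample inputs; the SHA and action names are placeholders, not real projects.
SAMPLE_REQUIREMENTS = """\
LiteLLM[proxy]==1.82.7  # pulled in by an internal wrapper package
litellm==1.81.0
"""
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/wrapper-action@v1
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    print(find_compromised_pins(SAMPLE_REQUIREMENTS), audit_workflow_actions(SAMPLE_WORKFLOW))
```

Run the same two functions over every requirements file, lock-derived freeze output and `.github/workflows/*.yml` in a repository to get the inventory the article says teams need during an incident.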