LiteLLM says it will recertify with Vanta after PyPI malware incident

LiteLLM, the AI gateway that says it gives developers a unified interface to more than 100 models, plus cost tracking and budget controls, said it will pursue SOC 2 Type 2 and ISO 27001 recertification with Vanta support and independent auditors.

The change followed a supply-chain incident that hit LiteLLM’s Python package distribution last week. As of March 31, PyPI Stats listed 3,477,808 LiteLLM downloads in the last day.

What the malicious packages did and how they were caught

The incident centered on two malicious PyPI releases, versions 1.82.7 and 1.82.8, that LiteLLM said were published on March 24 and later removed.

In its security update, the company said the compromised packages were designed to harvest environment variables, SSH keys, cloud credentials, Kubernetes tokens and database passwords, then exfiltrate data to a domain outside official LiteLLM infrastructure.

FutureSearch researcher Callum McMahon, whose firm said it first reported the issue to PyPI, said version 1.82.8 also carried a .pth file that executed on every Python startup and that a bug in the malware caused the crash that exposed it.
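A defender can check an environment for both points described above: whether one of the two named releases is installed, and which `.pth` files run code when the interpreter starts. The script below is an added example, not code from LiteLLM, FutureSearch or PyPI. Its function names are hypothetical, and because the article does not give the malicious file's name or contents, it reports every `.pth` line that Python's `site` module would execute.

```python
"""Audit a Python environment for the two litellm releases named above and
for .pth files that run code at interpreter startup (added example)."""
import site
from importlib import metadata
from pathlib import Path

# Versions the article reports as malicious (published March 24, later removed).
AFFECTED = {"1.82.7", "1.82.8"}


def executable_pth_lines(text):
    """Return (line_number, line) for lines the site module would exec().

    site.py executes any .pth line that begins with 'import' followed by a
    space or tab; other non-comment lines are only appended to sys.path.
    """
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if line.startswith(("import ", "import\t"))]


def scan_site_dir(directory):
    """Map each .pth file in `directory` to its executable lines, if any."""
    findings = {}
    for pth in sorted(Path(directory).glob("*.pth")):
        hits = executable_pth_lines(pth.read_text(errors="replace"))
        if hits:
            findings[pth.name] = hits
    return findings


def litellm_status(version):
    """Classify an installed litellm version string (None = not installed)."""
    if version is None:
        return "not installed"
    return "AFFECTED" if version in AFFECTED else "not a listed malicious version"


if __name__ == "__main__":
    try:
        installed = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        installed = None
    print(f"litellm: {installed} -> {litellm_status(installed)}")
    dirs = set(site.getsitepackages() + [site.getusersitepackages()])
    for d in sorted(dirs):
        for name, hits in scan_site_dir(d).items():
            for n, line in hits:
                print(f"{d}/{name}:{n}: runs at startup: {line[:80]}")
```

Legitimate packages such as setuptools also ship `import` lines in `.pth` files, so each hit is an item to review rather than a verdict.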

How the pipeline was compromised and what widened the damage

LiteLLM’s March 27 town-hall update tied the breach to a compromised Trivy security scanner in its CI/CD pipeline. The company said three factors widened the blast radius: a shared CircleCI environment, static release credentials stored in environment variables and an unpinned Trivy dependency.

It said the malicious packages were live for about 40 minutes before PyPI quarantined them, and that it rotated affected credentials, paused new releases and brought in Google’s Mandiant for forensic work.

Aqua Security, Trivy’s maintainer, separately said a threat actor had used compromised credentials on March 19 to publish malicious Trivy releases and hijack Trivy-related tags in what it described as a broader supply-chain attack.

The compliance dispute that surfaced alongside the incident

The malware incident also unfolded amid a separate public dispute over Delve’s compliance practices.

On March 20, Delve responded to an anonymous Substack post by saying it does not conduct audits or issue “fake” SOC 2 reports, that final reports and opinions are issued solely by independent licensed auditors and that customers can bring their own auditor or use one from Delve’s network.

Four days later, Delve said it would offer complimentary re-audits, independent penetration tests and engagement letters from auditors at no cost to customers.

LiteLLM’s enterprise page said the company was SOC-2 Type 2 and ISO 27001 certified. Its data-security page separately said SOC 2 Type I, SOC 2 Type II and ISO 27001 reports were available on request on the enterprise plan.

TechCrunch reported on March 26 that Delve had handled LiteLLM’s earlier certification work.

LiteLLM’s March 30 recertification post did not name Delve, but it said it will pursue SOC 2 Type 2 and ISO 27001 recertification with Vanta and is identifying independent auditors to validate and verify its compliance posture.

What SOC 2 and ISO 27001 recertification require

AICPA says a SOC 2 examination reports on controls relevant to security, availability, processing integrity, confidentiality or privacy.

AICPA also says accountants providing audit and attestation services should be independent in fact and appearance. On the ISO side, IAF CertSearch says ISO/IEC 27001 certification requires an independent audit to confirm conformity with the standard.

AICPA guidance also addresses vendor-management breakdowns in SOC 2 engagements. In a December 2023 discussion on SOC engagements, the institute said SOC 2 common criterion CC 9.2 provides a way to report when vendor-management processing is not functioning adequately.

LiteLLM’s public explanation of the breach pointed to a compromised security-scanning dependency inside its release pipeline, while its March 30 update said the company would add independent auditors to validate the controls behind its compliance claims.

What LiteLLM has said and what remains unresolved

LiteLLM said it has paused releases, changed parts of its release process and started a new recertification effort with Vanta while identifying independent auditors.

The company said official LiteLLM Cloud and the official Docker image were not affected because those paths did not depend on the compromised PyPI releases, and it published hashes for versions it said were audited and clean.

It has not yet named the outside auditors or published a new certification date. Delve, for its part, continues to say it does not fake evidence and that independent auditors, not Delve, issue final reports and certifications.

 
