Connect with us

CyberSecurity

LiteLLM Malware Incident Raises Questions About AI Security Compliance

Published

on

A Breakout AI Project Gets a Nasty Surprise

Imagine downloading a trusted, widely-used tool only to have your computer suddenly shut down. That’s exactly what happened to research scientist Callum McMahon. His investigation into the crash led to a disturbing discovery: the popular open-source project LiteLLM was infected with malware.

LiteLLM is a developer darling. It simplifies access to hundreds of AI models and helps manage costs. Its success is staggering, with estimates of 3.4 million daily downloads and tens of thousands of GitHub stars. This widespread adoption made the security breach particularly alarming.

The malware was a classic case of a supply chain attack. It didn’t target LiteLLM’s core code directly. Instead, it slipped in through a ‘dependency’—another piece of open-source software that LiteLLM uses. Once inside, its mission was simple: steal every login credential it could find.

The Ironic Flaw That Exposed the Threat

Security incidents are rarely funny, but this one had a bizarre twist. The malware that caused McMahon’s machine to crash was itself buggy. Its sloppy design was its own undoing, prompting McMahon and other experts like Andrej Karpathy to label it as ‘vibe coded’—a term for rushed, poorly constructed software.

That flaw may have been a small blessing. The LiteLLM team reacted swiftly, working around the clock to contain the issue. The attack was caught within hours, limiting potential damage. The focus now is on a forensic review with cybersecurity firm Mandiant to understand the full scope.

Yet, while the technical cleanup is underway, a separate controversy has ignited online. It centers on a badge displayed proudly on the LiteLLM website.

Security Certifications Under a Microscope

Visit the LiteLLM site, and you’ll see it boasts two major security compliance certifications: SOC2 and ISO 27001. These are not minor accolades. They signal to enterprise customers that a company has robust security policies and controls in place.

Here’s the catch. LiteLLM obtained these certifications through a startup named Delve. Delve, a Y Combinator-backed company, uses AI to streamline the compliance process. It has also faced serious allegations.

Multiple reports accuse Delve of misleading customers about their true compliance status. The allegations suggest the company generated fake data and used auditors who provided rubber-stamp approvals. Delve has publicly denied these claims.

The juxtaposition is hard to ignore. A project certified for strong security practices becomes the victim of a significant malware attack. Engineer Gergely Orosz captured the online sentiment perfectly on X: ‘Oh damn, I thought this WAS a joke. … but no, LiteLLM *really* was ‘Secured by Delve.’’

What Do Compliance Badges Actually Guarantee?

This incident forces a crucial question. What do security certifications actually protect against? It’s a point of nuance that’s easy to miss in the rush to judgment.

Certifications like SOC2 and ISO 27001 audit a company’s internal policies and procedures. They verify that a framework exists to manage risk. For example, a SOC2 report should cover how a company vets and monitors its software dependencies.

They are not, however, a magical shield. They don’t automatically prevent a determined attacker from exploiting a vulnerability in a third-party library. A company can have impeccable policies on paper and still fall victim to a novel attack vector.

The LiteLLM team is currently in crisis mode. CEO Krrish Dholakia declined to comment on the company’s relationship with Delve, stating the immediate priority is the ongoing investigation. The promise is to share technical lessons with the community once the forensics are complete.

This story is more than a tech support ticket. It’s a real-world stress test for the burgeoning AI infrastructure ecosystem. It highlights the tension between the need for speed in a competitive market and the non-negotiable requirement for rigorous, trustworthy security. For developers and companies relying on open-source AI tools, the message is clear: look beyond the badge. Understand what it represents, and more importantly, what it does not.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

Veil#Drop Attacks Weaponize Blogspot and Compromised Sites to Deploy PureLog Stealer

Published

on

Veil#Drop attacks

Trusted Google Infrastructure Abused in Multi-Stage Campaign

Security researchers have uncovered a sophisticated malware delivery operation that weaponizes Blogspot, Google’s long-standing blogging platform, to distribute information-stealing payloads. Dubbed Veil#Drop attacks, the campaign uses compromised websites and social engineering lures to infect victims with PureLog Stealer, a .NET-based credential thief.

Analysts at Securonix detailed the framework in a new report, describing a multi-stage chain that blends JavaScript, PowerShell, and fileless execution techniques. The goal: slip past traditional antivirus and leave minimal forensic traces.

How the Infection Chain Unfolds

The attack starts with a JavaScript file that masquerades as a legitimate document. When a victim opens it, the script launches PowerShell code, bypassing execution policies that would normally block such activity.

That PowerShell acts as a download cradle. It reaches out to attacker-controlled Blogspot pages to pull down the next stage. Because Blogspot sits on Google’s trusted infrastructure, the traffic often blends in with normal web activity.

Once retrieved, the Blogspot-hosted payload does three things: it displays a decoy document to keep the victim occupied, terminates certain running processes, and decrypts embedded content. The decoded code then generates additional Blogspot URLs and executes further payloads directly in memory — nothing touches the hard drive.

Fileless Execution and XOR Obfuscation

A second-stage loader contains XOR-encoded .NET assemblies stored as large embedded data blobs. According to Securonix, these are “reconstructed and decrypted at runtime, preventing straightforward static analysis and reducing the effectiveness of signature-based detection mechanisms.”

The chain also includes fallback mechanisms and abuses LOLBINs — legitimate Microsoft-signed binaries — for code execution and defense evasion. This layered approach makes it harder for endpoint protection to spot the malicious activity.

PureLog Stealer: What It Takes

By the end of the infection, the victim’s machine runs PureLog Stealer. This .NET-based malware performs system reconnaissance and then starts harvesting data from browsers including Google Chrome, Microsoft Edge, Firefox, Brave, Opera, and any Chromium-based browser.

Its targets are broad: credentials, cookies, autofill data, session tokens, browsing histories, and cryptocurrency wallet information. Beyond browsers, PureLog Stealer can also pillage messaging apps, email clients, remote access tools, FTP clients, cloud storage software, developer utilities, and password managers.

All stolen data is packaged and sent to attacker-controlled servers in encrypted form.

Enterprise Risk: More Than Just Stolen Passwords

The danger goes beyond a single compromised workstation. PureLog Stealer’s reach means a single infection can yield credentials, tokens, and keys that unlock larger parts of an organization’s network.

“In enterprise environments, information stealers are frequently the first stage of larger intrusion campaigns,” Securonix warns. “Stolen credentials may later be used to deploy ransomware, conduct data theft operations, perform business email compromise attacks, or facilitate long-term espionage activities.”

This makes Veil#Drop attacks a concern for security teams already stretched thin. The combination of trusted platforms, fileless execution, and multi-stage payloads demands detection strategies that go beyond signature matching.

Defending Against Blogspot-Based Malware Delivery

Organizations can reduce exposure by restricting PowerShell execution policies where possible and monitoring for anomalous outbound connections to cloud platforms like Blogspot. Behavioral detection tools that spot in-memory execution patterns offer another layer of defense.

User education also matters. The initial JavaScript lure relies on someone opening an attachment they weren’t expecting. A healthy dose of skepticism — and a clear policy on unsolicited documents — can stop the chain before it starts.

For more on related threats, see our coverage of the CryptoBandits malware doubling as a backdoor and the Rokarolla banking Trojan targeting 200 applications.

Continue Reading

CyberSecurity

‘BusySnake’ Infostealer Slithers into Critical Infrastructure Networks

Published

on

BusySnake infostealer

New Malware Campaign Targets Power Grids and Government Networks

A previously undocumented infostealer malware, tracked as BusySnake, has been found infiltrating government agencies and electrical power companies in Russia, Brazil, and Kazakhstan. Security researchers at Kaspersky attribute the campaign to a threat actor they call Armored Likho.

The discovery marks a worrying expansion of cyber-espionage into operational technology environments. While the malware itself is not designed to disrupt power grids directly, its ability to siphon credentials, system data, and internal communications gives attackers a dangerous foothold.

Think about it: once you have an attacker inside a utility’s IT network, the jump to industrial control systems becomes far easier. That’s the real nightmare scenario.

What Is BusySnake? A Low-and-Slow Data Thief

BusySnake is not a fast-moving worm. It’s the opposite — a stealthy, modular infostealer that operates in stages. The malware arrives via spear-phishing emails, often disguised as official correspondence from government or energy-sector partners.

Once executed, it performs several key actions:

  • Credential harvesting — steals login data from browsers, email clients, and VPN software
  • Screen capture — takes periodic screenshots of the victim’s desktop
  • Keylogging — records keystrokes to capture passwords and sensitive conversations
  • File exfiltration — uploads documents matching specific extensions (.doc, .xls, .pdf) to a command-and-control server

The malware communicates over HTTPS to blend in with normal traffic, making detection harder for traditional network monitoring tools.

Armored Likho: Who’s Behind the Attacks?

Kaspersky’s researchers have been tracking Armored Likho since mid-2024. The group shows a clear preference for targeting critical infrastructure — primarily electricity generation and distribution entities, along with central government bodies.

Geographically, the campaign has hit three countries hardest:

  • Russia — multiple regional energy companies and federal agencies
  • Brazil — at least two major electrical utilities and a state-level government network
  • Kazakhstan — a national power grid operator and a ministry

Why these three? The geographic spread suggests the attackers are not driven by simple regional conflict. Instead, they appear interested in energy-sector intelligence across different continents. This could point to state-sponsored espionage or a sophisticated cybercrime group selling access to the highest bidder.

How BusySnake Evades Detection

The malware uses several tricks to stay under the radar. First, it checks for sandbox environments and debuggers before executing its payload — a common anti-analysis technique. If it detects a virtual machine or security tool, it simply shuts down.

Second, BusySnake encrypts its configuration files and uses steganography to hide stolen data inside innocent-looking image files before exfiltration. Security teams scanning for unusual file transfers might miss these pictures entirely.

Third, the malware employs a modular structure. The initial dropper is small and lightweight. Only after confirming a successful infection does it download additional components from the C2 server. This makes signature-based detection nearly useless.

Implications for Critical Infrastructure Security

For organizations running power plants, electrical grids, or government networks, the BusySnake campaign is a wake-up call. The attackers are not just after credit card numbers — they want operational blueprints, SCADA credentials, and internal communications.

Once an attacker has that level of access, they can map out the entire network. From there, it’s a short step to sabotaging industrial control systems or launching ransomware that could black out a city.

Security teams should take immediate action:

  • Segment IT and OT networks — ensure that compromised office computers cannot directly communicate with industrial systems
  • Deploy behavioral detection — look for unusual data transfers, not just known malware signatures
  • Train staff on spear-phishing — many BusySnake infections start with a single employee clicking a malicious attachment
  • Monitor for BusySnake indicators — Kaspersky has published IOCs including C2 domains, file hashes, and registry keys

What Comes Next?

The Armored Likho group shows no signs of slowing down. Kaspersky expects them to expand into other regions and sectors, possibly targeting oil and gas or water treatment facilities next.

For now, the best defense is awareness. Critical infrastructure security teams need to assume they are already being probed. The question is not if an infostealer like BusySnake will arrive at their network perimeter — it’s whether they’ll catch it before the data walks out the door.

Organizations that have not yet reviewed their cybersecurity best practices for power grids should do so immediately. And for anyone still relying on antivirus alone to stop modern infostealers — it’s time to rethink that strategy.

Continue Reading

CyberSecurity

A 16-Year-Old Bug in Linux KVM Lets Guest VMs Break Out and Attack the Host

Published

on

KVM VM escape

A Bug That Almost Drove a Generation

A 16-year-old vulnerability in Linux’s KVM hypervisor can be triggered from inside a guest virtual machine to corrupt the host kernel’s memory. The result? A full VM escape — the kind of security nightmare that keeps cloud providers up at night.

Tracked as CVE-2026-53359 and nicknamed ‘Januscape’ by its discoverer, the flaw sits in the shadow MMU code that KVM shares across both Intel and AMD x86 processors. The researcher released a public proof-of-concept that panics the host. A separate, unreleased exploit, they claim, can achieve full code execution from the guest.

That’s a 16-year-old bug. It affects every Linux kernel version since the shadow MMU was introduced — which is most of KVM’s lifespan. The vulnerability was introduced in 2008 and only patched in late 2025.

What Exactly Is the Januscape Bug?

The flaw is a use-after-free in KVM’s handling of shadow page tables. Shadow paging is a memory virtualization technique KVM uses when hardware-assisted nested paging (like Intel EPT or AMD NPT) isn’t available or is disabled. The hypervisor maintains shadow page tables that mirror the guest’s physical-to-machine memory mappings.

In the vulnerable code path, a guest can trigger a specific sequence of operations — including a TLB flush and a page fault — that causes KVM to free a shadow page entry while it’s still being referenced. The freed memory can then be reallocated for other purposes. A malicious guest can control that reallocation.

The researcher describes it as a “race between the guest and the host” — the guest forces a specific timing window where the shadow page state becomes inconsistent. Once the host kernel touches the dangling pointer, it’s game over.

Why It Took 16 Years to Find

Shadow paging is complex. The code paths for page table walks, TLB flushes, and fault handling interact in subtle ways. The bug itself is a classic use-after-free, but the trigger conditions are rare enough that it survived years of code reviews and fuzzing campaigns.

It’s also worth nothing that most modern KVM deployments use hardware-assisted virtualization (EPT/NPT), which bypasses shadow paging entirely. That means cloud providers running recent hardware are not directly exposed. But any Linux system running KVM with shadow paging enabled — including many older servers, embedded systems, and test environments — is vulnerable.

Impact: Who Should Worry?

The short answer: anyone running KVM on Intel or AMD x86 systems without hardware nested paging. That includes:

  • Older server hardware (pre-2010 Intel Nehalem/Westmere or AMD Bulldozer era) that lacks EPT/NPT support.
  • Systems where nested virtualization is used, and the L1 hypervisor falls back to shadow paging.
  • Test labs, CI runners, and development environments that disable hardware virtualization features for debugging.
  • Embedded Linux systems running KVM on older x86 CPUs.

For cloud providers running modern hardware with EPT/NPT, the risk is minimal. But the bug is a reminder that KVM security depends on more than just the hypervisor code — the hardware capabilities matter just as much.

Patch and Mitigation

Linux kernel maintainers released a fix in late 2025. The patch is relatively small — it adds a missing reference count increment in the shadow page table code path. Systems running kernel versions 5.x and 6.x should update to the latest stable release.

If patching immediately isn’t possible, there are workarounds:

  • Enable hardware nested paging — ensure Intel EPT or AMD NPT is enabled in the BIOS and that the kernel boots with kvm-intel.ept=1 or kvm-amd.npt=1.
  • Disable shadow paging — if you must run without EPT/NPT, consider using a different hypervisor or limiting guest access to trusted workloads only.
  • Restrict guest capabilities — the bug requires specific hypercalls and page table manipulations. Limiting guest kernel access can reduce the attack surface.

A Wake-Up Call for Legacy Code

The Januscape bug is not a theoretical curiosity. It’s a practical, exploitable vulnerability that sat hidden for 16 years. That it affects both Intel and AMD systems equally makes it a broad threat.

The researcher’s decision to release a host-panicking PoC while keeping the full exploit private is a reasonable compromise — it proves the bug is real without handing out a weapon. But the existence of a working exploit means attackers with enough resources could reverse-engineer it.

For organizations still running older kernels or hardware without EPT/NPT, this is the moment to patch. The bug may be old, but the threat is current. And as cloud computing continues to rely on Linux virtualization at scale, even legacy code paths deserve scrutiny.

Because sometimes, a 16-year-old bug is the one that gets you.

Continue Reading

Trending