LiteLLM Supply Chain Compromise

Summary

On March 24, 2026 — coincident with the launch of Google ADK Go 1.0 (March 31, 2026) — a compromised version of the LiteLLM library was detected in the ADK’s dependency tree. The incident is significant primarily because it confirms that hyperscaler-built AI toolchains are not immune to the supply-chain risks active across the broader Q1 2026 incident set.

Attack Vector

LiteLLM is widely used as a model-router shim in agentic stacks. A compromised release in its dependency chain means downstream consumers (including Google’s own ADK) inherited the vulnerability simply by pinning to current versions.

Defensive Lessons

  • AI-BOM (AI Bill of Materials) adoption is lagging. The AI Security Standards Q1 2026 paper notes ML-BOM adoption lags 48% behind SBOM requirements. This incident is a concrete cost of that gap.
  • Reproducible builds and version pinning would have constrained but not prevented this — pinning to the wrong version is still wrong.
  • The pairing of ClawHavoc (skill marketplace) + SANDWORM_MODE (npm registry) + this LiteLLM compromise (transitive dependency) describes three distinct supply-chain attack surfaces in the agentic AI stack within a single quarter. Treat them as a class, not three isolated events.
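
The check these lessons point to, as an added example (not code from the ADK or LiteLLM projects): walk a CycloneDX-style BOM's dependency graph and report the path by which a known-bad release reaches the application. The SBOM, the `agent-framework` name and the `0.0.0-COMPROMISED` version are constructed placeholders, since the affected version is not given here.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM; every name and version is a placeholder.
SBOM = json.loads("""{
  "metadata": {"component": {"bom-ref": "app@1.0.0"}},
  "components": [
    {"bom-ref": "agent-framework@1.0.0", "name": "agent-framework", "version": "1.0.0"},
    {"bom-ref": "litellm@0.0.0-COMPROMISED", "name": "litellm", "version": "0.0.0-COMPROMISED"},
    {"bom-ref": "requests@2.0.0", "name": "requests", "version": "2.0.0"}
  ],
  "dependencies": [
    {"ref": "app@1.0.0", "dependsOn": ["agent-framework@1.0.0", "requests@2.0.0"]},
    {"ref": "agent-framework@1.0.0", "dependsOn": ["litellm@0.0.0-COMPROMISED"]}
  ]
}""")

# Advisory entries as (name, version); placeholder, not the real affected release.
KNOWN_BAD = {("litellm", "0.0.0-COMPROMISED")}

def _index(sbom):
    comps = {c["bom-ref"]: (c["name"], c["version"]) for c in sbom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    return comps, edges, sbom["metadata"]["component"]["bom-ref"]

def direct_hits(sbom, known_bad):
    """Known-bad components among the root's direct dependencies only."""
    comps, edges, root = _index(sbom)
    return [ref for ref in edges.get(root, []) if comps.get(ref) in known_bad]

def find_compromised_paths(sbom, known_bad):
    """Map each reachable known-bad bom-ref to its shortest path from the root."""
    comps, edges, root = _index(sbom)
    hits, seen, queue = {}, {root}, deque([[root]])
    while queue:  # breadth-first, so the first path found is the shortest
        path = queue.popleft()
        if comps.get(path[-1]) in known_bad:
            hits[path[-1]] = path
        for child in edges.get(path[-1], []):
            if child not in seen:  # also guards against dependency cycles
                seen.add(child)
                queue.append(path + [child])
    return hits

if __name__ == "__main__":
    print("direct:", direct_hits(SBOM, KNOWN_BAD))
    for ref, path in find_compromised_paths(SBOM, KNOWN_BAD).items():
        print("transitive:", " -> ".join(path))
```

A scan limited to direct dependencies returns nothing for this BOM; only the graph walk surfaces the pinned bad release, which is why the inventory has to include transitive edges.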

Sources

  • See frontmatter.