我的 LiteLLM 恶意软件攻击逐分钟应对记录

我的 LiteLLM 恶意软件攻击逐分钟应对记录
My minute-by-minute response to the LiteLLM malware attack

原始链接: https://futuresearch.ai/blog/litellm-attack-transcript/

## Claude Code 关机分析总结最近一次涉及大量 Python 进程（超过 11k）的系统关机，源于正常的 Claude Code (v2.1.81) 操作，而非恶意攻击。关机时正在运行五个 Claude Code 实例。问题似乎是由一个失控的进程生成循环引起的，可能由卡住的 Claude Code 工具/代理交互或 `uv` 运行脚本中的错误触发。这些生成的进程使用了 `python -c` 并带有 base64 编码的代码——这是 Claude Code 安全执行代码的标准做法——并在关机期间变为孤立进程。重要的是，没有发现任何持久化机制或恶意代码。所有进程都来自合法来源（Claude Code、`uv`、`zsh`），并使用了本地 Python 安装。 **建议：** 调查关机前是否激活了循环代理。如果问题再次发生，尝试在强制关机前执行 `killall python3.13`，并考虑实施进程限制 (`ulimit -u 2048`) 以防止类似事件发生。

这次黑客新闻的讨论围绕着最近的“LiteLLM”恶意软件攻击，以及开发者Callum Fibonar的发现过程。Fibonar分享了他调查的逐分逐秒记录，并得到了Claude（一个AI助手）的显著帮助，引导他完成报告程序和关键步骤。对话强调了人工智能能够赋能非安全专家有效地识别和报告漏洞的潜力。许多评论者同意这是一个积极的发展，强调了广泛漏洞报告的重要性，而不是设置门槛。讨论还涉及改进软件包注册表的安全性——特别是需要实时事件“火龙卷风”，允许自动化扫描程序检测恶意更新（PyPI被认为是积极的例子）。Fibonar在他的项目中实施了依赖项冷却期作为预防措施。最后，有人提倡编写原生软件，以完全避免供应链攻击。

原文

Now I have the full picture. Here's my analysis:

What 2.1.81 is: Claude Code v2.1.81. You had 5 Claude Code instances running at shutdown time.

Shutdown timeline:

01:36:33 — Force shutdown initiated
01:36:36 — Shutdown stall captured (162 processes still running, 21 of them Python)
01:37:11 — System booted

Process tree at shutdown:

Normal Claude Code MCP servers (2 instances):

Claude Code [82193] → python3.13 [88842] → node [88854] (416MB)
Claude Code [35621] → python3.13 [45088] → node [45091] (228MB)

These are MCP server bridges — Python wraps a Node.js MCP server. Normal behavior.

A uv run chain:

zsh → uv [74172] (deadlocked) → python3.13 [74174] (running a .py file)
→ python3.13 [74180] (python -c "...", reading pipe)
→ python3.13 [86263] (running .py file, sleeping + os.stat)
→ python3.13 [86264] (python -c "...", reading pipe)

14 orphaned python -c processes (two batches of 7):

PIDs 89759-89765 (~38 hours old)
PIDs 67956-67962 (different age)
All running _PyRun_SimpleStringFlagsWithName — this is python -c "exec(base64.b64decode(...))"
All orphaned (parent died, reparented to launchd)
All stuck reading from a dead pipe

What likely happened:

The exec(base64.b64decode('...')) pattern is not malware — it's how Python tooling (including Claude Code's Bash tool) passes code snippets to python -c while avoiding shell escaping issues. The base64 encoding is just a safe transport mechanism.

The 11k process storm was likely a runaway spawning loop from one of these sources:

A Claude Code tool/agent interaction that got stuck in a loop spawning python -c processes
A uv run script (the 74174 chain) that had a subprocess spawning bug

Good news:

No persistence mechanisms found — no suspicious crontabs, launch agents, or launchd jobs
No suspicious Python processes running now — clean after reboot
All processes used your local uv Python — nothing from unknown paths
No malicious indicators — all parents trace back to Claude Code, uv, or zsh

Recommendations:

Check if you had a Claude Code agent running in a loop before the incident
If it happens again, try killall python3.13 before force-shutting down
Consider setting a process limit: ulimit -u 2048 in your .zshrc to prevent fork bombs

我的 LiteLLM 恶意软件攻击逐分钟应对记录 My minute-by-minute response to the LiteLLM malware attack

我的 LiteLLM 恶意软件攻击逐分钟应对记录
My minute-by-minute response to the LiteLLM malware attack