LiteLLM Drops Delve After Supply Chain Attack Exposes Fraudulent SOC 2 Audits
LiteLLM terminates its relationship with compliance startup Delve following a major PyPI supply chain attack and allegations of fraudulent SOC 2 certifications.
LiteLLM has terminated its compliance relationship with Delve following a severe supply chain attack and allegations of audit fraud. The decision comes after malicious code infected the AI gateway’s PyPI packages, exposing the failure of Delve’s SOC 2 certification process. For engineering teams relying on LiteLLM to route requests across multiple LLM providers, the incident highlights a critical vulnerability in the compliance supply chain.
PyPI Supply Chain Attack
The underlying breach occurred on March 24, when threat actor TeamPCP injected malicious payloads into LiteLLM versions 1.82.7 and 1.82.8 on the Python Package Index. The malware was designed to harvest environment variables, SSH keys, cloud credentials, and Kubernetes tokens from host machines.
With LiteLLM processing approximately 3.4 million downloads per day, the compromised packages posed an immediate risk to production environments. The malicious versions remained live for up to two hours before PyPI quarantined them.
Security researcher Callum McMahon discovered the infection when his machine crashed from an accidental fork bomb within the malware. The poor construction of the payload led AI researcher Andrej Karpathy to characterize the attack as “vibe coded.” The root cause was traced to a compromised Aqua Security Trivy installation in LiteLLM’s CI/CD pipeline, which exposed the project’s PyPI publishing tokens.
Delve Compliance Fraud Allegations
The technical breach exposed a massive gap in LiteLLM’s security posture, directly contradicting the SOC 2 Type 2 and ISO 27001 certifications displayed on its website. Both certifications were issued by Delve.
On March 19, a whistleblower known as DeepDelver published evidence alleging that Delve falsified compliance audits for nearly 500 clients. A leaked spreadsheet revealed that Delve generated 99.8% identical auditor conclusions across 494 reports. The documentation included keyboard-mashed test values like “sdf” as evidence of rigorous security checks.
A legitimate SOC 2 audit requires verifying secure credential storage. Investigators found that LiteLLM had been storing PyPI tokens as plaintext environment variables. The certification process entirely missed this standard vulnerability.
Mitigation and Recertification
LiteLLM released version 1.83.0 on March 30, migrating the project to a new isolated CI/CD pipeline. This updated architecture implements strict security gates to prevent token leakage during automated builds.
The company has hired Mandiant to conduct a comprehensive forensic investigation of the breach. To rebuild trust in its security controls, LiteLLM is pursuing immediate recertification through Vanta.
If you route traffic through LiteLLM, you must audit your deployment pipelines to ensure versions 1.82.7 and 1.82.8 were not pulled into your environments. Any infrastructure running those specific versions between March 24 and the PyPI quarantine requires immediate credential rotation for all exposed cloud providers, Kubernetes clusters, and SSH keys. Engineering teams relying on third-party compliance badges to evaluate open-source dependencies should independently verify the vendor conducting the audits.
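The pipeline audit described above can be scripted. The following is an added example (not code from LiteLLM, Delve or this article) that scans requirements files, constraints files or `pip freeze` output for the two compromised releases named here, flags range specifiers that cannot prove a build never resolved to them, and checks the interpreter it runs in. The sample requirements text is constructed for illustration and uses only the Python standard library.

```python
"""Added example, not LiteLLM's or Delve's code: find the two compromised
litellm releases (1.82.7 and 1.82.8) in dependency pins and in the running
environment, and flag unpinned specifiers for manual review."""
import re
from importlib import metadata

# Versions the article identifies as carrying the malicious payload.
COMPROMISED_VERSIONS = {"1.82.7", "1.82.8"}
TARGET = "litellm"

# package name, optional [extras], then everything up to a marker (;) or comment (#)
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[[^\]]*\])?\s*"
    r"(?P<spec>[^;#]*)"
)
# an exact pin such as ==1.82.7 (a wildcard pin like ==1.82.* does not match)
_PIN_RE = re.compile(r"^==\s*([0-9][0-9A-Za-z.+!-]*)$")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify_requirement(line: str):
    """Return (name, spec, status) for a litellm requirement line, or None for
    blank lines, comments, pip options and other packages.

    status: COMPROMISED  pinned exactly to a bad release
            UNPINNED     a range, wildcard or no spec; the resolver may have
                         picked a bad release at build time, check the lockfile
            OK           pinned exactly to some other release
    """
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "-")):
        return None
    m = _REQ_RE.match(stripped)
    if not m or normalize(m.group("name")) != TARGET:
        return None
    spec = m.group("spec").strip()
    pins = [s.strip() for s in spec.split(",") if s.strip()]
    exact = [_PIN_RE.match(p) for p in pins]
    if pins and all(exact):
        versions = {e.group(1) for e in exact}
        status = "COMPROMISED" if versions & COMPROMISED_VERSIONS else "OK"
    else:
        status = "UNPINNED"
    return (m.group("name"), spec, status)


def audit_requirements(text: str) -> list:
    """Audit a requirements.txt, constraints file or `pip freeze` dump."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = classify_requirement(line)
        if result:
            name, spec, status = result
            findings.append(
                {"line": lineno, "name": name, "spec": spec, "status": status}
            )
    return findings


def check_installed_litellm():
    """Report the litellm version installed in this interpreter, if any."""
    try:
        installed = metadata.version(TARGET)
    except metadata.PackageNotFoundError:
        return ("not installed", "OK")
    return (installed, "COMPROMISED" if installed in COMPROMISED_VERSIONS else "OK")


# Constructed sample: pins from three services as they might sit in one repo.
SAMPLE = """\
# gateway service
litellm[proxy]==1.82.7   # pinned the day of the release
requests==2.32.3
# batch worker, resolved at build time
LiteLLM>=1.80,<1.83
# notebook env, frozen after the fix
litellm==1.83.0 ; python_version >= "3.10"
-r shared.txt
"""

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE):
        print(f"line {f['line']:>2}: {f['name']} {f['spec'] or '(no pin)'} -> {f['status']}")
    print("installed:", *check_installed_litellm())
```

Run it against every requirements and constraints file in a repository and against `pip freeze` captured from each deployed image. A COMPROMISED hit means the host ran a malicious release and needs the credential rotation listed above; an UNPINNED hit is not proof of safety, since a range such as `>=1.80,<1.83` could have resolved to 1.82.7 or 1.82.8 on March 24, so trace those builds to the exact version their lockfile or image recorded.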