semantic-router, Supply Chain Credential Exfiltration via Unbounded Transitive Dependency, CVE-2026-42208 (Critical) -DC-Jun2026-698


How CVE-2026-42208 Works

CVE-2026-42208 is a critical supply chain vulnerability that affects the semantic-router Python package. The issue stems from an unbounded dependency declaration in semantic-router versions 0.1.8 through 0.1.14, which specify `litellm>=1.61.3` with no upper version constraint.
In March 2026, the LiteLLM PyPI package was hit by a supply chain attack. An attacker compromised the maintainer’s publishing credentials and pushed two malicious versions—1.82.7 and 1.82.8—to PyPI. These versions were never released through the official GitHub repository. The malicious `litellm==1.82.8` wheel ships a `litellm_init.pth` file that executes automatically on Python interpreter startup—no import statement is required. Upon execution, it performs the following:
1. Collection: Harvests process environment variables, AWS/GCP/Azure credentials, SSH keys, Kubernetes configurations, shell history, database credentials, CI/CD secrets, and cryptocurrency wallets.
2. Encryption: Encrypts the collected data using AES-256 with an embedded RSA public key.
3. Exfiltration: POSTs the encrypted payload to `https://models.litellm.cloud/`.
Because semantic-router's dependency pin is unbounded (`litellm>=1.61.3`), `pip install` of any affected semantic-router version during the window when `litellm==1.82.8` was the latest release on PyPI would automatically resolve to the compromised wheel. The vulnerability is particularly dangerous because it executes without any application code import—merely having the package installed in a Python environment triggers the payload on interpreter startup.
The vulnerability was patched in semantic-router 0.1.15, which raises the minimum required version to `litellm>=1.83.7`. LiteLLM itself fixed the supply chain issue in version 1.83.7-stable.
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: Python PyPI
Version: semantic-router 0.1.8–0.1.14
Vulnerability: Supply chain credential exfiltration
Severity: Critical
date: 2026-03-24 (malicious published)
<h2 style="color: blue;">Prediction: Patch available 2026-04-19</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
<h2 style="color: blue;">Analytics</h2>
The attack vector exploits Python's `.pth` file auto-execution mechanism, which runs during interpreter startup regardless of application imports. This design pattern—originally intended for namespace package initialization—becomes a potent persistence and execution mechanism when abused.
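To audit for the startup-execution behaviour described above, the following added example (not code from the original page or from either project) lists every `.pth` line that Python's `site` module would execute. The names `executable_lines`, `scan` and `demo`, and the sample files that `demo` writes, are constructed for illustration.

```python
import os
import site
import sys
import tempfile

def executable_lines(pth_path):
    """Return [(line_no, text)] for the lines site.py exec()s at startup."""
    hits = []
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            # site.addpackage() runs a line only if it starts with "import"
            # followed by a space or tab; other lines are path entries.
            if line.startswith(("import ", "import\t")):
                hits.append((no, line.rstrip()))
    return hits

def scan(dirs):
    """Map every .pth file under `dirs` that has executable lines to them."""
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if name.endswith(".pth") and os.path.isfile(path):
                hits = executable_lines(path)
                if hits:
                    findings[path] = hits
    return findings

def demo():
    """Constructed sample directory: one path-only file, one with code."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "paths_only.pth"), "w") as fh:
            fh.write("# comment\n./vendor\n")
        with open(os.path.join(d, "sample_init.pth"), "w") as fh:
            fh.write("import os; os.getenv('HOME')\n")
        return {os.path.basename(p): h for p, h in scan([d]).items()}

if __name__ == "__main__":
    # Directories given on the command line, else this interpreter's own.
    dirs = sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]
    for path, hits in scan(dirs).items():
        for no, text in hits:
            print(f"{path}:{no}: {text[:120]}")
```

Pass the suspect environment's site-packages directory as an argument and run the script from a different interpreter, since starting Python inside that environment would itself process its `.pth` files. Hits need review rather than automatic deletion: legitimate packages such as setuptools also ship `.pth` files with import lines.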
<h2 style="color: blue;">The malicious `litellm_init.pth` file performs a multi-stage attack:</h2>
- Stage 1: Credential harvesting across 7+ categories (cloud keys, SSH, K8s, DB, CI/CD, wallet)
- Stage 2: AES-256 encryption with embedded RSA pubkey
- Stage 3: C2 exfiltration to `models.litellm.cloud`
The unbounded dependency pin (`litellm>=1.61.3`) created a transitive trust failure. Pip's resolver always picks the latest matching version, meaning anyone who installed semantic-router 0.1.8–0.1.14 during the 1.82.8 window was affected.
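The resolution behaviour described above can be reproduced with a small model of "newest version that satisfies the specifier". This is an added example, not pip's resolver and not code from the original page: it handles only plain numeric versions and the comparison operators shown, and `WINDOW_INDEX` is a constructed index snapshot built from version numbers this page names.

```python
import operator
import re

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, "<": operator.lt, ">": operator.gt}
_CLAUSE = re.compile(r"\s*(>=|<=|==|!=|<|>)\s*(\d+(?:\.\d+)*)\s*$")

def vkey(version):
    """Zero-padded numeric key; plain N.N.N release versions only."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def parse(spec):
    """'>=1.61.3,<1.82' -> [('>=', (1, 61, 3, 0)), ('<', (1, 82, 0, 0))]"""
    clauses = []
    for part in spec.split(","):
        m = _CLAUSE.match(part)
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append((m.group(1), vkey(m.group(2))))
    return clauses

def allows(spec, version):
    """True if `version` satisfies every clause of `spec`."""
    v = vkey(version)
    return all(OPS[op](v, bound) for op, bound in parse(spec))

def has_upper_bound(spec):
    """True if some clause caps the version (<, <= or an exact ==)."""
    return any(op in ("<", "<=", "==") for op, _ in parse(spec))

def resolve(spec, index):
    """Newest release in `index` that satisfies `spec`, or None."""
    ok = [v for v in index if allows(spec, v)]
    return max(ok, key=vkey) if ok else None

# Constructed index snapshot for the window described above; it contains only
# litellm version numbers that this page names.
WINDOW_INDEX = ["1.61.3", "1.82.7", "1.82.8"]

if __name__ == "__main__":
    for spec in (">=1.61.3", ">=1.61.3,<1.82",
                 ">=1.61.3,!=1.82.7,!=1.82.8", ">=1.83.7"):
        print(f"{spec:28} bounded={has_upper_bound(spec)!s:5} "
              f"-> {resolve(spec, WINDOW_INDEX)}")
```

On this snapshot the lower-bound-only pin resolves to 1.82.8, an upper bound or explicit exclusions fall back to 1.61.3, and the patched floor `>=1.83.7` matches nothing, so the install fails instead of pulling the malicious wheel.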
<h2 style="color: blue;">Bash Commands & Codes</h2>

```bash
# Check if you're running an affected semantic-router version
pip show semantic-router | grep Version

# Check which litellm version was resolved
pip show litellm | grep Version

# Audit for the malicious .pth file
find /path/to/your/site-packages -name "litellm_init.pth" 2>/dev/null

# List all installed packages and their versions
pip list --format=freeze | grep -E "semantic-router|litellm"

# Check if the malicious C2 domain is reachable (defensive)
curl -I https://models.litellm.cloud/ 2>/dev/null | head -n 1

# Check Python environment for startup imports (verbose)
python -v -c "import sys; print(sys.path)" 2>&1 | grep -i pth

# Force upgrade to safe versions
pip install --upgrade "semantic-router>=0.1.15" "litellm>=1.83.7,!=1.82.8"

# Pin explicitly in requirements.txt
echo "litellm>=1.83.7,!=1.82.8" >> requirements.txt
echo "semantic-router>=0.1.15" >> requirements.txt

# Rotate all exposed credentials (example for AWS)
aws sts get-caller-identity                            # verify current session
aws iam list-access-keys                               # list existing keys
aws iam create-access-key                              # create new key
aws iam delete-access-key --access-key-id OLD_KEY_ID   # revoke old
```

<h2 style="color: blue;">Exploit:</h2>
The exploit requires no authentication and no user interaction. Attack vectors include:
1. Supply Chain Installation: Any `pip install semantic-router` during the window when `litellm==1.82.8` was the latest PyPI release automatically pulled the malicious wheel.
2. Execution Trigger: The `.pth` file executes on any Python interpreter startup in the environment where the package is installed—no import required.
3. Data Exfiltration: Harvested credentials are AES-256 encrypted with an embedded RSA public key and POSTed to the attacker-controlled C2 server.
4. Scope: The attack chain compromised PyPI, npm, Docker Hub, and GitHub Actions simultaneously. The threat actor cluster, designated "TeamPCP," orchestrated the attack through a compromised CI/CD security scanner.
<h2 style="color: blue;">Protection:</h2>
<h2 style="color: blue;">Immediate Actions:</h2>
1. Upgrade immediately to semantic-router 0.1.15 or later, which raises the floor to `litellm>=1.83.7`.

2. Pin dependencies explicitly in your project:

```
litellm>=1.83.7,!=1.82.8
semantic-router>=0.1.15
```

3. Audit site-packages for `litellm_init.pth` and delete if present.
4. Rotate all credentials that were present in environments where an affected install ran—including AWS/GCP/Azure keys, SSH keys, Kubernetes configs, database credentials, CI/CD secrets, and cryptocurrency wallets.
5. Disable error logs as a temporary mitigation if upgrading is not immediately possible:

```yaml
general_settings:
  disable_error_logs: true
```

Long-term Measures:

  • Use dependency pinning with upper bounds in production
  • Implement software composition analysis (SCA) tools
  • Monitor PyPI package integrity and verify hashes
  • Use private PyPI mirrors with curated package lists

Impact:

Blast Radius:

  • Affected semantic-router versions: 0.1.8 through 0.1.14
  • Affected LiteLLM versions: 1.81.16 through 1.83.6
  • Approximately 384,177 downloads in the last month
  • LiteLLM has over 45,000 GitHub stars and ~97 million monthly downloads

Data at Risk:

  • Process environment variables
  • AWS/GCP/Azure cloud credentials
  • SSH private keys
  • Kubernetes configurations
  • Shell history files
  • Database connection strings
  • CI/CD pipeline secrets
  • Cryptocurrency wallets

Business Impact:

A single compromised `litellm_credentials` row often holds OpenAI organization keys with five-figure monthly spend caps, Anthropic console keys with workspace admin rights, and AWS Bedrock IAM credentials. Successful exploitation is operationally comparable to a full cloud account compromise.
CISA Advisory: The vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog on May 8, 2026, with a due date of May 11, 2026 for mitigation.

Sources:

Reported By: github.com