semantic-router

PyPI Compromised

1

report

Attack type: Build pipeline

Reports

Build pipeline Versions: >= 0.1.8, < 0.1.15 17d ago by isitcompromised.com

semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin ## Impact semantic-router versions 0.1.8 through 0.1.14 declare `litellm>=1.61.3` with no upper bound. During the window in which `litellm==1.82.8` was the latest release on PyPI, a fresh install of any affected semantic-router version could resolve to that compromised wheel. The malicious `litellm==1.82.8` wheel ships a `litellm_init.pth` file that executes on Python interpreter startup — no import required. It collects and exfiltrates: - Process environment variables - AWS / GCP / Azure crede

View evidence

Have more info?

Submit additional evidence or a new report for this package.

Submit a report