This project includes a lightweight supply-chain guard to catch known malicious dependency indicators before they spread.

From repo root:

python scripts/security_dependency_guard.py

Expected safe output:

OK: No supply-chain IOC or denylisted dependency found.

If the script exits with an alert:

1. Remove the compromised dependency/version immediately.
2. Assume exposed secrets are compromised and rotate credentials.
3. Rebuild local virtual environments and reinstall from trusted indexes.
4. Open a security incident ticket with findings and remediation steps.

• Python: litellm==1.82.8 (known compromised release)

Reference:

• LiteLLM security issue #24512

• Use isolated Python virtual environments (.venv) per project.
• Prefer pinned versions and review lockfile diffs in PRs.
• Avoid running pip as root.
• Run the guard script in CI and before release tags.