LiteLLM ditches compliance startup Delve — accused of faking certifications — after a malware breach exposed credential-stealing vulnerabilities in its open-source gateway.
LiteLLM, an AI gateway used by millions of developers, suffered a credential-stealing malware attack on its open-source version last week. The company had previously obtained two security compliance certifications through Delve, a startup now accused of generating fake compliance data and using rubber-stamp auditors. Delve's founder denied the allegations, but an anonymous whistleblower released alleged evidence over the weekend. LiteLLM CTO Ishaan Jaffer announced on X that the company will re-certify using Vanta and an independent third-party auditor.
If you're running LiteLLM's open-source gateway in production, you have two compounding problems: a credential-stealing malware incident from last week, and compliance certifications that may be meaningless. Any secrets or API keys routed through LiteLLM during the affected window should be treated as compromised. The re-certification with Vanta doesn't protect you retroactively — your own credential hygiene does.
Pull your LiteLLM deployment logs from the past 14 days and grep for unexpected outbound connections; rotate any API keys that passed through the gateway during the malware window using your secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.).
Open your terminal and pull recent LiteLLM container logs (336h covers the 14-day window): `docker logs litellm_container --since 336h 2>&1 | grep -E 'POST|PUT|external|error'`
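A raw grep for `POST|PUT|external|error` still leaves you eyeballing every line; the following added example (not from the article or the LiteLLM project) instead extracts every upstream host from the log stream and reports those missing from an allowlist of providers your deployment is expected to call. The allowlist and the sample log lines are constructed for illustration and assume a log format that prints the full request URL; adjust the extraction to your real logs.

```shell
#!/bin/sh
# Added example: flag outbound destinations in gateway logs that are not
# on the allowlist of expected upstream provider hosts.
# The sample log lines below are constructed, not real LiteLLM output.

# Hosts this deployment is expected to call (assumption: edit for your config).
EXPECTED_HOSTS="api.openai.com api.anthropic.com"

# Pull every host that appears in an http(s) URL on stdin, one per line, deduplicated.
extract_hosts() {
    grep -oE 'https?://[A-Za-z0-9._-]+' | sed -E 's#^https?://##' | sort -u
}

# Print the hosts on stdin's log lines that are not in EXPECTED_HOSTS.
# Anything printed here is a destination to explain before you rotate keys.
unexpected_hosts() {
    extract_hosts | while IFS= read -r host; do
        case " $EXPECTED_HOSTS " in
            *" $host "*) ;;                     # expected provider, ignore
            *) printf '%s\n' "$host" ;;          # not on the allowlist, report
        esac
    done
}

# Constructed sample log lines standing in for `docker logs` output.
SAMPLE_LOGS='2024-01-01T00:00:01Z INFO POST https://api.openai.com/v1/chat/completions 200
2024-01-01T00:00:02Z INFO POST https://api.anthropic.com/v1/messages 200
2024-01-01T00:00:03Z INFO POST https://collector.example-unknown.net/upload 200
2024-01-01T00:00:04Z ERROR POST https://api.openai.com/v1/chat/completions 429'

# Run the check over the constructed sample.
scan_sample() {
    printf '%s\n' "$SAMPLE_LOGS" | unexpected_hosts
}

scan_sample
```

Against a live deployment, replace the sample with the article's log pull: `docker logs litellm_container --since 336h 2>&1 | unexpected_hosts`.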