What happened — the LiteLLM attack (March 24, 2026)
A popular AI library was poisoned — and it ran automatically on every machine that installed it.
Attackers compromised LiteLLM (97M monthly downloads) by first hacking a security scanner used in its build process.
The poisoned package stole SSH keys, cloud credentials, and every API key in your environment —
then encrypted and sent them to an attacker-controlled server. It was only caught because a bug in the malware accidentally crashed a developer's machine.
Trivy scanner
compromised
compromised
→
PyPI publish
token stolen
token stolen
→
Poisoned litellm
pushed to PyPI
pushed to PyPI
→
Steals all creds
on install
on install
→
Exfiltrated to
attacker server
attacker server
1
6 Essential Practices
Run MCP Servers in Docker
MCP servers run with your full permissions by default — they can read your SSH keys, credentials, and connect anywhere. Docker isolates each server in its own container.
Use Docker MCP Toolkit to run MCP servers in containers
Don't run unknown MCP servers directly on your machine
Enable Claude Code Sandbox
The
/sandbox command restricts what bash commands can access — filesystem paths and network domains. A critical safety layer for everything Claude runs.
Run
/sandbox and add denyRead for ~/.ssh, ~/.awsDon't skip this because "I trust my tools"
Guard Your API Keys
API keys are like passwords — anyone who has them can use your account and run up charges. Keep them in
.env files (not pasted into code) and never share them.
Keep
.env in your .gitignore so keys never get pushed to GitHubRotate keys immediately if you think they've been exposed
Don't paste API keys into files that get shared or committed to Git
Don't give keys to MCP servers or tools you haven't vetted
Pin Dependencies With Hashes
This attack worked because tools pulled "latest" versions automatically. Pin exact versions and verify file hashes so tampering is caught.
Use
pip-compile --generate-hashes for PythonDon't use
pip install package without version pinsVet Before You Install
There is no built-in security scanner for MCP servers or skills. You must check: What does it connect to? What permissions does it need? Does it include auto-executing hooks?
Read skill
.md files and check for hooks before installingDon't install plugins just because they look useful
Control Network Egress
Even if malware runs, it can't steal data if it can't phone home. Restrict which domains your tools can reach — sandbox network controls block unauthorized connections.
Configure
allowedDomains in sandbox settingsDon't allow unrestricted network access from dev tools
2
What Protects Against What
| Attack Stage | Claude /sandbox | Docker MCP | Key Hygiene | No Protection |
|---|---|---|---|---|
| Reads ~/.ssh, ~/.aws | Blocked* | Blocked | Partial | Exposed |
| Steals API keys from env | Not blocked | Blocked** | Partial | Exposed |
| Sends data to attacker | Blocked | Blocked | Partial | Exposed |
| Installs persistent backdoor | Blocked | Blocked | Not blocked | Exposed |
| Poisoned MCP dependency | Not blocked | Contained | Partial | Full access |
| Crashes your machine | Partial | Contained | Not blocked | Crash |
* Only if denyRead configured for those paths
** Only if you don't pass keys as env vars into the container
Key Hygiene prevents Git leaks but not in-process theft — malware can still read loaded env vars at runtime
3
Your Security Checklist
◆ Before Installing a Tool
Check the source repo and author
Read the skill .md files for risky tools (Bash, Write, WebFetch)
Look for hooks — shell scripts that auto-execute
Check if it bundles MCP servers
Verify dependencies are pinned
◆ While Using Claude Code
Enable /sandbox with denyRead for sensitive paths
Run MCP servers via Docker MCP Toolkit
Review commands before approving them
Keep API keys in .env files, never in code or Git
Use /permissions to audit tool access
◆ If Something Seems Wrong
Machine suddenly slow? Check for runaway processes
Unexpected network calls? Check sandbox logs
Rotate any exposed API keys immediately
Check for new files in ~/.config/ or systemd
Run pip list to check installed package versions
Claude Code Quick Security Commands
/sandbox
Enable OS-level isolation
/permissions
Audit all access rules
/plugin
Review installed plugins
/context
See what's loaded in session
💻
Windows Users: Enabling /sandbox
/sandbox is not yet available on native Windows. If you're on WSL2, you can enable it:
- Open your WSL2 terminal (Ubuntu recommended)
- Install Claude Code inside WSL2:
curl -fsSL https://claude.ai/install.sh | bash - Install sandbox dependencies:
sudo apt-get install bubblewrap socat - Run
claudeto launch Claude Code - Run
/sandboxand enable it
Official Claude Code docs:
Sandboxing Guide · Setup (WSL2) · Permissions · Security · Troubleshooting
Sandboxing Guide · Setup (WSL2) · Permissions · Security · Troubleshooting
No single tool is fully secure by default. Defense in depth — multiple overlapping protections — is the only reliable strategy.
Start with
/sandbox, add Docker for MCP servers, and never put raw API keys where any dependency can read them.