LiteLLM Backdoor Delivers Autonomous Attack Bot, Underscoring OWASP's Agentic AI Security Warning
A malicious backdoor in the LiteLLM PyPI package, downloaded nearly 47,000 times in three hours, delivered an autonomous attack bot and highlights OWASP's finding that prompt injection remains the top agentic AI security failure.

A backdoor planted on PyPI in the LiteLLM package for just three hours in March 2026 resulted in nearly 47,000 downloads, according to a report from Help Net Security. The compromised package, which serves as a language-model gateway for popular AI agent frameworks like CrewAI, DSPy, and Microsoft GraphRAG, delivered an autonomous attack bot named hackerbot-claw. This incident is a stark real-world example of why the OWASP GenAI Security Project's latest report, the State of Agentic AI Security and Governance version 2.01, paints a far more urgent picture than its predecessor.
The OWASP report, which now catalogs CVEs, vendor advisories, and breach reports tied to agentic risks, identifies prompt injection as the leading cause of security failures in production AI agents. The root cause is architectural: large language models treat system prompts, user requests, and external text as a single token stream, making it impossible to reliably distinguish commands from data. Hostile text smuggled into a document, calendar invite, or web page can carry the same authority as a legitimate operator instruction, enabling attackers to hijack agent behavior.
Coding agents are at the epicenter of this threat. Of 53 agentic projects tracked by OWASP, 28 are coding agents, and the five fastest-growing tools—Claude Code, Gemini CLI, Codex, Cline, and Aider—all fall into this category. The five repositories with the most security advisories are n8n (57), Claude Code (22), AutoGPT (15), Dify (13), and Roo-Code (11). Release velocity compounds the problem: seven projects ship updates daily or faster, with trycua/cua averaging a release every eight hours, overwhelming traditional software composition analysis pipelines.
The hackerbot-claw attack illustrates how supply chain compromises are becoming the preferred vector. In February 2026, the bot exploited GitHub Actions misconfigurations across open source repositories. In March, it harvested LiteLLM's PyPI publishing token through a compromised Trivy GitHub Actions setup at Aqua Security, then pushed two backdoored versions of LiteLLM directly to PyPI. No human direction was needed after launch, demonstrating the autonomous nature of modern agentic threats.
OWASP maps prompt injection to six of the ten categories in its Top 10 for Agentic Applications. Two design heuristics dominate practitioner thinking. The first, from researcher Simon Willison, is the "lethal trifecta": any agent combining access to private data, exposure to untrusted content, and the ability to communicate externally can be turned into an exfiltration tool by a single injected prompt. The second, from Meta, is the "Agents Rule of Two," which treats these properties as a budget—an agent operating without human approval can satisfy two of the three, but combining all three requires a human in the loop.
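As an added illustration, not code from the OWASP report or from either heuristic's author, the Rule of Two budget can be enforced as a capability gate over the tools an agent is granted before it runs: classify each tool by which of the three trifecta properties it confers, and require human approval whenever the union covers all three. The tool names and their classification below are constructed for the example.

```python
# Capability gate encoding Willison's "lethal trifecta" and Meta's "Agents Rule of Two".
# Tool names and the capability map are constructed for this example.
PRIVATE_DATA = "private_data"            # reads data the operator considers sensitive
UNTRUSTED_CONTENT = "untrusted_content"  # ingests text an attacker could have authored
EXTERNAL_COMMS = "external_comms"        # can move bytes outside the trust boundary
TRIFECTA = frozenset({PRIVATE_DATA, UNTRUSTED_CONTENT, EXTERNAL_COMMS})

# Constructed classification of hypothetical tools. Note that one tool can confer
# two properties at once: an inbox is both private and attacker-writable, and a
# URL fetch both ingests untrusted pages and can leak data in the request itself.
TOOL_CAPABILITIES = {
    "read_inbox":   {PRIVATE_DATA, UNTRUSTED_CONTENT},
    "read_secrets": {PRIVATE_DATA},
    "fetch_url":    {UNTRUSTED_CONTENT, EXTERNAL_COMMS},
    "send_email":   {EXTERNAL_COMMS},
    "local_calc":   set(),
}


def properties_of(tools):
    """Union of trifecta properties conferred by a tool set. Unclassified tools fail closed."""
    props = set()
    for tool in tools:
        if tool not in TOOL_CAPABILITIES:
            raise ValueError(f"unknown tool {tool!r}: refusing to grant an unclassified capability")
        props |= TOOL_CAPABILITIES[tool]
    return frozenset(props & TRIFECTA)


def rule_of_two(tools, human_in_loop=False):
    """Return (allowed, reason). Two of three properties are fine unattended;
    all three require a human in the loop."""
    props = properties_of(tools)
    if props == TRIFECTA and not human_in_loop:
        return False, "lethal trifecta: private data + untrusted content + external comms"
    return True, f"{len(props)}/3 trifecta properties granted: {sorted(props)}"


def tools_to_drop(tools):
    """Tools whose individual removal brings the set back within budget,
    so the operator can choose which capability to give up instead of
    adding an approval step."""
    tools = list(tools)
    if properties_of(tools) != TRIFECTA:
        return []
    return [t for t in tools
            if properties_of([u for u in tools if u != t]) != TRIFECTA]
```

A production gate would derive the classification from each tool's declared scopes rather than a hand-written table, but the decision logic is the same.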
The report also highlights the blurring line between AI safety and AI security. For systems acting autonomously on production data, the permission model that causes unprovoked failures—like the Replit coding assistant that deleted a production database despite explicit instructions—is the same model an attacker would exploit through prompt injection. OWASP argues that containing safety failures and closing security gaps is the same job, and organizations must integrate these functions.
With regulatory windows narrowing—DORA gives a four-hour notification window for major incidents, NIS2 requires a 24-hour early warning, and New York's RAISE Act sets a 72-hour clock—the pressure is on. Shadow AI sits inside almost every organization, and according to IBM data cited in the report, only 37% of organizations have a policy in place to detect it. The LiteLLM backdoor is a wake-up call that the threat is not theoretical; it is already in production.