Rosa Del Mar

Daily Brief

Issue 84 2026-03-25

Incident Scoping Via Reproducible Download Measurement

Sources: 1 • Confidence: Medium • Updated: 2026-03-26 03:27

Key takeaways

  • Exposure to the compromised LiteLLM releases was estimated by querying the BigQuery PyPI dataset for downloads during the time window when the affected versions were live on PyPI.
  • During the 46-minute period when the exploited LiteLLM packages were live on PyPI, versions 1.82.7 and 1.82.8 were downloaded 46,996 times.
  • Eighty-eight percent of packages that depend on LiteLLM did not pin versions in a way that would have avoided the exploited version.

Sections

Incident Scoping Via Reproducible Download Measurement

Blast Radius Indicator: High Download Velocity During Compromised Window

Ecosystem Susceptibility: Non-Defensive Dependency Version Constraints

Unknowns

  • What was the exact BigQuery query (tables, filters, and time bounds) used to compute the download estimate, and can it be reproduced exactly?
  • How many of the counted downloads correspond to unique installs or unique downstream environments (as opposed to repeated CI downloads or mirroring behavior)?
  • What specific exploit or malicious behavior was present in the compromised LiteLLM versions, and what conditions were required for it to execute?
  • How was the dependent package set defined and collected for the 88% version-pinning statistic (e.g., direct vs. transitive dependents, source of the dependency graph)?
  • What exact constraint patterns were classified as "would have avoided the exploited version," and were common specifiers (ranges, compatible release operators) treated consistently?
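The 88% figure and the last two unknowns above turn on one classification: does a dependent's version specifier admit 1.82.7 or 1.82.8? The following is an added example, not code from the brief or its source, that makes that classification explicit for the common PEP 440 operators; it assumes plain numeric release versions (no pre-release or local segments) and a constructed sample of dependent constraints, so its resulting rate is illustrative only.

```python
"""Classify dependency specifiers by whether they admit the compromised releases.

Added example (not from the brief or its source). Assumes PEP 440 release
versions with plain numeric components and the operators ==, !=, <, <=, >, >=,
~= plus the ==X.Y.* / !=X.Y.* wildcard forms.
"""
import re

AFFECTED = ("1.82.7", "1.82.8")  # versions named in the brief

def parse(v):
    return tuple(int(p) for p in v.strip().split("."))

def _key(v, n):
    # pad or truncate to n components so "1.82" compares like "1.82.0"
    return (v + (0,) * n)[:n]

def clause_allows(clause, version):
    m = re.fullmatch(r"\s*(==|!=|<=|>=|<|>|~=)\s*([0-9.]+?)(\.\*)?\s*", clause)
    if not m:
        raise ValueError(f"unsupported specifier clause: {clause!r}")
    op, spec, wild = m.group(1), parse(m.group(2)), m.group(3)
    ver = parse(version)
    if wild:  # ==1.82.* / !=1.82.* match on the release prefix
        if op not in ("==", "!="):
            raise ValueError(f"wildcard not valid with {op}: {clause!r}")
        hit = _key(ver, len(spec)) == spec
        return hit if op == "==" else not hit
    n = max(len(spec), len(ver))
    a, b = _key(ver, n), _key(spec, n)
    if op == "~=":  # ~=1.82.7 means >=1.82.7 together with ==1.82.*
        return a >= b and _key(ver, len(spec) - 1) == spec[:-1]
    return {"==": a == b, "!=": a != b, "<": a < b,
            "<=": a <= b, ">": a > b, ">=": a >= b}[op]

def admits_affected(specifier, affected=AFFECTED):
    """True if the specifier string lets a resolver pick any affected version."""
    clauses = [c for c in specifier.split(",") if c.strip()]
    return any(all(clause_allows(c, v) for c in clauses) for v in affected)

def exposure_rate(specifiers):
    """Fraction of dependents whose constraint would not have avoided the bad releases."""
    return sum(admits_affected(s) for s in specifiers) / len(specifiers)

# constructed sample of dependents' constraints on litellm (not real data)
SAMPLE = ["", ">=1.70", "==1.82.6", "~=1.82.0", "<1.82.7", "~=1.82.7", ">=1.0,<2", "==1.82.*"]
```

Note that a compatible-release constraint such as `~=1.82.0` is treated as admitting the compromised versions, which is the kind of specifier-handling decision the 88% statistic depends on.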

Investor overlay

Read-throughs

  • Demand for security tooling and software supply-chain monitoring may rise as teams seek faster, reproducible incident scoping using public telemetry.
  • Organizations may prioritize dependency management hygiene because loose version constraints can amplify exposure during compromised package windows.
  • Maintainers and platform providers may invest in rapid detection of and response to high-velocity downloads of compromised releases.

What would confirm

  • Publication of a fully reproducible BigQuery methodology for download measurement that others can run and validate.
  • Independent analyses showing how many downloads map to unique installs or distinct environments rather than repeated CI or mirroring.
  • Clear disclosure of malicious behavior and execution conditions for the compromised versions, plus verified impact assessment.

What would kill

  • Reproduction attempts show the download estimate is not robust to query choices, time bounds, or filtering decisions.
  • Evidence that most downloads were automation or mirroring and did not correspond to real deployments or environments.
  • Reanalysis finds the 88 percent version-pinning statistic depends on a narrow or biased definition of the dependent set.

Sources

  1. 2026-03-25 simonwillison.net