semantic-router versions >=0.1.8 and <0.1.15 specify a dependency on litellm>=1.61.3 without an upper bound, which allowed pip to resolve the dependency to a compromised litellm wheel version 1.82.8 during the period it was the latest on PyPI. The malicious litellm wheel includes a litellm_init.pth file that executes automatically on Python interpreter startup, collecting environment variables, cloud credentials (AWS, GCP, Azure), SSH keys, Kubernetes configs, shell history, database credentials, CI/CD secrets, and cryptocurrency wallets. The collected data is encrypted and exfiltrated to a remote server. The vulnerability is tracked as CVE-2026-42208 and fixed in semantic-router 0.1.15 by requiring litellm>=1.83.7. Workarounds include pinning litellm to safe versions, auditing for the malicious pth file, and rotating exposed credentials.

A fresh install of affected semantic-router versions during the window when litellm 1.82.8 was available could have installed the malicious litellm wheel, leading to automatic execution of malicious code on Python startup. This results in exfiltration of highly sensitive information including environment variables, cloud service credentials, SSH keys, Kubernetes configurations, shell history, database credentials, CI/CD secrets, and cryptocurrency wallets. This compromises confidentiality of critical secrets and credentials in affected environments.

A fix is available in semantic-router version 0.1.15, which raises the minimum litellm version to 1.83.7, avoiding the compromised 1.82.8 release. Users unable to upgrade immediately should explicitly pin litellm to versions >=1.83.7 and exclude 1.82.8. Additionally, audit site-packages directories for the presence of litellm_init.pth and remove it if found. Rotate any credentials that may have been exposed in environments where the affected versions were installed and run during the vulnerable window.