Last week I covered the supply chain attack on LiteLLM — credential-stealing malware had compromised the popular AI gateway on PyPI. Now there’s an aftershock that makes the story even bigger.
LiteLLM Switches Compliance Providers
LiteLLM CTO Ishaan Jaffer publicly announced on Monday that his company is ending its relationship with compliance startup Delve. Instead, LiteLLM will re-certify through Delve competitor Vanta and bring in an independent third-party auditor to verify its compliance controls.
On the surface, this sounds like a routine business decision. But the backstory is explosive.
The Whistleblower
An anonymous whistleblower going by the name ‘DeepDelver’ has accused Delve of faking compliance audits for its customers. The allegations include fabricated audit data and auditors who rubber-stamped reports without proper verification. As evidence, the whistleblower presented a video and Slack messages.
Delve CEO Karun Kaushik has denied the accusations and offered free re-tests and audits to all customers. But the damage seems done — LiteLLM is the first high-profile client to publicly walk away.
Why Developers Should Care
This story exposes a structural problem: if the company certifying your security compliance is itself doing questionable work, your certificate is worth nothing. Millions of developers use LiteLLM as a gateway to various AI models. The possibility that the compliance infrastructure behind it was standing on shaky ground is concerning.
For the open-source community, this is a wake-up call. Supply chain security doesn’t end at the code — it encompasses the entire chain, including the companies that perform security audits.