On March 24, 2026, malicious versions of litellm appeared on PyPI. Versions 1.82.7 and
1.82.8 carried credential-stealing code that ran on import and, in 1.82.8, on every Python
interpreter startup via litellm_init.pth. Within hours, security teams across the industry
were asking the same question: do we run this package, in which services, and which
environments already executed it? Organizations with indexed SBOM data could answer in minutes.
Organizations without it spent the afternoon grepping lockfiles, polling service owners, and
discovering transitive dependencies they did not know existed.
That gap is what a Software Bill of Materials (SBOM) closes. An SBOM is a machine-readable inventory of every component in a software artifact: name, version, supplier, license, and stable identifiers teams can search when a CVE or a malicious package lands.
What Went Wrong Without Inventory
The failure mode repeats across every major supply chain event. The vulnerable or malicious component is present. Nobody has a single authoritative list tying that component to a running artifact. Response becomes archaeology.
Log4Shell (December 2021). When CVE-2021-44228
published, most organizations could not answer “do we run log4j-core?” in under an hour.
Teams grepped repositories, polled application owners, and built spreadsheets while attackers
moved faster. Industry postmortems consistently cite missing component inventory as the primary
reason triage took days instead of hours.
LiteLLM (March 2026). LiteLLM’s security advisory
documents that litellm==1.82.7 and 1.82.8 were published to PyPI on March 24, 2026 and
remained accessible in some caches for hours. The payload targeted cloud credentials, SSH keys,
and Kubernetes secrets. Teams without environment inventory broadcast remediation instructions
company-wide and waited for replies. Teams with SBOM data linked to deployment records could
scope affected services directly. Securelist’s analysis
notes the malware’s breadth: local filesystem, cloud runtime secrets, Kubernetes clusters, and
crypto wallets in a single package.
June 2026 npm and PyPI campaigns. Our analysis of express-plugin,
the Crossmint impersonation package, and
openblox found the same pattern at smaller scale. A two-file npm
dropper. A 1.4 KB stealer embedded in 1.75 MB of legitimate SDK code. A PyPI package whose
setup.py runs an mshta fetcher on every pip install on Windows. In each case, the first
response question is identical: is this package anywhere in our dependency graph, our CI
runners, or our developer laptops?
Incident response playbooks published in 2026 estimate 4 to 6 hours for manual inventory across repositories, container registries, and CI caches under pressure. Automated SBOM query reduces that step to minutes when the index exists and stays current.
What Changes When Inventory Exists
The workflow difference is not theoretical. When a new CVE or malicious package publishes, teams with indexed SBOMs run a structured sequence:
- Extract the affected purl, CPE, or package coordinate from the advisory.
- Query the SBOM corpus for every artifact containing that component.
- Map hits to owning teams, environments, and business criticality.
- Patch, rebuild, regenerate the SBOM, promote.
Without step 2, step 3 becomes a company-wide survey. ENISA’s SBOM Adoption State of Play 2026 report notes that interoperable, machine-readable formats are what make supply chain transparency operational at scale, not just a compliance checkbox.
An SBOM tells you what you shipped. A Vulnerability Disclosure Report (VDR) tells you what is wrong with it. Together they answer the question that matters when a CVE drops: are we affected, and where? Neither replaces the other. Both belong in the same response workflow.
SBOM Anatomy
An SBOM is not a spreadsheet export. It is a structured document. The two formats teams encounter most often are CycloneDX and SPDX.
{
"type": "library",
"name": "litellm",
"version": "1.82.8",
"purl": "pkg:pypi/litellm@1.82.8",
"licenses": [{ "license": { "id": "MIT" } }],
"hashes": [{ "alg": "SHA-256", "content": "abc123..." }]
}The purl field (Package URL) is what makes cross-tool correlation work. When PyPI quarantines
pkg:pypi/litellm@1.82.8, teams search for that coordinate across every stored SBOM. Name-only
string matching misses transitive aliases and ecosystem differences.
The NTIA minimum elements define the baseline fields regulators reference worldwide:
| NTIA element | CycloneDX field | Used during response |
|---|---|---|
| Supplier name | supplier.name | Identifies who published the component |
| Component name | name | Primary search key |
| Version | version | Separates affected from patched releases |
| Other unique IDs | purl, cpe, swid | Cross-ecosystem matching |
| Dependency relationship | dependencies graph | Traces transitive inclusion |
| Author of SBOM | metadata.tools | Provenance of the inventory document |
| Timestamp | metadata.timestamp | Shows how stale the inventory is |
Stale timestamps are an underreported failure mode. An SBOM generated at build time and never updated describes the artifact at release, not what is running six months later.
Compliance Requirements by Jurisdiction
SBOM requirements are no longer advisory in major markets. The fields differ by sector, but the NTIA minimum elements appear in nearly every framework.
| Jurisdiction | Regulation | Who it applies to | SBOM requirement | Key dates |
|---|---|---|---|---|
| United States (federal) | EO 14028 | Software sold to U.S. federal government | Machine-readable SBOM required in federal procurement | In effect via agency implementation |
| United States (healthcare) | FDA cybersecurity guidance (Section 524B, FD&C Act) | Cyber devices in premarket submission | Machine-readable SBOM with NTIA elements plus support status, end-of-support dates, vulnerability assessment | Statutory requirement for cyber devices |
| European Union | Cyber Resilience Act (Reg. EU 2024/2847) | Manufacturers placing products with digital elements on EU market | Machine-readable SBOM covering at least top-level dependencies, kept current through product lifecycle | Reporting obligations from 11 September 2026; full application from 11 December 2027 |
| European Union (technical) | BSI TR-03183-2 guidance | CRA-aligned SBOM producers | CycloneDX 1.6+ or SPDX 3.0.1+ in JSON or XML | Referenced in CRA technical guidance |
| Cross-sector baseline | NTIA minimum elements | Referenced by FDA, U.S. federal policy, industry frameworks | Seven required fields per component | Published 2021, current baseline |
FDA additions beyond NTIA. Medical device submissions require more than the seven baseline fields. The FDA cybersecurity guidance expects support status (active, legacy, unsupported), end-of-support dates, and a vulnerability assessment tied to risk controls for each component in the SBOM. SPDX or CycloneDX are the accepted machine-readable formats.
EU CRA practical timeline. Manufacturers must report actively exploited vulnerabilities from September 2026. Full SBOM documentation in technical files applies from December 2027. The European Commission’s CRA summary states that reporting obligations cover products already on the market, not only new releases. Building the SBOM pipeline in 2026 means reaching 2027 with inventory already indexed.
Format Comparison
| Format | Maintained by | Primary strength | Typical consumer |
|---|---|---|---|
| SPDX | Linux Foundation | License compliance, legal review | Legal, open source program offices |
| CycloneDX | OWASP Foundation | Vulnerability tracking, CI/CD integration | Security engineering, SRE |
| SWID | ISO/IEC 19770-2 | Enterprise asset management | IT asset management platforms |
We see organizations standardize on CycloneDX for security operations and SPDX where legal review is the primary consumer. The operational requirement is normalization: one query interface across formats.
Generation Pipeline
An SBOM belongs in the build pipeline, not in a quarterly audit. Any tool that emits valid
CycloneDX or SPDX output works. We show specific commands below as examples. Substitute trivy, grype, bomctl, or your platform’s native SBOM export
if your stack already standardizes on a different generator.
Container image (example with syft):
syft payments-api:2.4.1 -o cyclonedx-json=sbom.cdx.jsonNode.js project (example with CycloneDX CLI tooling):
npx @cyclonedx/cdxgen -o sbom.cdx.jsonPython project (example with pip and cyclonedx-bom):
cyclonedx-py environment -o sbom.cdx.jsonThe invariant matters more than the tool: every promoted artifact gets exactly one SBOM, generated from the same build that produced the binary, stored alongside the artifact digest.
{
"metadata": {
"timestamp": "2026-06-20T14:32:11Z",
"component": {
"type": "application",
"name": "payments-api",
"version": "2.4.1"
},
"tools": [{ "name": "syft", "version": "1.4.0" }]
}
}Check metadata.timestamp and metadata.component.version during audits. If they do not match
the artifact you are running, the SBOM is historical data.
Query Workflow During a 2026 Incident
When LiteLLM 1.82.8 published, the search target was pkg:pypi/litellm at versions 1.82.7
and 1.82.8. With indexed SBOMs, that becomes a query instead of a manual hunt.
Example search with jq (any JSON SBOM works):
jq '.components[] | select(.purl | test("pkg:pypi/litellm"))' sbom.cdx.jsonExample version-scoped search:
jq '.components[] | select(.purl == "pkg:pypi/litellm@1.82.8")' sbom.cdx.jsonDedicated SBOM platforms (Dependency-Track, Mend, Snyk, and others) run the same correlation at scale with CVE feed integration. The mechanism is identical: match advisory coordinates against stored inventory.
For the June 2026 npm campaigns we analyzed, the search targets look different but the
workflow is the same. Query for pkg:npm/express-plugin@1.6.6. Query for
pkg:npm/@epsteinlovekids483/crossmint-wallets-sdk-pentest. Query for
pkg:pypi/openblox. Teams with CI and production SBOMs know within minutes whether those
coordinates appear in any build artifact. Teams without them learn from incident response
tickets filed by individual developers.
Adoption Checklist
We use this ordered checklist when rolling out SBOM coverage. Later steps fail without earlier ones.
-
Pick a format standard. CycloneDX for security-led programs. SPDX if legal review is the primary consumer. Document the choice.
-
Generate on every production build. Every artifact that can reach production or CI gets an SBOM at build time. Not on request. Not quarterly.
-
Attach SBOM to artifact metadata. Store alongside the image digest or package version in the registry or artifact store.
-
Index by purl and CPE. Search must work across ecosystems. Name-only matching fails on transitive dependencies and typosquat variants.
-
Wire advisory feeds to the SBOM corpus. New CVEs and malicious package advisories trigger automated inventory search before anyone opens a spreadsheet.
-
Map SBOM components to ownership. Component presence is useless without a team responsible for patching. Link inventory to service catalog entries.
-
Add reachability analysis where possible. A vulnerable library in the SBOM does not mean the vulnerable code path executes. Reachability data reduces false positives.
-
Audit CI pipelines. Workflows that install dependencies and run tests need the same SBOM coverage as production. The LiteLLM attack chain started with compromised CI tooling.
-
Retire spreadsheet inventories. If a spreadsheet and an SBOM disagree, the build pipeline SBOM wins.
What Inventory Does Not Solve
SBOMs do not stop malware from entering a supply chain. They do not replace package signature verification, dependency review, or runtime monitoring. They do not tell you whether a malicious package already executed on a host. They establish the inventory layer that makes every other control auditable and every incident response scoped instead of broadcast.
When we publish threat research on npm and PyPI campaigns, the first operational question from affected organizations is always scope: where did this package land? SBOM data answers that question at scale. Threat intelligence tells you what the attacker shipped. Inventory tells you whether it reached your builds.
The teams that contained the LiteLLM incident fastest were not the ones with the best scanner. They were the ones who already knew what was inside every artifact they ran.
Where Centriole Fits
Everything above can be assembled from separate tools: a generator in CI, a spreadsheet for tracking, a vulnerability database, and manual correlation when an advisory drops. Many teams start there. The friction shows up at the handoffs: the SBOM exists but nobody can search it org-wide, the CVE feed fires but nobody knows which repos are affected, compliance asks for license posture and the answer lives in five different exports.
Centriole is an AI-Powered supply chain security platform built to connect those layers. It is not a replacement for your build pipeline or your incident runbook. It is the inventory and correlation layer that makes the runbook executable at org scale. Here is where it maps to the workflow this post describes.
Generation and inventory
Connect GitHub, GitLab, Bitbucket, container registries, or upload CycloneDX and SPDX files directly. Centriole generates SBOMs from connected sources and indexes every component by purl, version, ecosystem, and supplier across the organization. When the adoption checklist says “generate on every build” and “index by purl,” this is the layer that stores and normalizes that data so it is searchable from one place instead of scattered across registries and CI artifacts.
Scope when an advisory drops
This is the LiteLLM scenario. A malicious or vulnerable package publishes. Centriole’s threat intelligence view crosses external advisories (CVE, GHSA, OSV, CISA KEV) against your stored inventory. A separate malicious-components feed flags packages identified in supply chain attacks and shows which of them appear in your SBOMs. You are not reading a global threat feed and guessing. You are seeing which advisories hit your actual builds.
Search by purl works org-wide: pkg:pypi/litellm@1.82.8, pkg:npm/express-plugin@1.6.6, or
any coordinate from an advisory maps to the sources, projects, and artifacts that contain it.
Triage and prioritization
Raw SBOM plus CVE data produces thousands of matches. Most are not actionable. Centriole correlates vulnerabilities with reachability context, transitive dependency chains, EPSS exploit probability, and KEV status to surface issues that matter in your environment. Each issue shows the dependency path from your application down to the affected component, so engineers know whether they are patching a direct dependency or upgrading a parent package.
The transitive dependency analysis on individual issues traces alternate inclusion paths across sources. That is the difference between “log4j is somewhere in the org” and “log4j is in payments-api via spring-boot-starter, owned by the platform team, reachable in production.”
Compliance and audit evidence
The Compliance dashboard aggregates license posture, SBOM coverage, and compliance signals across every scanned source in the organization. It surfaces copyleft conflicts, unknown licenses, proprietary license issues, and ecosystem breakdowns. Exportable reports give auditors a machine-readable trail tied to actual scan data, not a manually maintained spreadsheet.
Centriole maps open issues to regulatory frameworks your organization cares about: EU CRA, FDA Section 524B, EO 14028 / SSDF, PCI DSS, HIPAA, SOC 2, ISO 27001, NIST SP 800-53, NIS2, DORA, FedRAMP, CMMC, and others. Each framework shows which controls are breached, how many issues are at risk, and estimated penalty exposure. That is the compliance table from earlier in this post, populated from live inventory instead of a quarterly audit exercise.
Cyber risk quantification (CRQ)
Security teams need to prioritize. Leadership teams need numbers. CRQ translates open vulnerabilities into financial exposure: Annualized Loss Expectancy (ALE), residual risk, and per-framework penalty exposure weighted by severity, EPSS, and industry benchmarks (IBM Cost of a Data Breach, Verizon DBIR). When a board asks “how much risk are we carrying from unpatched dependencies,” CRQ gives a defensible answer tied to the same issue data engineers see in triage.
Supply chain trust (MITRE System of Trust)
Before an incident, proactive assessment matters. Centriole’s Trust module scores packages across five pillars informed by the MITRE System of Trust: vulnerability exposure, provenance, monitoring confidence, maintenance health, and legal posture. An org-wide trust score and per-package heatmap show which dependencies are at risk before a CVE forces the conversation. Search by purl to inspect any component’s pillar breakdown and which sources pull it in.
Response and remediation
Findings need to reach the team that can fix them. Centriole integrates with Jira and Linear for ticket creation and status sync. Issue pages include remediation guidance with upgrade ordering for conflicting transitive dependencies. Security insights synthesize CVE trends, KEV exposure, and posture changes into briefings suitable for engineering leads and executives.
For teams building toward the adoption checklist in this post, the practical question is whether you want to wire five tools together or run the pipeline in one place. Either path works. The inventory layer is not optional in 2026. Centriole exists to make it searchable the day an advisory like LiteLLM lands, not the week after.
Request a demo if you want to walk through the workflow with your own repositories.