
Lessons from the LiteLLM Supply Chain Attack

March 25, 2026
Learn what the LiteLLM supply chain attack means for eCommerce brands and how you can protect your infrastructure, data and revenue with security best practices.

Recent reports have identified a supply chain attack targeting LiteLLM and Trivy, two widely used developer tools. While these incidents highlight the evolving risks in the digital landscape, we want to provide immediate clarity on what this means for the digital community.

What happened in the supply chain attack?

A security advisory recently identified a credential-stealing supply chain attack targeting specific Python-based developer tools. These types of attacks aim to compromise the software delivery pipeline itself, potentially exposing sensitive data or credentials.

Does this cyber attack affect your eCommerce business?

At Velstar, we prioritise stability and risk reduction for every brand we support. This incident has no direct impact on our clients, as we do not use LiteLLM or Trivy in any of our projects or delivery pipelines, meaning our infrastructure remains unaffected. We also maintain strict control over our development environments to ensure that supply chain vulnerabilities do not translate into risks for your business.

How Velstar secures your commerce ecosystem

Security isn’t a one-off fix; it’s a continuous commitment to protecting your revenue and customer data. This incident is a practical reminder that modern threats don’t always come through the front door. Attackers increasingly target the software supply chain, not just the end product.

We recommend the following technical disciplines to maintain a secure environment:

  • Apply the principle of least privilege: Restrict every API key to the minimum access required. For frontend services like Google Maps or analytics, always use domain restrictions to prevent unauthorised use.
  • Utilise IP whitelisting: For server-to-server communication, restrict keys to known static IPs so they cannot be used outside your network.
  • Use short-lived credentials: Prefer short-lived tokens or OAuth flows over long-lived API keys. Revoke inactive credentials immediately.
  • Manage secret keys securely: Never share passwords or keys via email or chat. We use secure, encrypted credential vaults or password managers to manage all sensitive access credentials.
  • Maintain supply chain awareness: Review and pin third-party tools and dependencies, so that a compromise upstream does not automatically become a risk for your business.

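The pinning discipline in the last point can be checked mechanically. The following is an added example (not code from the original post or from Velstar) that audits a pip `requirements.txt` for dependencies that are not pinned to an exact version with a hash, which is the condition under which a malicious upstream release of a Python tool can be installed silently. The file content and package names are constructed for illustration.

```python
# Added example: audit a pip requirements file for dependencies that are not
# pinned to an exact version with a --hash, so an upstream compromise cannot
# be pulled in by a routine install. Standard library only.
import re

# Constructed sample; package names are illustrative and the hash is a placeholder.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
some-internal-tool
pyyaml~=6.0
click==8.1.7
urllib3>=1.26
"""

# Exact pin: name (optional [extras]) followed by ==version
_EXACT = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([^\s;]+)")


def audit_requirements(text):
    """Return (package, verdict) for each requirement line.

    verdicts: 'ok'       exact pin plus --hash (install fails if upstream changes)
              'no-hash'  exact pin, but a re-published wheel would not be detected
              'unpinned' range, compatible-release (~=) or no version at all
    """
    # pip lets a requirement continue on the next line after a backslash;
    # join those so the --hash option stays with its package.
    joined = text.replace("\\\n", " ")
    findings = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name = re.split(r"[<>=~!\[\s;]", line, maxsplit=1)[0]
        if _EXACT.match(line) is None:
            findings.append((name, "unpinned"))
        elif "--hash=" in line:
            findings.append((name, "ok"))
        else:
            findings.append((name, "no-hash"))
    return findings


def unsafe_packages(text):
    """Names of requirements that would let an upstream release change silently."""
    return [name for name, verdict in audit_requirements(text) if verdict != "ok"]


if __name__ == "__main__":
    for name, verdict in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name:20} {verdict}")
```

In a CI pipeline the same check can gate merges by failing when `unsafe_packages` returns anything; `pip install --require-hashes` then enforces the pins at install time.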
Work with a security-first eCommerce partner

At Velstar, we help brands build and maintain secure, high-performing eCommerce environments that protect both revenue and customer data. If you’d like to learn more about how we can support your business, speak to the Velstar team today.