LiteLLM supply-chain attack spurs alternatives

// 63d ago SECURITY INCIDENT


LiteLLM's compromised PyPI releases turned a common LLM gateway into a supply-chain risk for teams that weren't pinning dependencies tightly. The thread reads like a migration shortlist: Bifrost for the closest drop-in swap, Kosong for agent-heavy orchestration, and Helicone for observability-first routing.

// ANALYSIS

This is the kind of incident that turns an API wrapper into critical infrastructure overnight, and the "alternatives" are really three different stack choices.

  • Bifrost is the nearest like-for-like replacement if you want the same OpenAI-compatible gateway shape; it is Go-native, Apache 2.0, supports 20+ providers, and mostly asks you to change the base URL.
  • Kosong is the most interesting if your app is really an agent runtime. It comes out of MoonshotAI/Kimi CLI and focuses on message normalization and async tool orchestration, not just provider proxying.
  • Helicone is the heaviest option but also the most complete: gateway routing plus analytics, tracing, and prompt management in one stack.
  • The benchmark claims are strong enough to justify a pilot, but I would still verify them on your own workload before moving production traffic.
  • The bigger lesson is supply-chain hygiene: pin exact versions, isolate secrets, and assume any gateway dependency can become a blast radius multiplier.
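
The pinning advice in the last bullet can be checked mechanically. This is an added example, not code from the thread or from any project named above: it flags `requirements.txt` entries that lack an exact `==` pin or a `--hash`. The sample file, its `example-lib-*` names, versions and hash are constructed placeholders, and `audit_requirements` is a hypothetical helper name.

```python
import re

# Exact pin: name, optional extras, "==", then a version with no wildcard.
PIN_RE = re.compile(r"^[A-Za-z0-9._-]+(\[[^\]]*\])?\s*==\s*[A-Za-z0-9.!+_-]+$")

# Constructed sample; package versions and the hash are placeholders.
SAMPLE = r"""# gateway service dependencies
litellm>=1.0
example-lib-a==2.0.0
example-lib-b==0.0.1 \
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
example-lib-c==1.*
"""

def logical_lines(text):
    """Yield (first_line_no, line) with comments removed and '\\' continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        start = no if start is None else start
        buf.append(line.rstrip("\\").strip())
        if line.endswith("\\"):
            continue                      # requirement continues on the next line
        joined = " ".join(p for p in buf if p)
        if joined:
            yield start, joined
        buf, start = [], None
    if any(buf):                          # file ended on a continuation
        yield start, " ".join(p for p in buf if p)

def audit_requirements(text):
    """Return (line_no, requirement, problem) for each weakly specified entry."""
    findings = []
    for no, line in logical_lines(text):
        if line.startswith("-"):          # pip options such as -r or --index-url
            continue
        spec = line.split(" --hash=")[0].split(";")[0].strip()
        if not PIN_RE.match(spec):
            findings.append((no, spec, "not pinned to an exact version"))
        if "--hash=" not in line:
            findings.append((no, spec, "no --hash, so the artifact is not verified"))
    return findings

if __name__ == "__main__":
    for no, spec, problem in audit_requirements(SAMPLE):
        print(f"line {no}: {spec}: {problem}")
```

pip enforces the hash half of this at install time when run with `--require-hashes`; the audit is useful earlier, in CI, before anything is installed.
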
// TAGS
litellm, bifrost, helicone, kosong, llm, api, open-source, self-hosted

DISCOVERED

63d ago

2026-03-25

PUBLISHED

63d ago

2026-03-25

RELEVANCE

8/10

AUTHOR

KissWild