My minute-by-minute response to the LiteLLM malware attack
4 hours ago
- #System Shutdown
- #Claude Code
- #Process Analysis
- Claude Code v2.1.81 had 5 instances running at shutdown time.
- Shutdown timeline: initiated at 01:36:33, stalled at 01:36:36, and system booted at 01:37:11.
- Process tree included normal MCP server bridges and a deadlocked uv run chain.
- 14 orphaned python -c processes were found, all stuck reading from a dead pipe.
- The exec(base64.b64decode('...')) pattern is not malware but a safe transport mechanism for Python tooling.
- The 11k process storm was likely a runaway spawning loop from a Claude Code tool/agent interaction or a uv run script.
- No persistence mechanisms or malicious indicators were found.
- Recommendations include checking for looping agents, using killall python3.13, and setting process limits.
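
The process-level checks summarised above (orphaned python -c processes, the exec(base64.b64decode(...)) launcher pattern, and a parent that keeps spawning children) can be run over a saved process listing. This is an added example, not code from the original post; the sample listing is constructed, and the `triage` function, its `storm_threshold` parameter, and the "orphans reparent to PID 1" test are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `ps -A -o pid,ppid,args` output (not data from the incident).
SAMPLE_PS = """\
  PID  PPID ARGS
  501     1 /usr/bin/python3.13 -c import base64; exec(base64.b64decode('...'))
  502     1 /usr/bin/python3.13 -c import base64; exec(base64.b64decode('...'))
  610   600 uv run server.py
  611   610 python3.13 -c print('ok')
  612   610 python3.13 -c print('ok')
  613   610 python3.13 -c print('ok')
  700     1 /usr/sbin/sshd
"""

PY_C = re.compile(r"(^|/)python[\d.]*\s+-c\s")          # any `python... -c` invocation
B64_EXEC = re.compile(r"exec\(\s*base64\.b64decode\(")  # launcher pattern named above


def triage(ps_text, storm_threshold=3):
    """Summarise python -c processes: orphans, base64-exec launchers, busy parents."""
    orphans, b64, per_parent = [], [], Counter()
    for line in ps_text.splitlines()[1:]:               # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        pid, ppid, args = int(parts[0]), int(parts[1]), parts[2]
        if not PY_C.search(args):
            continue
        per_parent[ppid] += 1
        if ppid == 1:                                   # assumption: orphans reparent to PID 1
            orphans.append(pid)
        if B64_EXEC.search(args):                       # recorded for review, not a verdict
            b64.append(pid)
    # A live parent with many python -c children is a candidate spawning loop.
    loops = {p: n for p, n in per_parent.items() if p != 1 and n >= storm_threshold}
    return {"orphans": orphans, "base64_exec": b64, "spawn_loops": loops}


if __name__ == "__main__":
    print(triage(SAMPLE_PS))
```

To use it on a live host, pass the text of `ps -A -o pid,ppid,args` to `triage` instead of the sample.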