HeadlinesBriefing.com

How AI Tools Exposed a Malware Attack in 72 Minutes

Hacker News

A developer's investigation of a frozen laptop turned into the discovery of a supply chain attack after malware in litellm v1.82.8 caused system chaos. The incident began on March 24, 2026, with 11,000 processes spawning from poisoned code uploaded to PyPI. What started as routine troubleshooting escalated into identifying credential theft and Kubernetes lateral movement capabilities hidden in the compromised package.

Claude Code played a central role, both as the investigation tool and as a potential vector for the attack. The malware attempted persistence through ~/.config/sysmon/ but was interrupted by a forced reboot. Analysis revealed that the attack arrived through a dependency: futuresearch-mcp-legacy pulled in the compromised litellm version. The investigation uncovered a .pth file containing malicious code designed for credential theft and network propagation.
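A defender's check for the indicators named above, as an added example that is not code from the original write-up: it lists the .pth lines that Python's site module would execute at interpreter startup and checks for litellm 1.82.8 and the ~/.config/sysmon/ directory. The function names and the sample files in demo() are constructed for illustration.

```python
import site
import tempfile
from importlib import metadata
from pathlib import Path

BAD_PACKAGE, BAD_VERSION = "litellm", "1.82.8"         # named in the article
PERSISTENCE_DIR = Path.home() / ".config" / "sysmon"   # named in the article


def executable_pth_lines(pth_file):
    """Return (line_no, text) for lines the site module would exec at startup."""
    # site.py executes a .pth line only if it starts with "import" followed by
    # a space or tab; other non-comment lines are just added to sys.path.
    text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    return [(no, line.strip()) for no, line in enumerate(text.splitlines(), 1)
            if line.startswith(("import ", "import\t"))]


def audit_site_dirs(site_dirs):
    """Map each .pth file that has executable lines to those lines."""
    pths = (p for d in site_dirs for p in sorted(Path(d).glob("*.pth")))
    found = {str(p): executable_pth_lines(p) for p in pths}
    return {p: hits for p, hits in found.items() if hits}


def installed_bad_version(name=BAD_PACKAGE, version=BAD_VERSION):
    """True if this environment has the package version named in the article."""
    try:
        return metadata.version(name) == version
    except metadata.PackageNotFoundError:
        return False


def demo():
    """Audit a constructed site-packages directory (sample files, not real IoCs)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "paths.pth").write_text("# comment\n../vendored\n")
        Path(d, "sample_hook.pth").write_text("import os; os.getpid()\n")
        return {Path(p).name: hits for p, hits in audit_site_dirs([d]).items()}


if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for path, hits in audit_site_dirs(dirs).items():
        print(path, hits)
    print("litellm", BAD_VERSION, "installed:", installed_bad_version())
    print(PERSISTENCE_DIR, "exists:", PERSISTENCE_DIR.exists())
```

Some legitimate packages ship .pth files with import lines, so treat each hit as something to review rather than a verdict.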

Going from first symptom to public disclosure took just 72 minutes, a timeline made possible by AI-assisted analysis. The developer published a detailed disclosure post within three minutes of writing it, sharing findings across Reddit communities. This case demonstrates how modern AI tools can compress traditional security response timelines from days to minutes, though it also raises questions about whether frontier models should be trained to recognize attack patterns more proactively.