LiteLLM, a company whose AI gateway software is used by millions of developers, has publicly announced it is terminating its relationship with the compliance startup Delve and will redo its security certifications with another provider. The decision follows a severe security incident last week in which LiteLLM's open source version was compromised by credential-stealing malware.
Prior to the attack, LiteLLM had obtained two security compliance certifications by hiring Delve, an AI compliance startup. Such certifications are intended to verify that a company has established procedures to minimise potential security incidents.
Delve Under Scrutiny
The move comes amid serious allegations against Delve. The startup has been accused of misleading its customers about their true compliance status by generating fake data and using auditors who rubber-stamped the resulting reports. Delve's founder has denied these allegations and offered free re-tests and audits to all customers.
This denial prompted an anonymous Delve whistleblower to double down on the claims over the weekend, releasing alleged evidence to support them.
LiteLLM's New Path
On Monday, LiteLLM's Chief Technology Officer, Ishaan Jaffer, posted on the social media platform X that his company will now use Delve's competitor, Vanta, to re-certify its security posture. Furthermore, LiteLLM will engage its own independent third-party auditor to verify its compliance controls.
The decision represents a significant vote of no confidence in Delve from a high-profile client following a damaging security breach. The incident highlights the critical importance of robust, verifiable security certifications in the AI and software development sector, where gateways manage access to powerful and sensitive models.