LiteLLM — PyPI supply-chain compromise hits AI gateway
AI relevance: LiteLLM sits in front of model APIs and agent frameworks, so a poisoned package can steal provider keys, CI secrets, and Kubernetes credentials from the exact systems teams use to operate AI workloads.
- LiteLLM says the compromised PyPI versions were 1.82.7 and 1.82.8; both have been removed from PyPI.
- The incident appears to have bypassed the normal GitHub release path and landed as unauthorized PyPI publishes.
- 1.82.7 carried a malicious payload in `proxy_server.py`; 1.82.8 added `litellm_init.pth`, which can execute on Python startup even if LiteLLM is never imported.
- Published analyses say the payload harvested environment variables, SSH material, cloud credentials, Kubernetes tokens, database secrets, and common `.env` files.
- Multiple reports tie exfiltration to `models.litellm.cloud`, which LiteLLM says is not an official BerriAI / LiteLLM domain.
- Researchers also describe Kubernetes-aware behavior: dumping cluster secrets when service-account access exists and attempting privileged pod deployment for persistence.
- This matters beyond direct LiteLLM users because the package can arrive transitively through agent frameworks, MCP servers, and LLM orchestration tooling.
- LiteLLM says the official proxy Docker image was not affected because it pins dependencies rather than pulling the compromised PyPI builds.
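The `.pth` behavior called out above is a standard CPython `site` mechanism, not anything LiteLLM-specific: any line in a `.pth` file that begins with `import` is executed as Python code when the containing site directory is processed at interpreter startup. A minimal, benign demonstration of that mechanism, using a temporary directory and `site.addsitedir` to simulate site-packages processing:

```python
import os
import site
import sys
import tempfile

# Any .pth line starting with "import" is exec()'d when the directory is
# processed -- normally at interpreter startup for site-packages, simulated
# here with site.addsitedir on a temp dir. The file/variable names are
# illustrative, not taken from the actual payload.
d = tempfile.mkdtemp()
with open(os.path.join(d, "demo_init.pth"), "w") as f:
    # Executed as code, not treated as a path entry:
    f.write('import os; os.environ["PTH_DEMO_RAN"] = "1"\n')

site.addsitedir(d)
print(os.environ.get("PTH_DEMO_RAN"))  # → 1
```

This is why a malicious `.pth` dropped into site-packages runs in every Python process on the host, whether or not the application ever imports `litellm`.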
Why it matters
AI infrastructure is now a first-class supply-chain target. LiteLLM is valuable to attackers precisely because it often centralizes access to OpenAI, Anthropic, Bedrock, Azure OpenAI, vector stores, CI pipelines, and internal connectors. That makes one poisoned package unusually efficient: it can turn a developer box, CI runner, or model gateway into a credential vacuum and a pivot into production clusters. The more teams standardize on shared agent gateways and MCP-style tool plumbing, the bigger the blast radius of a single dependency compromise becomes.
What to do
- Find exposure: inventory every environment that could have installed `litellm==1.82.7` or `1.82.8`, including CI images, ephemeral build runners, dev boxes, and transitive dependency paths.
- Treat secrets as burned: rotate model API keys, cloud credentials, SSH keys, database passwords, and Kubernetes tokens that were reachable from affected hosts.
- Hunt for artifacts: check for `litellm_init.pth`, unexpected outbound traffic to `models.litellm.cloud`, and persistence files such as `~/.config/sysmon/sysmon.py`.
- Audit Kubernetes: review recent secret access, privileged pod creation, and unusual activity in `kube-system` if affected packages ran inside clusters.
- Reduce recurrence: pin Python dependencies, verify release provenance, and isolate agent gateways from broad cloud or cluster-admin permissions.