LiteLLM PyPI Compromised — Multi-Stage Credential Stealer in 3M-Download Package
AI relevance: LiteLLM is a universal abstraction layer between applications and LLM providers (OpenAI, Anthropic, Google) — it handles API keys, model routing, and authentication for thousands of AI pipelines. Compromising it gives attackers direct access to the credential plane of modern AI infrastructure.
Malicious versions 1.82.7 and 1.82.8 of the litellm package were published to PyPI and remained available for at least two hours before detection. With three million daily downloads, the exposure window was significant. Sonatype blocked the versions within seconds; the incident is tracked as sonatype-2026-001357.
What happened
- The compromised versions contained a three-stage, base64-obfuscated Python payload — a launcher, a credential harvester, and a persistence mechanism.
- Layer 1 exfiltrated initial data, then decoded and executed the second stage.
- Layer 2 performed extensive reconnaissance: system info, SSH keys, Git credentials, AWS/GCP/Azure cloud credentials, Kubernetes configs and service account tokens, Terraform/Helm files, CI/CD secrets, API keys, webhook URLs, and cryptocurrency wallet data. It actively queried AWS APIs and Kubernetes secrets with stolen credentials.
- Layer 3 wrote a Python script (sysmon.py) as a system service, polling a remote C2 endpoint every 50 minutes for further instructions.
- Collected data was encrypted with AES-256-CBC (random session key) then RSA-encrypted with a hard-coded public key before exfiltration.
- Indicators point to threat group TeamPCP, with speculation linking it to LAPSUS$, though attribution remains under investigation.
Why it matters
- LiteLLM sits directly between applications and multiple AI providers — it typically has access to all API keys and environment variables in a deployment.
- This is a textbook AI supply-chain attack: compromise a package at the intersection of AI tooling and developer infrastructure to harvest credentials across the entire stack.
- The multi-ecosystem nature (cloud, CI/CD, Kubernetes, crypto wallets) means a single compromised install can cascade into full environment takeover.
- Two hours on PyPI at three million daily downloads suggests a non-trivial install base may be affected.
What to do
- Verify you are running a clean version of litellm (not 1.82.7 or 1.82.8). Pin to a known-good version.
- If you installed during the window, rotate all API keys, cloud credentials, SSH keys, Kubernetes tokens, and any secrets that were accessible on the affected system.
- Check for sysmon.py persistence and the tpcp.tar.gz exfiltration artifact.
- Use a package integrity tool (Sonatype, pip-audit) to verify PyPI downloads going forward.
- Consider requiring hash-pinned dependencies in production AI pipelines.
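The checks in the list above can be scripted for triage. The following is an added example, not code from the original write-up, Sonatype, or the LiteLLM project. The function names are hypothetical, and the directories to search are supplied by the caller because the write-up does not say where the artifacts are written.

```python
import os
import re
import sys
from importlib import metadata

BAD_VERSIONS = {"1.82.7", "1.82.8"}            # versions named in the write-up
ARTIFACT_NAMES = {"sysmon.py", "tpcp.tar.gz"}  # file names named in the write-up
LITELLM_LINE = re.compile(r"(?i)^litellm(?![\w.-])(\[[^\]]*\])?\s*(.*)$")

def installed_status():
    """Return (version, is_bad) for litellm in this interpreter, or (None, False)."""
    try:
        version = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None, False
    return version, version in BAD_VERSIONS

def audit_requirements(text):
    """Return (spec, reason) pairs for litellm entries in requirements text."""
    findings = []
    # Fold backslash continuations so a --hash on the next line is seen.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split(" #", 1)[0].strip()
        m = LITELLM_LINE.match(line)
        if not m:
            continue
        pin = re.search(r"==\s*([\w.]+)", m.group(2))
        if pin and pin.group(1) in BAD_VERSIONS:
            findings.append((line, "pins a compromised version"))
        elif not pin:
            findings.append((line, "no exact == pin"))
        if "--hash" not in line:
            findings.append((line, "no --hash, integrity not enforced"))
    return findings

def find_artifacts(roots):
    """Walk caller-supplied roots; a name match is a lead to inspect, not proof."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            hits += [os.path.join(dirpath, f) for f in files if f in ARTIFACT_NAMES]
    return sorted(hits)

if __name__ == "__main__":
    print("installed litellm:", installed_status())
    for path in find_artifacts(sys.argv[1:]):
        print("artifact name match:", path)
```

Run it with the interpreter of each affected environment, passing the directories to search as arguments.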