LiteLLM PyPI Supply-Chain Attack — Malicious Versions 1.82.7 & 1.82.8 Published Directly to PyPI
AI relevance: LiteLLM is the most widely used LLM proxy and routing layer in production AI deployments, handling traffic to 100+ model providers — any compromise of its PyPI distribution directly threatens the security of AI inference infrastructure downstream.
What happened
- DarkAtlas researchers observed that LiteLLM versions 1.82.7 and 1.82.8 published on PyPI in March 2026 contained malicious code absent from the upstream GitHub repository — a classic supply-chain injection.
- TeamPCP attackers previously force-pushed 76 of 77 Trivy version tags to a malicious variant, causing LiteLLM's GitHub Actions CI/CD pipeline to execute the poisoned image and exfiltrate the project's PyPI publishing token.
- The two malicious versions used different injection techniques: 1.82.7 carried a Base64-encoded payload embedded inside proxy_server.py, while 1.82.8 used a different obfuscation method.
- Both versions were designed to steal credentials from infected environments — API keys, cloud tokens, and LLM provider secrets that pass through the proxy layer.
- The attack demonstrates a cascading supply-chain pattern: compromise one tool (Trivy) → poison CI/CD → steal publishing credentials → distribute malicious packages to 95M+ downloads.
- LiteLLM has over 95 million cumulative PyPI downloads, making it one of the most downloaded packages in the AI/ML ecosystem.
- Forcepoint published a detailed breakdown of the TeamPCP LiteLLM compromise, including the credential-stealing mechanics and the GitHub Actions OIDC token abuse.
Why it matters
LiteLLM sits at the center of most production AI inference pipelines — if a malicious version is installed, it gains visibility into every API key, prompt, and response flowing through the proxy. The CI/CD-to-PyPI attack path shows that even projects with clean source code can distribute compromised artifacts when their build pipeline is hijacked. AI teams relying on pip packages for core inference infrastructure need package verification, not just trust in the upstream repository.
What to do
- Verify installed LiteLLM versions with pip show litellm; if 1.82.7 or 1.82.8 from March 2026 is installed, rotate all credentials immediately.
- Use pinned hashes in requirements files or lockfiles rather than floating version specifiers.
- Enable PyPI's provenance verification or use a private package registry with integrity checks.
- Monitor CI/CD pipelines for unauthorized image pulls and suspicious workflow modifications.
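A check covering the first two steps above (confirm the installed version, then confirm that requirement lines are hash-pinned), as an added example that is not code from the briefing's sources or the LiteLLM project; the function names and the sample requirements text are constructed for illustration.

```python
"""Added example, not code from DarkAtlas, Forcepoint or the LiteLLM project:
flag the malicious LiteLLM releases named above in the running environment
or a requirements file, and report requirement lines with no --hash pin."""
import re
from importlib.metadata import PackageNotFoundError, version

MALICIOUS_LITELLM = {"1.82.7", "1.82.8"}  # versions named in this briefing
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;\\]*)")

def installed_litellm_version():
    """Version of the litellm distribution in this environment, or None."""
    try:
        return version("litellm")
    except PackageNotFoundError:
        return None

def is_malicious(ver):
    """True if ver is one of the compromised releases."""
    return ver is not None and ver.strip() in MALICIOUS_LITELLM

def _logical_lines(text):
    """Strip comments, join backslash-continued lines (multi-line --hash
    entries), and drop blanks and pip options such as --index-url."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    return [l for l in out + [buf.strip()] if l and not l.startswith("-")]

def scan_requirements(text):
    """Return (hits, unpinned): hits are (name, version) pairs pinned to a
    malicious litellm release; unpinned are lines without a --hash= option."""
    hits, unpinned = [], []
    for line in _logical_lines(text):
        m = _PIN.match(line)
        if m and m.group(1).lower() == "litellm" and m.group(2) in MALICIOUS_LITELLM:
            hits.append((m.group(1), m.group(2)))
        if "--hash=" not in line:
            unpinned.append(line)
    return hits, unpinned

# Constructed sample, not a real lockfile; the hash is an all-zero placeholder.
SAMPLE_REQUIREMENTS = """\
litellm==1.82.7
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
openai>=1.0
"""
```

Run is_malicious(installed_litellm_version()) in each deployment environment, and feed your real requirements or lockfile to scan_requirements; any entry it lists as unpinned will still resolve whatever PyPI serves, which is exactly the gap this incident exploited.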
Sources
- DarkAtlas — Inside Modern Supply Chain Intrusions: From CI/CD Abuse to Ecosystem-Wide Compromise
- SiliconAngle — Forcepoint details TeamPCP supply chain attack that turned LiteLLM into a credential stealer
- FutureAGI — LiteLLM Compromised 2026: Incident Response and Gateway Migration
- Techzine — TeamPCP compromises Python libraries via supply chain attack