LiteLLM PyPI Supply Chain Attack — Credential Stealer in Versions 1.82.7–1.82.8

AI relevance: LiteLLM is a widely adopted unified API wrapper for LLM providers (OpenAI, Anthropic, Azure, etc.) with millions of daily downloads — the compromised versions were present in roughly 36% of cloud environments, either directly or as a transitive dependency, making this one of the largest blast radii in recent AI infrastructure supply chain history.

  • In March 2026, attackers gained access to the LiteLLM maintainer's PyPI account and published malicious versions 1.82.7 and 1.82.8 containing a multi-stage credential stealer.
  • The malicious package was live for approximately two hours before removal, but the damage window was enough for significant impact across cloud environments, CI/CD pipelines, and developer machines.
  • The payload was discovered by FutureSearch engineers testing a Cursor MCP plugin that pulled LiteLLM as a transitive dependency — the machine became unresponsive due to RAM exhaustion, leading to investigation.
  • A litellm_init.pth file (34,628 bytes, double base64-encoded) was found in site-packages/, executing code that hooked into the Python runtime at startup.
  • The malware aggressively harvested environment variables (API keys, tokens), cloud credentials (AWS, GCP, Azure), Kubernetes configs, SSH keys, Docker configs, CI/CD secrets, database credentials, and crypto wallets.
  • The attack was linked to the broader TeamPCP group and a previous breach involving Trivy and other tools — a coordinated supply chain campaign, not an isolated incident.
  • LiteLLM maintainers posted updates on Hacker News after their GitHub account was also compromised.

Why it matters

LiteLLM sits in the middle of AI infrastructure — it abstracts away provider differences so developers can plug AI into apps without juggling SDKs. That convenience means massive adoption, and massive adoption means a single compromised release has a catastrophic blast radius. Unlike typical malware targeting consumer machines, this payload specifically targeted the high-value secrets that AI infrastructure environments hold: LLM API keys, cloud provider credentials, and CI/CD tokens. No phishing or social engineering was needed — just pip install litellm.

What to do

  • Check versions immediately — if you have LiteLLM 1.82.7 or 1.82.8 installed, uninstall and upgrade to a known clean version.
  • Rotate all credentials — assume everything is compromised: API keys, cloud credentials, SSH keys, CI/CD tokens. PyPI explicitly recommends this.
  • Audit your environment — check for the litellm_init.pth file in site-packages/, review access logs, monitor for unusual outbound traffic.
  • Rebuild from clean state — for high-risk environments, rebuild containers and reprovision infrastructure.
  • Pin dependencies — always pin exact versions, use virtual environments, and limit credential exposure to what each service actually needs.
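
The version and file checks from the list above as a script, added here as an example and not taken from LiteLLM, PyPI or the advisory: it flags litellm_init.pth, a litellm dist-info directory for 1.82.7 or 1.82.8, and any other .pth line that Python's site module would execute at startup (lines beginning with import). The function names and exit codes are this example's own; the file name and version numbers are the ones given above.

```python
"""Audit site-packages directories for the indicators named in this advisory."""
import site
import sys
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # compromised releases, per the advisory
IOC_PTH = "litellm_init.pth"         # dropped file name, per the advisory

def exec_lines(pth):
    """Lines site.py would exec() at startup: those starting with 'import'."""
    try:
        text = pth.read_text(errors="replace")
    except OSError:
        return []
    return [l for l in text.splitlines() if l.startswith(("import ", "import\t"))]

def audit_dir(d):
    """Return (kind, path, detail) findings for one site-packages directory."""
    findings = []
    for entry in sorted(Path(d).iterdir()):
        name = entry.name.lower()
        if name == IOC_PTH:
            findings.append(("ioc-file", entry, f"{entry.stat().st_size} bytes"))
        elif name.endswith(".pth"):
            # Legitimate packages also ship these (editable installs, coverage),
            # so treat them as items to review, not as proof of compromise.
            for line in exec_lines(entry):
                findings.append(("review-pth", entry, line[:80]))
        elif name.startswith("litellm-") and name.endswith(".dist-info"):
            # Wheel metadata directories are named {name}-{version}.dist-info.
            version = name[len("litellm-"):-len(".dist-info")]
            if version in BAD_VERSIONS:
                findings.append(("bad-version", entry, version))
    return findings

def default_dirs():
    """Global and per-user site-packages of the running interpreter."""
    return [p for p in site.getsitepackages() + [site.getusersitepackages()]
            if Path(p).is_dir()]

if __name__ == "__main__":
    # Pass directories explicitly to audit another venv or an unpacked image.
    findings = [f for d in (sys.argv[1:] or default_dirs()) for f in audit_dir(d)]
    for kind, path, detail in findings:
        print(f"{kind:12} {path}  {detail}")
    sys.exit(1 if any(k != "review-pth" for k, _, _ in findings) else 0)
```

To audit a suspect environment, run the script from a separate, trusted interpreter and pass the suspect site-packages path as an argument; starting the suspect interpreter itself would process the .pth file before the script runs.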
