LiteLLM PyPI Supply Chain Attack — Credential Stealer in Versions 1.82.7–1.82.8
AI relevance: LiteLLM is a widely adopted unified API wrapper for LLM providers (OpenAI, Anthropic, Azure, etc.) with millions of daily downloads — the compromised versions were present in roughly 36% of cloud environments, either directly or as a transitive dependency, making this one of the largest blast radii in recent AI infrastructure supply chain history.
- In March 2026, attackers gained access to the LiteLLM maintainer's PyPI account and published malicious versions 1.82.7 and 1.82.8 containing a multi-stage credential stealer.
- The malicious package was live for approximately two hours before removal, but the damage window was enough for significant impact across cloud environments, CI/CD pipelines, and developer machines.
- The payload was discovered by FutureSearch engineers testing a Cursor MCP plugin that pulled LiteLLM as a transitive dependency — the machine became unresponsive due to RAM exhaustion, leading to investigation.
- A litellm_init.pth file (34,628 bytes, double base64-encoded) was found in site-packages/, executing code that hooked into the Python runtime at startup.
- The malware aggressively harvested environment variables (API keys, tokens), cloud credentials (AWS, GCP, Azure), Kubernetes configs, SSH keys, Docker configs, CI/CD secrets, database credentials, and crypto wallets.
- The attack was linked to the broader TeamPCP group and a previous breach involving Trivy and other tools — a coordinated supply chain campaign, not an isolated incident.
- LiteLLM maintainers posted updates on Hacker News after their GitHub account was also compromised.
Why it matters
LiteLLM sits in the middle of AI infrastructure — it abstracts away provider differences so developers can plug AI into apps without juggling SDKs. That convenience means massive adoption, and massive adoption means a single compromised release has a catastrophic blast radius. Unlike typical malware targeting consumer machines, this payload specifically targeted the high-value secrets that AI infrastructure environments hold: LLM API keys, cloud provider credentials, and CI/CD tokens. No phishing or social engineering was needed — just pip install litellm.
What to do
- Check versions immediately — if you have LiteLLM 1.82.7 or 1.82.8 installed, uninstall and upgrade to a known clean version.
- Rotate all credentials — assume everything is compromised: API keys, cloud credentials, SSH keys, CI/CD tokens. PyPI explicitly recommends this.
- Audit your environment — check for the litellm_init.pth file in site-packages/, review access logs, monitor for unusual outbound traffic.
- Rebuild from clean state — for high-risk environments, rebuild containers and reprovision infrastructure.
- Pin dependencies — always pin exact versions, use virtual environments, and limit credential exposure to what each service actually needs.
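
An added example (not code from LiteLLM, PyPI or this advisory's sources) of the version check and .pth audit steps above: it scans site-packages directories for litellm 1.82.7/1.82.8 install metadata and the litellm_init.pth file, and goes one step further by listing executable import lines in any other .pth file for manual review. It assumes the standard `litellm-<version>.dist-info` install layout; the function names and finding labels are made up for this example.

```python
"""Audit site-packages directories for the indicators named in this advisory."""
import re
import site
import sys
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}    # compromised releases named in the advisory
PTH_NAME = "litellm_init.pth"          # startup hook file named in the advisory
# Assumption: standard wheel layout, e.g. litellm-1.82.8.dist-info
DIST_INFO = re.compile(r"^litellm-(?P<ver>[^-]+)\.dist-info$", re.I)


def audit_dir(sp_dir):
    """Return a list of (kind, path, detail) findings for one directory."""
    findings = []
    root = Path(sp_dir)
    if not root.is_dir():
        return findings
    for entry in sorted(root.iterdir()):
        m = DIST_INFO.match(entry.name)
        if m and m.group("ver") in BAD_VERSIONS:
            findings.append(("bad-version", str(entry), m.group("ver")))
        if entry.name == PTH_NAME:
            findings.append(("ioc-pth", str(entry), f"{entry.stat().st_size} bytes"))
        elif entry.suffix == ".pth" and entry.is_file():
            # site.py executes .pth lines that begin with "import"; many
            # legitimate packages use this, so these are for review only.
            for line in entry.read_text(errors="replace").splitlines():
                if line.startswith(("import ", "import\t")):
                    findings.append(("pth-exec", str(entry), line[:80]))
    return findings


def audit(dirs=None):
    """Audit the given directories, or this interpreter's own site-packages."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    return [f for d in dirs for f in audit_dir(d)]


if __name__ == "__main__":
    results = audit(sys.argv[1:] or None)
    for kind, path, detail in results:
        print(f"{kind}\t{path}\t{detail}")
    # Exit non-zero only on the advisory's own indicators.
    sys.exit(1 if any(k != "pth-exec" for k, _, _ in results) else 0)
```

Run it from an interpreter outside the suspect environment, or with `python -S`, passing the site-packages paths as arguments, so that the audit itself does not process .pth files at startup.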