A malicious version of the popular LiteLLM Python package was uploaded to PyPI, potentially exposing millions of developers to credential theft in what security researchers are calling one of the most significant AI tooling supply chain attacks to date.
What Happened
On March 24, 2026, developers discovered that LiteLLM versions 1.82.7 and 1.82.8 contained malicious code. According to Sonatype's analysis, the attack was discovered by a developer whose machine began behaving erratically, in a way that resembled a fork bomb, after installing the package.
Investigation revealed a malicious .pth file. Python executes it automatically on every process startup, and it would exfiltrate sensitive credentials, including:
- SSH keys
- AWS, GCP, and Azure credentials
- Kubernetes configuration files
- Git credentials and shell history
- Environment variables containing API keys and secrets
- Cryptocurrency wallet information
- SSL private keys
- CI/CD secrets
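The startup behaviour described above comes from Python's site module, which executes any line in a site-packages .pth file that begins with "import". The following audit script is an added example, not code from LiteLLM or from the researchers cited here; the suspicious-marker list and the sample .pth contents are constructed assumptions, not details of the real payload.

```python
import re
import site
import sysconfig
import tempfile
from importlib import metadata
from pathlib import Path

BAD_LITELLM = {"1.82.7", "1.82.8"}  # versions named in the article
# Heuristic markers: an assumption for illustration, not the real payload's contents.
SUSPICIOUS = re.compile(r"exec\(|eval\(|base64|subprocess|os\.system|urllib|socket")

def executable_lines(pth_path):
    """Lines site.py would exec at startup: those starting with 'import' + space or tab."""
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    return [l.strip() for l in text.splitlines() if l.startswith(("import ", "import\t"))]

def scan_dir(directory):
    """Map each .pth file with executable lines to (lines, looks_suspicious)."""
    report = {}
    for pth in sorted(Path(directory).glob("*.pth")):
        lines = executable_lines(pth)
        if lines:
            report[pth.name] = (lines, any(SUSPICIOUS.search(l) for l in lines))
    return report

def litellm_affected(version=None):
    """True if the given (or installed) litellm version is one the article names."""
    if version is None:
        try:
            version = metadata.version("litellm")
        except metadata.PackageNotFoundError:
            return False
    return version in BAD_LITELLM

def demo():
    """Scan a temp dir holding constructed sample .pth files (not the real payload)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "paths.pth").write_text("../vendored\n# plain path entry\n")
        Path(d, "legit_hook.pth").write_text("import sys; sys.dont_write_bytecode = True\n")
        Path(d, "constructed_bad.pth").write_text(
            "import base64; exec(base64.b64decode('cGFzcw=='))\n")  # decodes to "pass"
        return scan_dir(d)

if __name__ == "__main__":
    dirs = {sysconfig.get_paths()[k] for k in ("purelib", "platlib")} | {site.getusersitepackages()}
    for d in sorted(dirs):
        for name, (lines, bad) in scan_dir(d).items():
            print("SUSPICIOUS" if bad else "review", Path(d, name), lines)
    print("litellm affected:", litellm_affected())
```

Legitimate packages also ship executable .pth lines, so every reported file needs a manual look; the marker match only orders the review.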
Scope of Impact
LiteLLM is downloaded approximately 3.4 million times per day, making it one of the most widely used packages in the AI development ecosystem. The package serves as a unified interface for calling multiple AI providers including OpenAI, Anthropic, and Cohere.
Security researchers at Datadog traced the attack to a threat actor known as TeamPCP, who obtained maintainer credentials through a prior compromise of the Trivy security scanner used in LiteLLM's CI/CD pipeline. The malicious versions were available on PyPI for approximately three hours before being quarantined.
Bot Attack on Disclosure
Aikido researchers documented an unusual tactic: when community members began reporting the compromise in GitHub issue #24512, the attackers posted 88 bot comments from 73 unique accounts in a 102-second window, attempting to bury the legitimate reports.
Key Takeaways
- LiteLLM versions 1.82.7 and 1.82.8 contained credential-stealing malware
- The package has 3.4 million daily downloads, making this a high-impact attack
- Developers who installed packages on March 24 should rotate all credentials
- The incident highlights ongoing supply chain security risks in AI development