LiteLLM supply‑chain breach

An attack tied to the open‑source LiteLLM project hit downstream companies and Mercor says it was “one of thousands” affected — the hacking crew Lapsus$ has claimed responsibility and forensics are ongoing. This is being treated as a major supply‑chain case study for teams using third‑party AI tooling.

Two malicious LiteLLM releases — v1.82.7 and v1.82.8 — were published to PyPI on March 24, 2026 and remained live from 10:39 UTC for about 40 minutes before PyPI quarantined the packages. (docs.litellm.ai) Version 1.82.7 delivered a payload inside litellm/proxy/proxy_server.py, while v1.82.8 introduced a litellm_init.pth launcher that executes at Python interpreter startup, widening the attack surface beyond simple imports: the code runs in any interpreter started in that environment, whether or not it ever imports litellm. (penligent.ai) The LiteLLM team says the intrusion likely originated via the Trivy dependency used in its CI/CD security scanning workflow, and maintainers have rotated accounts and paused new releases while scanning the supply chain. (docs.litellm.ai)

Threat researchers attribute the poisoned PyPI uploads to the TeamPCP campaign, which used a compromised maintainer account to deface repos, wipe personal repos, and expose roughly 70 private BerriAI repositories in an automated sweep. (boostsecurity.io)

LiteLLM’s wide adoption magnified downstream risk — security firm Snyk reported the library was being downloaded millions of times per day, and at least one downstream victim, Mercor, confirmed a breach, with extortion group posts alleging roughly 4TB of stolen recruitment data including resumes, recorded interviews, and identity documents. (techcrunch.com) Incident response so far has included PyPI quarantines, removal of the compromised releases, scanning of CircleCI builds and repositories, and coordination with external forensics and cloud incident teams, while maintainers warn that no new LiteLLM releases will ship until the chain is fully verified. (github.com)
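A triage script for the two facts above that matter most to a defender: whether a quarantined LiteLLM version is installed, and whether any `.pth` file in site-packages carries `import` lines, which Python's `site` module executes at every interpreter start (the mechanism the v1.82.8 `litellm_init.pth` launcher relied on). This is an added example, not LiteLLM's code or anything from the incident reports; the `SAMPLE_PTH_FILES` contents are constructed, and the real launcher's contents are not reproduced.

```python
"""Added triage helper for the LiteLLM PyPI incident (not LiteLLM's own code).

Checks a defender would run on a host or build image:
  1. Is a quarantined LiteLLM release (1.82.7 / 1.82.8, per the report) installed?
  2. Do any .pth files in site-packages carry `import` lines? site.py exec's those
     at every interpreter start, so such a file runs without anything importing litellm.
SAMPLE_PTH_FILES is constructed; the real launcher's contents are not on the page.
"""
from __future__ import annotations

import site
from importlib import metadata
from pathlib import Path

MALICIOUS_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}  # versions named in the report

# Constructed sample: an ordinary path-only .pth beside a startup launcher.
SAMPLE_PTH_FILES = {
    "easy-install.pth": "/opt/venv/lib/extra\n# comment line\n",
    "litellm_init.pth": "import sys; sys.modules.setdefault('constructed_marker', sys)\n",
}


def litellm_version_is_known_bad(version: str | None) -> bool:
    """True when the version string matches a quarantined release."""
    return (version or "").strip() in MALICIOUS_LITELLM_VERSIONS


def installed_litellm_version() -> str | None:
    """Version of litellm in this environment, or None when not installed."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def executable_pth_lines(text: str) -> list[str]:
    """Lines of a .pth file that site.py would exec: those starting with 'import'."""
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def scan_pth_contents(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each .pth name that has executable lines to those lines."""
    return {n: hits for n, t in files.items() if (hits := executable_pth_lines(t))}


def scan_site_packages(dirs: list[Path] | None = None) -> dict[str, list[str]]:
    """Run scan_pth_contents over the real site-packages dirs (or the dirs given)."""
    dirs = dirs if dirs is not None else [Path(d) for d in site.getsitepackages()]
    files = {str(p): p.read_text(encoding="utf-8", errors="replace")
             for d in dirs for p in sorted(Path(d).glob("*.pth"))}
    return scan_pth_contents(files)
```

Any `.pth` the scan reports should be matched against the package that legitimately owns it (some tooling ships benign `import` lines) before being treated as a finding.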
