litellm PyPI supply‑chain breach

The litellm Python package on PyPI was compromised with two malicious releases (1.82.7 and 1.82.8) that delivered a multi‑stage credential stealer — a red flag for LLM tooling supply‑chain security. The incident underscores the need to audit and pin infra dependencies used in production stacks. (securityboulevard.com)

The first malicious wheel appeared on PyPI on March 24, 2026 and researchers report the suspect 1.82.8 artifact was published at about 10:52 UTC before public detection and reporting began. (futuresearch.ai, github.com) Analysis of the PyPI artifact shows version 1.82.7 hid a payload in litellm/proxy/proxy_server.py that ran on import, while 1.82.8 added a litellm_init.pth that executes automatically on Python startup (the .pth file in the wheel was roughly 34,628 bytes). (github.com, stepsecurity.io)

Multiple security teams and incident timelines attribute the upload to the threat actor TeamPCP after the maintainer’s PyPI account (krrishdholakia) was hijacked, and investigators tie the intrusion back to a prior compromise of Trivy used in the project’s CI/CD. (snyk.io, wiz.io)

LiteLLM sees roughly 3.4 million installs per day and security vendors reported the malicious releases were live on PyPI for on the order of hours before removal, creating a substantial short-term exposure window. (snyk.io, sonatype.com) Technical analysis from multiple firms states the payload harvested SSH keys, cloud credentials, Kubernetes config files, API keys, and crypto-wallet data and exfiltrated them to attacker-controlled domains registered the same day. (awesomeagents.ai, mend.io)

Open-source maintainers and security blogs have tracked downstream impact (Comet identified direct dependents including CrewAI, Browser-Use, Opik, DSPy, Mem0, Instructor, Guardrails, Agno, and Camel-AI) and published remediation playbooks recommending scanning for litellm_init.pth, removing affected installs, rotating keys and tokens, and pinning or signing artifacts in CI. (comet.com, techforward.io)
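The scanning step in those playbooks can be scripted. The following is an added example, not code from LiteLLM or any of the cited vendors: the function names are illustrative, the file name and version numbers are the ones reported above, and it assumes a standard wheel install layout with a `litellm-<version>.dist-info/METADATA` file.

```python
from __future__ import annotations

import site
import sys
from pathlib import Path

# Indicators taken from the report above.
BAD_VERSIONS = {"1.82.7", "1.82.8"}
PTH_NAME = "litellm_init.pth"


def metadata_version(dist_info: Path) -> str | None:
    """Return the Version header from a dist-info METADATA file, if any."""
    meta = dist_info / "METADATA"
    if not meta.is_file():
        return None
    for line in meta.read_text(encoding="utf-8", errors="replace").splitlines():
        if not line.strip():  # headers end at the first blank line
            break
        if line.lower().startswith("version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan(root: Path) -> list[tuple[str, str]]:
    """Walk root (a site-packages dir or a tree of venvs) and list findings."""
    findings = [("pth", str(p)) for p in root.rglob(PTH_NAME)]
    for dist in root.rglob("litellm-*.dist-info"):
        version = metadata_version(dist)
        if version in BAD_VERSIONS:
            findings.append(("version", f"{dist} ({version})"))
    return sorted(findings)


def default_roots() -> list[Path]:
    """site-packages directories of the interpreter running this script."""
    candidates = site.getsitepackages() + [site.getusersitepackages()]
    return [Path(c) for c in candidates if Path(c).is_dir()]


if __name__ == "__main__":
    roots = [Path(a) for a in sys.argv[1:]] or default_roots()
    hits = [hit for root in roots for hit in scan(root)]
    for kind, detail in hits:
        print(f"{kind}\t{detail}")
    sys.exit(1 if hits else 0)
```

Pass the site-packages path (or a directory of virtual environments) as an argument and run it from an interpreter outside the environment being checked, because the 1.82.8 .pth file executes when the affected Python starts.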
