LiteLLM supply‑chain breach
A supply‑chain attack in LiteLLM’s Python packages stole credentials from millions of environments, exposing agent runtimes and developer secrets — the incident forced rapid containment and spawned community scanners within 24 hours. Engineering controls like dependency pinning, code signing and supply‑chain telemetry were highlighted as immediate mitigations after SAP LeanIX containment and a free scanner release from Point Wild. (medium.com) (prnewswire.com)
Malicious LiteLLM releases 1.82.7 and 1.82.8 were published to PyPI on March 24, 2026 and the project paused new releases while investigating the incident. (penligent.ai) Version 1.82.8 introduced a litellm_init.pth that executes at Python interpreter startup, while 1.82.7 carried a payload inside litellm/proxy/proxy_server.py — turning the compromise into an interpreter-wide credential harvest vector. (penligent.ai) The backdoor operated as a multi-stage credential stealer that exfiltrated SSH keys, cloud provider credentials and API tokens, and included components that enabled lateral movement into Kubernetes clusters and persistent backdoors on nodes. (bleepingcomputer.com) Security researchers and vendors attribute the operation to threat group “TeamPCP,” which used an earlier Trivy compromise to harvest a PYPI_PUBLISH token and then pushed poisoned packages as part of a broader campaign across Trivy, Docker Hub, npm and PyPI. (thehackernews.com) Vendors reported large-scale exposure metrics: Point Wild estimated roughly 3 million daily downloads for LiteLLM and announced about 500,000 credentials confirmed stolen, while other analysts put LiteLLM’s usage at ~95 million downloads per month (≈3.4M/day). (prnewswire.com) PyPI quarantined the malicious releases within roughly an hour to 90 minutes after publishing (publish timestamps reported ~10:39 and ~10:52 UTC, quarantine observed around ~11:25 UTC), but the short window still allowed wide downstream exposure. (threatlabsnews.xcitium.com) Responses included immediate containment playbooks: LiteLLM paused releases, SAP LeanIX published mitigation/containment guidance for customers, and Point Wild released a free scanner named who-touched-my-packages within 24 hours to detect malicious package behaviors and credential exfiltration. (docs.litellm.ai) Post‑incident advisories converged on concrete engineering controls — pinning runtime/dependency versions, signing release artifacts, improving supply‑chain telemetry and replacing env-var secrets with ephemeral secret stores — after investigators traced the vector to an unpinned Trivy component in the CI/CD pipeline. (penligent.ai)
