PyPI supply-chain compromise hits LiteLLM

A supply‑chain attack on the LiteLLM PyPI packages reportedly reached Mercor through two poisoned releases and raised concerns about exposed AI gateway credentials. The incident highlights how quickly package dependency compromises can freeze work and threaten secrets in inference toolchains (intelligentliving.co).

LiteLLM is a Python package that sits between an app and multiple artificial intelligence models, like a universal plug adapter that lets one program talk to OpenAI, Anthropic, and others through one layer. On March 24, 2026, two poisoned LiteLLM releases on the Python Package Index turned that adapter into a credential thief. (blog.pypi.org)

The Python Package Index is the main warehouse for Python code, and many teams let servers pull the newest package version automatically during builds. PyPI said the malicious LiteLLM versions were downloaded more than 119,000 times during the attack window, and it estimated LiteLLM normally sees 15 million to 20 million installs a week. (blog.pypi.org)

The attack hit versions 1.82.7 and 1.82.8, which were uploaded directly to PyPI after an attacker got access to a maintainer account. LiteLLM said those versions never came through its official GitHub release pipeline, which is why PyPI showed code that the project’s own repository did not. (github.com) (docs.litellm.ai)

Version 1.82.7 needed a specific LiteLLM proxy file to be imported before the bad code ran. Version 1.82.8 was worse because it added a `.pth` startup file, which meant the malware could run whenever Python started, even if nobody imported LiteLLM at all. (github.com)

The code searched for things developers leave around their machines and servers: environment variables, Secure Shell keys, cloud credentials for Amazon Web Services and Google Cloud, database passwords, and continuous integration files. LiteLLM’s incident post said the goal was credential theft, and the GitHub disclosure listed exfiltration to an attacker-controlled domain that looked similar to the real LiteLLM brand. (docs.litellm.ai) (github.com)

PyPI said this was not the usual fake-package scam where attackers hope somebody mistypes a name. This time the malware was injected into a real package that was already widely used, which is closer to replacing medicine inside a trusted bottle than leaving a fake bottle on the shelf. (blog.pypi.org)

Mercor then said it was one of the companies hit by the compromise. TechCrunch reported on March 31, 2026 that Mercor confirmed a security incident, said it had contained and remediated it, and brought in outside forensic experts. (techcrunch.com) That detail matters because Mercor is not a tiny test project. TechCrunch said the company, founded in 2023, works with OpenAI and Anthropic, handles more than $2 million in daily payouts, and was valued at $10 billion after a $350 million Series C round in October 2025. (techcrunch.com)

PyPI’s own timeline shows how little time teams had to react. The index said the first user report arrived 1 hour and 19 minutes after upload, the package was quarantined 1 hour and 12 minutes later, and the total exposure time was 2 hours and 32 minutes. (blog.pypi.org)

LiteLLM said the official Docker image for its proxy was not affected because that image pins exact dependency versions instead of grabbing the latest package at install time. On March 30, 2026, the project released LiteLLM 1.83.0 through a rebuilt pipeline with isolated environments and stronger release controls. (docs.litellm.ai)

The ugly lesson is that one compromised package can freeze work far beyond the package itself. PyPI warned that once malware steals publishing tokens, GitHub credentials, or cloud keys from one developer machine, those secrets can be used to poison more packages and keep the cycle going. (blog.pypi.org)
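Two mechanisms in the account above are worth checking for on your own hosts: a `.pth` file in `site-packages` whose lines begin with `import` (the interpreter executes such lines at every startup, which is how a payload can run without anyone importing the package), and a floating dependency that pulls whatever version PyPI serves at build time (the pinned Docker image escaped for exactly this reason). The script below is an added example, not tooling from LiteLLM or PyPI. The only real identifiers it uses are the two version numbers the write-up names; the `.pth` text and the requirements file it scans are constructed samples, and the function names are this example's own.

```python
"""Defensive checks for the two mechanisms described in the LiteLLM incident:
known-bad package versions and executable `.pth` startup files.

Added example, not LiteLLM's or PyPI's own code. Sample inputs are constructed.
"""
from __future__ import annotations

import re
import sysconfig
from importlib.metadata import distributions
from pathlib import Path

# The two versions the incident write-up says were uploaded outside the release pipeline.
KNOWN_BAD: dict[str, set[str]] = {"litellm": {"1.82.7", "1.82.8"}}


def is_known_bad(name: str, version: str) -> bool:
    """True when (package, version) is on the known-bad list (name normalised like pip does)."""
    return version in KNOWN_BAD.get(name.lower().replace("_", "-"), set())


def executable_pth_lines(pth_text: str) -> list[str]:
    """Return the lines of a .pth file that the interpreter would execute at startup.

    site.py treats a .pth line beginning with 'import ' or 'import\\t' as a statement
    and exec()s it; every other non-comment line is just a path appended to sys.path.
    A legitimate .pth file rarely needs an import line, so each one deserves a read.
    """
    return [
        line.rstrip()
        for line in pth_text.splitlines()
        if line.startswith(("import ", "import\t"))
    ]


def scan_site_packages(site_dir: Path) -> dict[str, list[str]]:
    """Map every .pth file under site_dir to its executable lines (empty list = paths only)."""
    return {
        p.name: executable_pth_lines(p.read_text(errors="replace"))
        for p in sorted(site_dir.glob("*.pth"))
    }


def installed_known_bad() -> list[tuple[str, str]]:
    """Flag distributions in the current environment whose version is on the known-bad list."""
    hits = []
    for dist in distributions():
        name = dist.metadata["Name"] or ""
        if is_known_bad(name, dist.version):
            hits.append((name, dist.version))
    return hits


# name, optional [extras], then the version specifier / markers that follow
_REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?(.*)$")


def parse_requirements(requirements_text: str) -> list[tuple[str, str | None]]:
    """Return (name, exact_version_or_None) for each requirement line.

    Only an '==' pin counts as exact; '>=', '~=' and a bare name all float and would
    have pulled the poisoned release the moment it was published.
    """
    parsed = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):          # blank line or pip option (-r, --hash ...)
            continue
        m = _REQ_LINE.match(line)
        if not m:
            continue
        name, _extras, rest = m.groups()
        pin = re.search(r"(?<![<>!~])==\s*([^\s,;]+)", rest)
        parsed.append((name, pin.group(1) if pin else None))
    return parsed


def unpinned_requirements(requirements_text: str) -> list[str]:
    """Names whose version floats (no '==' pin)."""
    return [name for name, ver in parse_requirements(requirements_text) if ver is None]


def known_bad_pins(requirements_text: str) -> list[tuple[str, str]]:
    """Pinned requirements that pin to a version on the known-bad list."""
    return [(n, v) for n, v in parse_requirements(requirements_text) if v and is_known_bad(n, v)]


# Constructed sample inputs (not taken from the incident).
SAMPLE_PTH = (
    "/opt/app/vendor\n"
    "# a comment line is ignored by site.py\n"
    "import sys; sys.path.insert(0, '/opt/app/plugins')\n"
)
SAMPLE_REQUIREMENTS = (
    "litellm                     # floats\n"
    "requests==2.31.0\n"
    "fastapi>=0.100\n"
    "uvicorn[standard]==0.23.0\n"
    "-r other.txt\n"
)

if __name__ == "__main__":
    site_dir = Path(sysconfig.get_paths()["purelib"])
    for fname, lines in scan_site_packages(site_dir).items():
        if lines:
            print(f"{fname}: executes {len(lines)} line(s) at startup -> {lines}")
    print("installed known-bad:", installed_known_bad())
    print("floating requirements:", unpinned_requirements(SAMPLE_REQUIREMENTS))
```

Run it inside the virtual environment or container image you want to audit; `scan_site_packages` only looks at that interpreter's `purelib` directory, so a system Python and a project venv must be checked separately. The `.pth` check deliberately reports every executable line rather than trying to classify them, because the safe response to an unexpected startup hook is to read it, not to pattern-match it.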
