PyPI liteLLM exploit patched
A supply-chain backdoor in liteLLM (installed ~97M times monthly) was found exfiltrating credentials; maintainers pushed v1.82.8 in under an hour to mitigate the issue. Security experts warned that this kind of poisoning could hit developer toolchains and agent frameworks, including things like Claude Code integrations. (x.com)
Malicious litellm==1.82.7 and 1.82.8 were published to PyPI on March 24, 2026 and the tainted releases were deleted or quarantined within roughly three hours, with PyPI action noted by 11:25 UTC. (github.com)

Technical analysis shows 1.82.7 carried a payload embedded in litellm/proxy/proxy_server.py, while 1.82.8 added a 34,628-byte litellm_init.pth file that executes code at every Python interpreter startup. (github.com)

Security firms and researchers attribute the uploads to the TeamPCP campaign, which appears to have obtained the maintainer's PyPI publish credentials after a poisoned Trivy build in the project's CI/CD leaked secrets to an attacker-controlled endpoint. (snyk.io)

The malicious code attempted to harvest SSH keys, cloud provider credentials (AWS/GCP/Azure), Kubernetes configuration and CI/CD secrets and included tooling for lateral movement and persistence; LiteLLM's usage footprint (about 3.4 million downloads per day) and presence in an estimated ~36% of cloud environments raised the scale of potential exposure. (infoworld.com)

LiteLLM is used as an LLM gateway and explicitly documents integrations with agent frameworks such as the Claude Agent SDK—meaning compromised installs can flow credentials and access into developer agent workflows—and community contributors have already published Claude Code "attack checker" skills to detect the compromise. (docs.litellm.ai)

Project maintainers say the malicious PyPI releases have been removed, maintainer accounts and keys were changed or revoked, and incident guidance from the project and multiple security vendors urges teams to audit for litellm==1.82.7/1.82.8, look for litellm_init.pth artifacts, and rotate any possibly exposed credentials. (docs.litellm.ai)
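The audit described above (installed version 1.82.7 or 1.82.8, or a litellm_init.pth file in site-packages) can be scripted. The following is an added example, not code from the LiteLLM project or any vendor; the function names and the constructed sample directory built by `demo()` are assumptions, and the .pth file is only stat'ed, never read or executed.

```python
from __future__ import annotations
import site, sys, tempfile
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}   # malicious releases named in the text above
PTH_NAME = "litellm_init.pth"         # startup hook reported in 1.82.8

def installed_version(dist_info: Path) -> str | None:
    """Read the Version header from a *.dist-info/METADATA file."""
    meta = dist_info / "METADATA"
    if not meta.is_file():
        return None
    for line in meta.read_text(encoding="utf-8", errors="replace").splitlines():
        if line.lower().startswith("version:"):
            return line.split(":", 1)[1].strip()
        if not line.strip():          # headers end at the first blank line
            break
    return None

def audit(site_dir: Path) -> list[str]:
    """Return findings for one site-packages directory (empty list = clean)."""
    findings = []
    for dist_info in sorted(site_dir.glob("litellm-*.dist-info")):
        version = installed_version(dist_info)
        if version in BAD_VERSIONS:
            findings.append(f"bad-version:{version}")
    pth = site_dir / PTH_NAME
    if pth.is_file():                 # report the size only; never import the file
        findings.append(f"pth-present:{pth.stat().st_size}")
    return findings

def demo(version: str = "1.82.8", with_pth: bool = True) -> list[str]:
    """Audit a constructed directory that mimics an install (harmless content)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        info = root / f"litellm-{version}.dist-info"
        info.mkdir()
        (info / "METADATA").write_text(
            f"Metadata-Version: 2.1\nName: litellm\nVersion: {version}\n")
        if with_pth:
            (root / PTH_NAME).write_text("# constructed placeholder\n")
        return audit(root)

if __name__ == "__main__":
    # Directories given as arguments, else this interpreter's own site dirs.
    dirs = sys.argv[1:] or sorted({*site.getsitepackages(), site.getusersitepackages()})
    hits = {d: audit(Path(d)) for d in dirs}
    print(hits)
    sys.exit(1 if any(hits.values()) else 0)
```

Because the .pth file runs at every interpreter startup of the environment that contains it, run the script from a separate interpreter and pass the suspect site-packages paths as arguments.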