PyPI supply‑chain exfiltration (litellm)
A supply‑chain attack was discovered in the litellm PyPI package (popular: ~4k stars, 95M monthly installs): a poisoned .pth file exfiltrates SSH, AWS, Kubernetes and .env credentials. Users should check for versions >1.82.6, rotate keys, and run the vendor self‑checks. The vulnerability touches common tooling used in ML workflows (DSPy, MLflow), making it an immediate operational security issue for infra teams. (x.com)
Project disclosure and public issue threads confirm that two malicious LiteLLM releases were published to PyPI on March 24, 2026: v1.82.7 and v1.82.8. (docs.litellm.ai) Analysis of the builds shows that v1.82.7 carried an obfuscated payload inside litellm/proxy/proxy_server.py, while v1.82.8 introduced a litellm_init.pth that executes code at Python interpreter startup, with no import of the package required. (penligent.ai) The litellm_init.pth file in v1.82.8 was 34,628 bytes and appeared in the wheel RECORD with a matching SHA‑256 entry, providing concrete artifact-level evidence of the injection. (stepsecurity.io)

PyPI quarantined the malicious releases and the package was subsequently pulled from the index; downstream projects including MLflow applied emergency pins to known-clean LiteLLM versions. (awesomeagents.ai) Multiple responders and analysis teams attributed the publication to the TeamPCP campaign and traced the chain of compromise to a prior breach of the Trivy scanner used in LiteLLM’s CI/CD, which exposed the PyPI publish token. (infosecurity-magazine.com, snyk.io)

Technical writeups report that the malware packaged harvested secrets into tpcp.tar.gz, encrypted them with a hybrid AES‑256/RSA‑4096 scheme, and exfiltrated the data to the attacker-controlled domain models.litellm.cloud. (integrity360.com, docs.litellm.ai) Build-window timelines indicate the malicious wheels were available for a brief interval on March 24, 2026 (roughly between 10:39 UTC and ~16:00 UTC), so any pip install or Docker build during that window is a potential exposure event. (docs.litellm.ai, dev.to)
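A defender-side self-check that follows from the .pth mechanism described above, written here as an added example rather than code from the LiteLLM project or from any of the cited analyses: it lists every .pth file on the interpreter's path, attributes each to the installed distribution whose RECORD lists it, and flags files whose startup `import` lines also pull in decoding, network or process primitives. The marker list is an assumption about what a legitimate path-hook .pth rarely needs, and the sample lines in the comments are constructed.

```python
"""Audit .pth files on this interpreter: who installed them, and do they run code?

site.py executes any .pth line beginning with "import " (or "import\t") at
startup, before any user code runs; the malicious litellm v1.82.8 wheel shipped
litellm_init.pth to abuse this. Added example, not LiteLLM project code.
"""
import re
import site
from importlib import metadata
from pathlib import Path

EXEC_LINE = re.compile(r"^import[ \t]")  # lines site.py will exec() at startup
# Assumed marker list: decoding, network or process primitives that a
# legitimate path-hook .pth (e.g. distutils-precedence.pth) rarely needs.
SUSPICIOUS = re.compile(r"\b(exec|compile|base64|zlib|marshal|subprocess|socket|urllib)\b")


def analyze_pth(text: str) -> dict:
    """Classify .pth contents: count executable lines and list suspicious primitives."""
    exec_lines = [ln for ln in text.splitlines() if EXEC_LINE.match(ln)]
    markers = sorted(set(SUSPICIOUS.findall(text)))
    # Legitimate hook files do use import lines, so only flag when startup
    # code also pulls in decode/network/process tooling.
    return {"exec_lines": len(exec_lines), "markers": markers,
            "flag": bool(exec_lines and markers)}


def pth_owners() -> dict[str, str]:
    """Map each .pth filename listed in an installed RECORD to its distribution."""
    owners = {}
    for dist in metadata.distributions():
        for f in dist.files or []:
            if f.suffix == ".pth":
                owners[f.name] = f"{dist.metadata['Name']} {dist.version}"
    return owners


def audit(dirs=None) -> list[dict]:
    """Report every .pth in the given (default: site-packages) dirs with owner and verdict."""
    if dirs is None:
        dirs = getattr(site, "getsitepackages", lambda: [])() + [site.getusersitepackages()]
    owners = pth_owners()
    report = []
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            r = analyze_pth(pth.read_text(errors="replace"))
            # A .pth that no RECORD claims was not installed by pip and deserves a look.
            r.update(path=str(pth), owner=owners.get(pth.name, "UNKNOWN (not in any RECORD)"))
            report.append(r)
    return report


if __name__ == "__main__":
    for r in audit():
        print("FLAG" if r["flag"] else "ok  ", r["path"], r["owner"], r["exec_lines"], r["markers"])
```

Run it in every environment (and container image layer) built during the exposure window; a flagged file, or one attributed to no installed distribution, is the artifact to preserve before rotating the credentials it could have read.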