PyPI LiteLLM trojaned
The popular LiteLLM PyPI package was compromised in a supply-chain attack that injected a backdoor capable of stealing credentials from projects that use it, hitting an ecosystem of AI gateways and agent tools. The incident highlights real-world dependency risk for Python projects and prompted emergency advisories from security trackers. (x.com) (bankinfosecurity.com)
Malicious LiteLLM releases 1.82.7 and 1.82.8 were published to PyPI on March 24, 2026, with version 1.82.8 introducing a litellm_init.pth file that executes code on every Python interpreter startup. (penligent.ai) Multiple incident reports and platform advisories attribute the uploads to the threat actor TeamPCP and link the compromise to an exposed publishing/API token stemming from the earlier Trivy breach. (csoonline.com) Analysts describe a three‑stage payload that harvested cloud credentials (AWS, GCP, Azure), Kubernetes configuration files, SSH keys, GitHub tokens and cryptocurrency wallet data, then encrypted exfiltrated material before sending it to attacker infrastructure. (bastion.tech)
Researchers and industry posts estimate LiteLLM’s footprint at roughly 95–97 million downloads per month and list direct dependents such as CrewAI, Browser‑Use and Opik, which amplified the incident’s cascading impact across AI gateways and agent frameworks. (comet.com) PyPI removed the malicious releases the same day, while LiteLLM’s maintainers reported rotating publishing credentials, pausing new releases, and engaging external forensic assistance reportedly including Google Mandiant. (docs.litellm.ai)
Technical recommendations coming from post‑incident analyses include searching site‑packages for unexpected .pth files (for example litellm_init.pth), verifying installed versions with pip (e.g., pip show litellm or pip list), and performing immediate CI/CD token and secrets audits. (penligent.ai) Incident response advisories uniformly instruct affected environments to rotate any credentials accessible to processes that ran the compromised versions and to adopt short‑term mitigations such as dependency pinning and reproducible builds while the supply chain is reviewed. (bastion.tech)
Concrete project ideas directly inspired by this attack include building a Python scanner that inspects virtualenv/site‑packages for packages that install .pth files and a CI gate that rejects builds when transitive dependencies publish new releases—both mirror detection and hardening steps in the public analyses. (penligent.ai)
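The .pth check recommended in the post-incident analyses, sketched as a small scanner; this is an added example, not code from LiteLLM, PyPI or the cited reports. It relies on the standard `site` module behaviour that any `.pth` line starting with `import` is executed at interpreter startup; the function names and the known-bad list (only `litellm_init.pth`, the name given above) are assumptions of this example.

```python
import site
import sys
import sysconfig
from pathlib import Path

# File name reported in the advisories above; extend as needed.
KNOWN_BAD_NAMES = {"litellm_init.pth"}


def site_dirs():
    """Site-packages directories of the running interpreter."""
    dirs = {sysconfig.get_path("purelib"), sysconfig.get_path("platlib")}
    try:
        dirs.update(site.getsitepackages())
        dirs.add(site.getusersitepackages())
    except AttributeError:  # older virtualenv layouts lack these helpers
        pass
    return sorted(Path(d) for d in dirs if Path(d).is_dir())


def executable_lines(pth_file):
    """Lines site.py would exec(): those starting with 'import' + space/tab."""
    text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    return [(n, line.rstrip()) for n, line in enumerate(text.splitlines(), 1)
            if line.startswith(("import ", "import\t"))]


def scan(directories):
    """Return one finding per suspicious .pth file in the given directories."""
    findings = []
    for directory in directories:
        for pth in sorted(Path(directory).glob("*.pth")):
            code = executable_lines(pth)
            if pth.name in KNOWN_BAD_NAMES:
                reason = "known-bad name"
            elif code:
                reason = "executes code at startup"
            else:
                continue  # plain path entries only
            findings.append({"path": str(pth), "reason": reason, "lines": code})
    return findings


if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]] or site_dirs()
    for f in scan(targets):
        print(f"[{f['reason']}] {f['path']}")
        for n, line in f["lines"]:
            print(f"    line {n}: {line[:120]}")
```

Legitimate packages (setuptools, editable installs) also ship `.pth` files with import lines, so each hit is something to review against the package that owns it, not proof of compromise.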