LiteLLM Dependency Hit by Malware

A dependency hijack and malware incident hit LiteLLM: malicious package releases reportedly stole credentials and crashed a developer's machine, sparking fresh debate about vetting open-source AI tooling and software supply-chain risk. The episode landed amid other AI security controversies and prompted renewed calls for dependency pinning and stricter provenance checks. (techcrunch.com)

Security researcher Callum McMahon of FutureSearch opened GitHub issue #24512 after his development machine became unresponsive from a fork-bomb side effect traced to a newly installed litellm package. (github.com)

Two malicious PyPI releases, litellm 1.82.7 and 1.82.8, were identified on March 24, 2026. Version 1.82.7 carried its payload in litellm/proxy/proxy_server.py, while 1.82.8 added a litellm_init.pth startup hook that executes on Python interpreter start. (penligent.ai) That hook is the more dangerous of the two: Python's site module processes every .pth file in site-packages when an interpreter starts and executes any line beginning with "import", so code planted that way runs in every Python process on the machine, before application code and whether or not litellm is ever imported.

Security firm Snyk attributes the compromise to the actor known as TeamPCP and documents a three-stage payload: a credential harvester, encrypted exfiltration, and a persistent backdoor plus a Kubernetes worm. The exfiltration domain, models.litellm.cloud, was registered on March 23, 2026, the day before the malicious releases appeared. (snyk.io) The attacker gained the ability to publish the backdoored wheels through CI credentials stolen via a poisoned Trivy GitHub Action; PyPI quarantined the malicious uploads at about 13:38 UTC on March 24, 2026. (snyk.io) LiteLLM's maintainers reported rotating GitHub, Docker, and PyPI keys and deleting the compromised releases after the attacker used the compromised maintainer account to close and spam the initial disclosure thread. (snyk.io) Given the credential-harvesting stage, anyone who installed either version should treat every secret reachable from the affected machine (cloud keys, API tokens, kubeconfigs, CI tokens) as exposed and rotate it, not merely uninstall the package.

LiteLLM is a widely used AI gateway, with reported dependents including CrewAI, Browser-Use and DSPy and monthly download figures cited at around 95 million, so a poisoned release has a large blast radius. Security researchers and vendors immediately called for dependency pinning (ideally with hash verification, so a re-published version cannot be installed silently), stricter provenance checks on who built and published a wheel, and hardened CI controls such as short-lived publishing credentials. TechCrunch's follow-up also covered Delve's role in security compliance. (comet.com)
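The two checks a responder would most want after reading the above are to find any .pth file that executes code at interpreter start and to compare installed package versions against the releases named as malicious. The script below is an added example written for this page, not code from LiteLLM, Snyk or PyPI; the site-packages tree it scans is constructed in a temporary directory for the demo, and the `import litellm_init` line is a placeholder in the style the write-ups describe, not the real payload.

```python
"""Added example (not LiteLLM's, Snyk's or PyPI's code): two post-incident
checks for a Python environment.

1. find_executable_pth(): list .pth files containing lines that start with
   "import", which CPython's site module executes verbatim on every
   interpreter start (the mechanism behind a file like litellm_init.pth).
2. flag_known_bad(): compare installed distributions against the versions
   the write-ups name as malicious.

The site-packages tree built below is constructed for the demo, not a capture.
"""
import re
import site
import tempfile
from pathlib import Path

# Versions named as malicious in the incident write-ups above.
KNOWN_BAD = {"litellm": {"1.82.7", "1.82.8"}}

# site.py treats a .pth line as code only if it begins with "import" followed
# by a space or tab; every other non-comment line is just a path entry.
_EXEC_LINE = re.compile(r"^import[ \t]")


def find_executable_pth(site_dir):
    """Return {filename: [code lines]} for every .pth in site_dir that runs code."""
    hits = {}
    for pth in sorted(Path(site_dir).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        code = [ln for ln in text.splitlines() if _EXEC_LINE.match(ln)]
        if code:
            hits[pth.name] = code
    return hits


def installed_versions(site_dir):
    """Map normalised distribution name -> version, read from *.dist-info names."""
    versions = {}
    for d in Path(site_dir).glob("*.dist-info"):
        name, _, version = d.name[: -len(".dist-info")].rpartition("-")
        versions[name.lower().replace("_", "-")] = version
    return versions


def flag_known_bad(versions):
    """Return sorted (name, version) pairs whose version is listed in KNOWN_BAD."""
    return sorted((n, v) for n, v in versions.items() if v in KNOWN_BAD.get(n, ()))


def scan(site_dir):
    """Run both checks on one directory and return the findings."""
    return {
        "executable_pth": find_executable_pth(site_dir),
        "known_bad": flag_known_bad(installed_versions(site_dir)),
    }


def build_sample_site_packages():
    """Constructed sample: one benign path-only .pth, one hook-style .pth and
    two dist-info directories. Returns the temporary directory path."""
    root = Path(tempfile.mkdtemp(prefix="site-packages-demo-"))
    (root / "vendor-paths.pth").write_text("vendor/extras\n# comment line\n")
    # Hypothetical hook line; the module name is a placeholder, not the payload.
    (root / "litellm_init.pth").write_text("import litellm_init\n")
    (root / "litellm-1.82.8.dist-info").mkdir()
    (root / "requests-2.32.3.dist-info").mkdir()
    return str(root)


if __name__ == "__main__":
    # Demo on the constructed tree, then on this interpreter's own site-packages.
    print("constructed tree:", scan(build_sample_site_packages()))
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        if Path(d).is_dir():
            print(d, scan(d))
```

Run it inside the virtual environment that installed litellm; a non-empty `executable_pth` entry is not automatically malicious (some legitimate packages ship import hooks), but every one should be read and attributed to a package you expect. For the pinning side, a requirements file that lists `litellm==<version> --hash=sha256:<digest>` and is installed with `pip install --require-hashes -r requirements.txt` makes pip refuse any wheel whose digest differs from the one you recorded, which is what stops a re-published or newly appearing version from installing silently.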

Shared from Scout - Be the smartest in the room.