Python supply‑chain attack flagged

On March 24, 2026 two malicious releases of the popular Python package liteLLM — versions 1.82.7 and 1.82.8 — were published to the Python Package Index (PyPI) containing code that harvested credentials from affected systems. (securitylabs.datadoghq.com) The injected code was designed to collect secrets such as API keys, cloud access tokens, and SSH keys from developer machines and runtime environments, then send those secrets to attacker-controlled servers — a result that can give remote access to cloud accounts and build systems. (trendmicro.com) Investigators trace the campaign to a threat actor known as TeamPCP and found the attack moved through developer tooling and package publishing channels: compromised credentials or tooling were used to push malicious package versions to PyPI, which is the central repository Python projects use to install third-party code. (securitylabs.datadoghq.com) The payload operated in multiple stages and used a Python mechanism called a.pth file — a small file that the Python interpreter executes at startup — which meant version 1.82.8 could run its credential-stealing logic as soon as any Python process started, greatly increasing the blast radius; a separate PyPI compromise affecting the Telnyx SDK published malicious versions 4.87.1 and 4.87.2 on March 27, 2026. (phoenix.security) LiteLLM is widely embedded across AI tooling and had been reported with an estimated 95 million monthly downloads before the incident, while the Telnyx SDK has hundreds of thousands of downloads, so the number of downstream projects and CI pipelines exposed was large and diverse. (comet.com) The Python Package Index and several vendor incident reports recommend immediate steps: remove or block the affected package versions, rotate any API keys and cloud credentials that might have been present on compromised hosts, and treat build and runtime environments that used the malicious versions as fully compromised until cleaned and revalidated. (blog.pypi.org)