LiteLLM PyPI compromise shows supply-chain risk

The popular LiteLLM package (95M downloads) on PyPI was compromised by TeamPCP—another stark reminder that dependency supply chains are attack vectors. For engineers, it underlines why dependency auditing and pinned, vetted packages are non-negotiable. (x.com)

Two malicious LiteLLM releases, v1.82.7 and v1.82.8, were published to PyPI on March 24, 2026 and have been identified as carrying injected credential-stealing code. (docs.litellm.ai) Investigators say the attacker obtained the maintainer’s publish credentials after compromising a Trivy security scanner used in LiteLLM’s CI/CD pipeline, then uploaded the two poisoned packages directly to PyPI. (snyk.io) The two backdoor methods differed: v1.82.7 placed a payload inside litellm/proxy/proxy_server.py that triggered on import, while v1.82.8 added an executable litellm_init.pth so the code could run at Python startup. (github.com) The malicious code is reported to have exfiltrated SSH keys, cloud provider credentials (AWS/GCP/Azure), Kubernetes tokens, CI/CD secrets and cryptocurrency wallets. TeamPCP has claimed large-scale harvesting, though those totals remain independently unverified. (bleepingcomputer.com) PyPI suspended the litellm project and removed the compromised files within hours of publication. LiteLLM published an incident security update and identified v1.82.6 as the last known-clean release. (docs.litellm.ai) Researchers warn the package’s reach amplifies impact: analyses show LiteLLM is embedded across major AI agent frameworks and cloud fleets and registers millions of daily downloads, making unpinned transitive dependencies a key vector for lateral exposure. (comet.com)
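A check a defender could run against each Python environment, added here as an example (it is not code from LiteLLM or from the reports cited above): it flags an installed litellm at either version named above and any `.pth` file containing a line that Python's `site` module would execute at startup. The function names and the sample tree built in `demo()` are constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Versions the page names as malicious; 1.82.6 is the last known-clean release.
BAD_LITELLM = {"1.82.7", "1.82.8"}
# site.py executes any .pth line that starts with "import" plus a space or tab.
EXEC_LINE = re.compile(r"^import[ \t]")
DIST_INFO = re.compile(r"^litellm-(?P<ver>[^-]+)\.dist-info$", re.IGNORECASE)


def audit_site_dir(site_dir):
    """Return sorted (kind, entry_name, detail) findings for one site-packages dir."""
    findings = []
    for entry in Path(site_dir).iterdir():
        m = DIST_INFO.match(entry.name)
        if m and entry.is_dir() and m.group("ver") in BAD_LITELLM:
            findings.append(("bad-version", entry.name, m.group("ver")))
        elif entry.suffix == ".pth" and entry.is_file():
            text = entry.read_text(encoding="utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                if EXEC_LINE.match(line):
                    findings.append(("pth-exec", entry.name, f"line {lineno}: {line[:80]}"))
    return sorted(findings)


def demo():
    """Audit a constructed site-packages tree made of harmless stand-in files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "litellm-1.82.8.dist-info").mkdir()
        (root / "examplepkg-1.0.0.dist-info").mkdir()
        # Constructed stand-in for the startup hook; not the real payload.
        (root / "litellm_init.pth").write_text("import os; os.environ.get('HOME')\n")
        # A path-only .pth file, which site.py reads but does not execute.
        (root / "paths_only.pth").write_text("# comment\n./vendor\n")
        return audit_site_dir(root)


if __name__ == "__main__":
    import site
    for target in sys.argv[1:] or site.getsitepackages():
        if Path(target).is_dir():
            for kind, name, detail in audit_site_dir(target):
                print(f"{target}: {kind}: {name}: {detail}")
```

A `pth-exec` hit is a prompt for review rather than proof of compromise: setuptools ships `distutils-precedence.pth` with an import line, and editable installs can add similar files.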
