LiteLLM Security Incident

Attackers published backdoored LiteLLM releases v1.82.7 and v1.82.8 to PyPI on March 24, 2026 during a window from 10:39–16:00 UTC; both malicious releases were later removed from PyPI. (docs.litellm.ai) Researchers say the compromise stemmed from a poisoned CI/CD chain that ran a tainted Trivy scanner, which allowed attackers to exfiltrate a PyPI publishing token and push the malicious packages; security vendors and analysts attribute the campaign to the threat cluster known as TeamPCP. (threatbook.io) The implanted payload scanned for environment variables, SSH keys, AWS/GCP/Azure credentials and Kubernetes tokens, and attempted to exfiltrate data via POST requests to models.litellm.cloud, with litellm_init.pth flagged as a local indicator of compromise. (docs.litellm.ai) Projects that installed or upgraded LiteLLM via pip on March 24, 2026 without pinned versions—or that baked unpinned installs into Docker images or CI artifacts—are explicitly listed as potentially affected, while users of the official LiteLLM Proxy Docker image were reported as not impacted. (docs.litellm.ai) Delve, the startup that handled LiteLLM’s SOC 2 and ISO 27001 compliance attestations, has been publicly scrutinized after outlets including TechCrunch highlighted the incident as a stress test of third‑party compliance assurances. (techcrunch.com) Immediate response guidance from the project and multiple security firms urged rotating exposed credentials, searching build artifacts for litellm_init.pth, pinning dependency versions, and auditing CI runners for compromised Trivy instances; several vendors reported the malicious PyPI uploads were removed. (docs.litellm.ai)