litellm
LiteLLM PyPI Credential Stealer and Kubernetes Backdoor
TeamPCP compromised LiteLLM PyPI releases 1.82.7 and 1.82.8 with a credential-stealing payload that evolved from a proxy-module trigger to a wheel-level .pth file executed by Python at interpreter startup. The malware harvested environment, SSH, cloud, Kubernetes, package-manager, CI/CD, and wallet secrets, encrypted the archive with a TeamPCP RSA/AES scheme, and exfiltrated it as tpcp.tar.gz. It also attempted user-level persistence and, where Kubernetes permissions allowed, deployed privileged pods to backdoor cluster nodes. The incident is historically important as a stealthy Python-packaging abuse case where the second release executed even when LiteLLM itself was never imported.
- Date: 2026-03-24
- Category: Open Source
- Target Surface: Package registry
- Insertion Phase: distribution
- Impact: Credential theft
- Cause: Compromised Account/Credentials
What Was Affected
Compromised Versions
- 1.82.7
- 1.82.8
Incident Context
- Motive: Credential Theft/Lateral Movement
- Attribution: Advanced Persistent Threat
- Transitive: Yes
- User Impact: 0
- Observed Duration: 0 days
Evidence
Compromised Artifacts
Indicators and Changes
Hashes
sha256:71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238
External References
- blog.dreamfactory.com/five-supply-chain-attacks-in-twelve-days-how-march-2026-broke-open-source-trust-and-what-comes-next
- docs.litellm.ai/blog/security-update-march-2026
- cycode.com/blog/lite-llm-supply-chain-attack
- stepsecurity.io/blog/litellm-credential-stealer-hidden-in-pypi-wheel
- github.com/BerriAI/litellm/issues/24512
Source Data
Source record: oss/litellm/meta.yaml