Open Source · 2026-03-24 · 0 days · Credential Theft, System Compromise

LiteLLM PyPI release stole credentials

TeamPCP compromised LiteLLM PyPI releases 1.82.7 and 1.82.8 with a credential-stealing payload that evolved from a proxy-module trigger to a wheel-level .pth file executed by Python at interpreter startup.

Story

On March 24, 2026, an attacker used a stolen PyPI publishing token to push two malicious releases of LiteLLM, the popular open-source proxy that fronts more than a hundred large-language-model APIs behind a single OpenAI-compatible interface. Versions 1.82.7 and 1.82.8 carried a credential stealer; LiteLLM maintainers BerriAI traced the token theft back to a compromised Trivy scanner that had been running in the project's own CI pipeline.

StepSecurity, which published a teardown of the wheel alongside coverage in The Register, said the two releases shipped identical payloads through different injection points. Version 1.82.7 embedded a base64 blob inside litellm/proxy/proxy_server.py, which only fired when the proxy module loaded. Version 1.82.8 was more aggressive: it placed a 34,628-byte litellm_init.pth file in the wheel's site-packages directory. Python processes every .pth file under site-packages on interpreter startup through the standard site module, so 1.82.8 ran before any application code touched LiteLLM at all. BerriAI said its official LiteLLM Proxy Docker image was not affected, because that build pinned dependencies and did not pull the compromised PyPI artifacts.
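A defender-side check for the startup mechanism described above, as an added example that is not code from StepSecurity, BerriAI or the LiteLLM project: it lists every .pth file in the interpreter's site directories that contains a line the site module would execute. The size and line-length thresholds are assumptions chosen for illustration; the file name `litellm_init.pth` is the one reported for 1.82.8.

```python
import site
from pathlib import Path

# Review thresholds are assumptions of this example, not advisory values.
# The file described above was 34,628 bytes, far above this size limit.
MAX_SIZE = 1024
MAX_EXEC_LINE = 200
KNOWN_BAD_NAMES = {"litellm_init.pth"}  # name reported for release 1.82.8


def site_dirs():
    """Directories whose .pth files the site module processes at startup."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    return [Path(d) for d in dirs if Path(d).is_dir()]


def audit_pth(directories):
    """List .pth files that run code at startup, with reasons to escalate."""
    findings = []
    for directory in directories:
        for pth in sorted(Path(directory).glob("*.pth")):
            raw = pth.read_bytes()
            lines = raw.decode("utf-8-sig", errors="replace").splitlines()
            # site.py exec()s lines that start with "import" plus space or tab;
            # other non-comment lines are only appended to sys.path.
            exec_lines = [ln for ln in lines if ln.startswith(("import ", "import\t"))]
            known_bad = pth.name in KNOWN_BAD_NAMES
            if not exec_lines and not known_bad:
                continue
            reasons = []
            if known_bad:
                reasons.append("known-bad file name")
            if len(raw) > MAX_SIZE:
                reasons.append(f"size {len(raw)} bytes")
            if any(len(ln) > MAX_EXEC_LINE for ln in exec_lines):
                reasons.append("long executable line")
            findings.append({"file": str(pth), "exec_lines": len(exec_lines),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_pth(site_dirs()):
        flag = "ESCALATE" if f["reasons"] else "review"
        print(f"[{flag}] {f['file']}: {f['exec_lines']} executable line(s) "
              f"{'; '.join(f['reasons'])}")
```

Short executable lines are reported without an escalation reason because legitimate packages also ship them; those entries still deserve a look at which module they import.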

The payload swept the host for SSH keys, AWS, GCP and Azure credentials, Kubernetes tokens, Docker credentials, shell history, environment variables, crypto wallets, TLS certificates, and CI/CD configuration. It also made live API calls to AWS Secrets Manager and any reachable Kubernetes API. Stolen material was bundled into tpcp.tar.gz and encrypted with the same RSA/AES pattern StepSecurity attributes to the threat group it calls TeamPCP. Where pod permissions allowed, the malware attempted a privileged pod deployment to reach the underlying node.

BerriAI removed the affected releases from PyPI, deleted publishing tokens, rotated maintainer accounts, paused new releases, and engaged Mandiant for an outside review of its repositories and CI/CD. The Python Packaging Authority issued an advisory telling anyone who had installed and run either version to assume every credential reachable from the LiteLLM environment was exposed and to rotate it from a clean system.

Affected Artifacts

litellm

pypi · repository · Source Archive
Observed
2026-03-24
Compromised Versions
Fixed
Not listed
Hashes
  • sha256:71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238

LiteLLM maintainers said the official LiteLLM Proxy Docker deployment path was not impacted; the recorded affected scope is direct PyPI installation of versions 1.82.7 and 1.82.8.

Incident Context

Motive
Credential Theft, Lateral Movement
Attribution
Group
Cause
Compromised Account Credentials
Transitive
Yes
Actor
Advanced Persistent Threat

External References

Source record: oss/attacks/litellm/meta.yaml