A supply chain attack hit LiteLLM, the popular open-source LLM proxy that lets developers call 100+ AI providers through a single API. Versions 1.82.7 and 1.82.8, published to PyPI on March 23-24, contained malware designed to steal every credential on your system.
This one is bad. If you installed either version, treat every secret on that machine as compromised.
How the Attack Worked
The attacker compromised LiteLLM maintainer krrishdholakia's PyPI account, likely through a poisoned Trivy security scanner dependency in the project's CI/CD pipeline. LiteLLM's build process installed Trivy without pinning a specific version, so the attacker swapped in a modified copy that harvested CI/CD secrets, including the PyPI upload token.
With those credentials in hand, the attacker published two malicious versions directly to PyPI. Neither version exists as a tag on LiteLLM's GitHub repo. They were uploaded exclusively by the attacker's account (teampcp).
Version 1.82.7 embedded its payload inside litellm/proxy/proxy_server.py, which runs when you import the library. Version 1.82.8 went further: it added a file called litellm_init.pth (about 34KB) to site-packages. The interpreter processes every .pth file in site-packages at startup and executes any line that begins with "import", so this file ran on every Python launch, even if you never explicitly imported LiteLLM. That means simply having v1.82.8 installed in your Python environment would trigger the malware.
What It Stole
The malware harvested SSH keys, environment variables (which typically contain API keys and secrets), AWS/GCP/Azure/Kubernetes credentials, cryptocurrency wallet files, database passwords, SSL private keys, shell history, and CI/CD configuration files. It encrypted everything with AES-256-CBC and RSA-4096, then sent it via POST requests to models.litellm.cloud, a domain registered just hours before the malicious packages appeared.
For a library whose entire purpose is proxying requests to AI providers, this is particularly damaging. LiteLLM users typically have API keys for OpenAI, Anthropic, Google, and other providers sitting in environment variables on the same machine.
What to Do Right Now
PyPI has quarantined the entire LiteLLM package. The LiteLLM team has rotated maintainer accounts and brought in Google Mandiant for incident response.
If you ran either affected version:
- Check for litellm_init.pth in your Python site-packages/ directory
- Rotate every credential on affected systems: API keys, cloud provider tokens, SSH keys, database passwords
- Review access logs for any services those credentials could reach
- Pin exact dependency versions against verified GitHub releases going forward
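The first check above can be scripted. The following is an added example written for this article, not code from LiteLLM or its maintainers: it walks the site-packages directories of the current interpreter, flags the litellm_init.pth filename named above, reports any .pth file containing lines the interpreter would execute at startup (the mechanism the 1.82.8 package abused), and compares an installed version string against the two affected versions. The build_demo_environment helper and its file contents are constructed for demonstration; the sample "import" line is a harmless stand-in, not the real payload.

```python
"""Audit Python site-packages for the LiteLLM indicators described above.

Added example for this article; not LiteLLM project code.
"""
import site
import tempfile
from pathlib import Path
from typing import Iterable

# Versions named in the advisory above.
AFFECTED_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}
# Startup hook file added by the malicious 1.82.8 package.
KNOWN_BAD_PTH = "litellm_init.pth"


def executable_pth_lines(path: Path) -> list[str]:
    """Return the lines of a .pth file that Python would execute at startup.

    site.py runs any .pth line beginning with "import " (or "import\t");
    every other non-comment line is only appended to sys.path. This is why a
    .pth file can run code even when the package is never imported.
    """
    found = []
    for raw in path.read_text(encoding="utf-8", errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("import ") or line.startswith("import\t"):
            found.append(line)
    return found


def audit_site_packages(dirs: Iterable[Path]) -> dict:
    """Scan the given directories for .pth indicators.

    Returns {"known_bad": [paths], "executable_pth": {path: [lines]}}.
    An executable line is not proof of malice by itself (setuptools ships
    distutils-precedence.pth with one), but every such file should be reviewed.
    """
    findings: dict = {"known_bad": [], "executable_pth": {}}
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            if pth.name == KNOWN_BAD_PTH:
                findings["known_bad"].append(str(pth))
            lines = executable_pth_lines(pth)
            if lines:
                findings["executable_pth"][str(pth)] = lines
    return findings


def is_affected_version(version: str) -> bool:
    """True if an installed litellm version string is one of the two bad releases."""
    return version.strip() in AFFECTED_LITELLM_VERSIONS


def default_site_dirs() -> list[Path]:
    """site-packages directories of the running interpreter, including the user site."""
    dirs = [Path(p) for p in site.getsitepackages()]
    dirs.append(Path(site.getusersitepackages()))
    return dirs


def build_demo_environment() -> Path:
    """Constructed sample site-packages directory for demonstration only.

    Contains one benign .pth (path entries only) and one file with the known
    bad name carrying a harmless stand-in "import" line.
    """
    demo = Path(tempfile.mkdtemp(prefix="pth-audit-demo-"))
    (demo / "benign.pth").write_text("/opt/vendor/lib\n# comment line\n")
    (demo / KNOWN_BAD_PTH).write_text("import sys; sys.__demo_marker__ = True\n")
    return demo


if __name__ == "__main__":
    # Audit the real interpreter first, then show the constructed demo.
    for label, dirs in (("live", default_site_dirs()), ("demo", [build_demo_environment()])):
        result = audit_site_packages(dirs)
        print(f"[{label}] known bad files: {result['known_bad']}")
        for path, lines in result["executable_pth"].items():
            print(f"[{label}] executable .pth: {path}")
            for line in lines:
                print(f"    {line}")
```

Run it with the interpreter (or virtualenv) that had LiteLLM installed, since each environment has its own site-packages. Deleting the .pth file alone is not a fix; the advisory's credential rotation still applies. For the pinning step, pip's hash-checking mode (a requirements file with --hash=sha256:... entries installed with --require-hashes) rejects any artifact whose digest differs from the one you recorded, which would have refused a republished version even with a valid maintainer token.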
The broader lesson applies to every team running open-source AI infrastructure: pin your dependencies, verify package integrity against source repos, and use PyPI's Trusted Publishers (OIDC-based publishing) instead of long-lived API tokens. LiteLLM's GitHub already has an open issue proposing exactly that migration.
This is the second major supply chain attack targeting AI tooling in 2026. The attack surface keeps growing as more teams build production systems on top of open-source LLM libraries that were never designed with enterprise security in mind.