“Anyone who has installed and run the project should assume any credentials available to [the] LiteLLM environment may have been exposed, and revoke/rotate them accordingly,” stated the Python Packaging Authority (PyPA) in light of the recent supply chain attack on LiteLLM.
The attack, which targeted versions 1.82.7 and 1.82.8 of LiteLLM, was executed through an injection of credential-stealing code via Trivy in the CI/CD pipeline. This malicious code was embedded in the file litellm_init.pth and was published on the Python Package Index (PyPI) on March 24, 2026, at approximately 8:30 UTC.
Shortly after the malicious packages were published, PyPI quarantined them at 11:25 UTC on the same day, but not before the compromised versions had already infiltrated numerous environments. It is estimated that 36% of cloud environments utilizing LiteLLM may have been affected.
The payload of the attack is particularly concerning as it targets environment variables, SSH keys, and cloud credentials, exfiltrating harvested data to domains controlled by the attackers, known as TeamPCP. This group has a history of compromising various ecosystems, including GitHub Actions and Docker Hub.
As the attack unfolded, TeamPCP boasted, “These companies were built to protect your supply chains yet they can’t even protect their own; the state of modern security research is a joke, as a result we’re gonna be around for a long time stealing terabytes of trade secrets with our new partners.”
Gal Nagli, a security expert, remarked, “The open source supply chain is collapsing in on itself,” highlighting the broader implications of this incident for the open-source community.
In response to the attack, users are urged to audit their environments for the compromised LiteLLM versions and to revoke any exposed credentials immediately. The Python Packaging Authority has also published a security advisory regarding the compromise.
As the dust settles, experts warn that “This campaign is almost certainly not over,” according to Endor Labs, indicating that further vulnerabilities may still be exploited.
Details remain unconfirmed regarding the full extent of the damage caused by this attack, but the ramifications for security in open-source projects are already being felt.
