“Anyone who has installed and run the project should assume any credentials available to [the] LiteLLM environment may have been exposed, and revoke/rotate them accordingly,” stated the Python Packaging Authority (PyPA) in light of a recent supply chain attack that compromised LiteLLM versions 1.82.7 and 1.82.8.
The attack, which injected credential-stealing code into LiteLLM via Trivy in the CI/CD pipeline, was first detected on March 24, 2026, shortly after the malicious packages were published at approximately 8:30 UTC. PyPI acted swiftly, quarantining the compromised versions by 11:25 UTC the same day.
The malware campaign, which began in late February 2026, embedded malicious code in the file litellm_init.pth, targeting sensitive data such as environment variables, SSH keys, and cloud credentials. This breach is part of a broader pattern: TeamPCP, the threat actor behind the attack, has previously compromised other security tools and open-source projects.
Gal Nagli, a prominent figure in cybersecurity, remarked, “The open source supply chain is collapsing in on itself.” This sentiment reflects growing concerns about the integrity of security tools designed to protect software supply chains.
TeamPCP’s brazen declaration underscores the severity of the situation: “These companies were built to protect your supply chains yet they can’t even protect their own, the state of modern security research is a joke, as a result we’re gonna be around for a long time stealing terabytes of trade secrets with our new partners.”
The implications of this attack are profound, especially considering that approximately 36% of cloud environments use LiteLLM. Users are being urged to audit their environments for the compromised versions and to revoke any exposed credentials.
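A defender-side audit script, added here and not part of the article or the LiteLLM project: it classifies the installed LiteLLM version against the two affected releases and scans every site-packages directory for .pth files that either carry the reported hook filename or contain a line Python would execute at interpreter startup (the mechanism a file like litellm_init.pth relies on). The versions and hook filename are the ones the article names; the files written by demo() are constructed stand-ins.

```python
import glob
import os
import site
import tempfile
from importlib import metadata

COMPROMISED_VERSIONS = {"1.82.7", "1.82.8"}  # releases named in the advisory
HOOK_FILENAME = "litellm_init.pth"           # hook filename reported for this campaign

def litellm_status(version=None):
    """Return (version, is_compromised); looks up the installed package if none given."""
    if version is None:
        try:
            version = metadata.version("litellm")
        except metadata.PackageNotFoundError:
            return None, False
    return version, version.strip() in COMPROMISED_VERSIONS

def audit_pth_dir(directory):
    """Return (path, reason) pairs for suspicious .pth files in one directory."""
    findings = []
    for path in sorted(glob.glob(os.path.join(directory, "*.pth"))):
        if os.path.basename(path) == HOOK_FILENAME:
            findings.append((path, "known hook filename"))
            continue
        # site.py executes any .pth line beginning with 'import' at interpreter
        # startup, which is what turns a .pth file into a persistence point.
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if line.startswith(("import ", "import\t")):
                    findings.append((path, "runs code at startup: " + line.strip()))
                    break
    return findings

def audit_environment():
    """Audit the running interpreter: version status plus every .pth directory."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    return litellm_status(), [f for d in dirs for f in audit_pth_dir(d)]

def demo():
    """Constructed sample dir: benign path entry, stand-in hook, executable line."""
    samples = {"extra_paths.pth": "/opt/extra/lib\n",            # not flagged
               HOOK_FILENAME: "# constructed stand-in, no payload\n",
               "zz_startup.pth": "import os\n"}                   # flagged by content
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in samples.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(text)
        return [reason for _, reason in audit_pth_dir(tmp)]
```

Run audit_environment() inside each interpreter or virtualenv that may have had LiteLLM installed; a hit on either check means the credentials reachable from that environment should be treated as exposed.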
As the cybersecurity community grapples with the fallout, experts from Endor Labs have warned, “This campaign is almost certainly not over.” The ongoing threat highlights the need for vigilance and robust security measures in the open-source ecosystem.
Details remain unconfirmed regarding the full extent of the data exfiltrated to attacker-controlled domains, but the incident serves as a stark reminder of the vulnerabilities inherent in modern software development practices.