Multiple reports confirm a supply-chain attack targeting the popular Python AI library LiteLLM on PyPI, specifically versions 1.82.7 and 1.82.8 published March 24, 2026. The trojanized releases added a malicious .pth launcher (and other encoded payloads) that executes on every Python startup—without importing litellm—harvesting SSH keys, cloud and CI/CD credentials, kubeconfigs, env files, and crypto wallets. Researchers say data was encrypted and exfiltrated to models.litellm.cloud, with attempted Kubernetes lateral movement and persistence via backdoors and systemd user services. PyPI quarantined affected files, and users are urged to uninstall, purge caches, hunt for persistence, and rotate all secrets.
Security researchers discovered that litellm PyPI releases 1.82.7 and 1.82.8 contain a malicious litellm_init.pth file that executes automatically when the Python interpreter starts, even without importing the package. The payload is a double base64–encoded credential stealer that harvests system info, environment variables, SSH keys, cloud credentials (AWS/GCP/Azure), Kubernetes secrets, Docker and package manager configs, shell history, crypto wallets, SSL private keys, CI/CD files, and other sensitive artifacts. It then encrypts the data with AES-256, wraps the session key with a hardcoded RSA public key, packages the results, and exfiltrates them to remote endpoints. This is a high-severity supply-chain compromise affecting any environment that installed the tainted wheels, posing major risks to developer, cloud, and CI/CD credentials.
PyPI packages litellm versions 1.82.7 and 1.82.8 were found to be maliciously modified; a user discovered a base64-encoded payload in proxy_server.py that writes, decodes and executes another file, causing runaway processes and heavy RAM use. The reporter observed forkbomb-like behavior while setting up a project and has filed an upstream report; the issue is also tracked on the project's GitHub (BerriAI/litellm#24512). This is important because compromised open-source packages on PyPI can infect developer environments, CI systems, and downstream software, making supply-chain security and rapid removal/patching critical. Developers should avoid these versions and audit installations.
Researchers discovered a supply-chain compromise in the litellm PyPI package: litellm==1.82.8 includes a malicious litellm_init.pth file that auto-runs whenever the Python interpreter starts, without needing import litellm. The .pth launches a double-base64-encoded payload that harvests system and cloud credentials (SSH keys, AWS/GCP/Azure credentials, Kubernetes secrets, Docker and package manager configs, shell history, crypto wallets, CI/CD and database secrets), encrypts the data with AES-256 and a hardcoded RSA public key, and exfiltrates the archive. The malicious file is listed in the package RECORD, confirming the supply-chain compromise. This incident highlights the severe risk of PyPI package tampering to developer environments, CI systems, and cloud infrastructure security.
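The .pth startup behaviour and the RECORD listing described above can both be checked for directly. The following Python is an added example, not code from the reports or from the LiteLLM project: it lists every .pth line that the interpreter would execute at startup and every .pth file a wheel's RECORD declares. The function names, the token heuristic and the sample files are assumptions constructed for illustration.

```python
import csv, io, os, tempfile

# Heuristic tokens that make an executable .pth line worth a closer look (an assumption).
SUSPICIOUS = ("exec(", "eval(", "base64", "subprocess", "compile(")

def scan_pth(site_dir):
    """Return (file, lineno, line, suspicious) for every line site.py would execute."""
    findings = []
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        with open(os.path.join(site_dir, name), encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                # site.py exec()s lines that begin with "import" + space or tab;
                # every other non-comment line is only appended to sys.path.
                if line.startswith(("import ", "import\t")):
                    hit = any(tok in line for tok in SUSPICIOUS)
                    findings.append((name, lineno, line.strip(), hit))
    return findings

def pth_in_record(record_text):
    """List .pth paths that a wheel's RECORD file says the package installed."""
    rows = csv.reader(io.StringIO(record_text))
    return [row[0] for row in rows if row and row[0].endswith(".pth")]

def demo():
    # Constructed sample data: one path-only .pth and one harmless executable .pth.
    # The files live in a temp directory, so the interpreter never loads them.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "paths_only.pth"), "w") as fh:
            fh.write("# comment\n/opt/example/lib\n")
        with open(os.path.join(d, "litellm_init.pth"), "w") as fh:
            fh.write("import base64; base64.b64decode('Y29uc3RydWN0ZWQ=')\n")
        findings = scan_pth(d)
    # Constructed RECORD excerpt; hashes are placeholders, not real values.
    record = ("litellm/__init__.py,sha256=PLACEHOLDER,123\n"
              "litellm_init.pth,sha256=PLACEHOLDER,456\n")
    return findings, pth_in_record(record)

if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

On a real host, point scan_pth at each directory returned by site.getsitepackages() and site.getusersitepackages(). Legitimate packages also ship executable .pth lines (editable installs, for example), so hits are leads to review, not verdicts.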