Multiple reports confirm a supply-chain attack targeting the popular Python AI library LiteLLM on PyPI, specifically versions 1.82.7 and 1.82.8 published March 24, 2026. The trojanized releases added a malicious .pth launcher (and other encoded payloads) that executes on every Python startup—without importing litellm—harvesting SSH keys, cloud and CI/CD credentials, kubeconfigs, env files, and crypto wallets. Researchers say data was encrypted and exfiltrated to models.litellm.cloud, with attempted Kubernetes lateral movement and persistence via backdoors and systemd user services. PyPI quarantined affected files, and users are urged to uninstall, purge caches, hunt for persistence, and rotate all secrets.
A malicious litellm_init.pth file was found in the litellm==1.82.8 PyPI wheel, creating a supply-chain credential stealer that runs on Python interpreter startup without importing litellm. Researchers disclosed that the .pth executes a double-base64 payload which collects host system data (environment variables, SSH keys, cloud credentials, Kubernetes secrets, Docker and package manager configs, shell history, crypto wallets, SSL keys, CI/CD files, database creds, webhook URLs, etc.), encrypts the haul with AES-256 and a hardcoded RSA public key, and exfiltrates it. The package’s own RECORD lists the malicious .pth, and reproduction steps were provided. This compromises developer and CI environments, posing severe risks to cloud accounts, source code, and operational secrets; maintainers and users should immediately revoke exposed credentials, audit systems, and remove the package.
Security researchers discovered that litellm PyPI releases 1.82.7 and 1.82.8 contain a malicious litellm_init.pth file that executes automatically when the Python interpreter starts, even without importing the package. The payload is a double base64–encoded credential stealer that harvests system info, environment variables, SSH keys, cloud credentials (AWS/GCP/Azure), Kubernetes secrets, Docker and package manager configs, shell history, crypto wallets, SSL private keys, CI/CD files, and other sensitive artifacts. It then encrypts the data with AES-256, wraps the session key with a hardcoded RSA public key, packages the results, and exfiltrates them to remote endpoints. This is a high-severity supply-chain compromise affecting any environment that installed the tainted wheels, posing major risks to developer, cloud, and CI/CD credentials.
PyPI packages litellm versions 1.82.7 and 1.82.8 were found to be maliciously modified; a user discovered a base64-encoded payload in proxy_server.py that writes, decodes and executes another file, causing runaway processes and heavy RAM use. The reporter observed forkbomb-like behavior while setting up a project and has filed an upstream report; the issue is also tracked in the project's GitHub issue tracker (BerriAI/litellm#24512). This is important because compromised open-source packages on PyPI can infect developer environments, CI systems, and downstream software, making supply-chain security and rapid removal/patching critical. Developers should avoid these versions and audit installations.
A malicious litellm PyPI release (v1.82.8, and later v1.82.7) published on March 24, 2026 contained a .pth launcher that runs on every Python startup and executed credential-stealing malware. The payload harvested SSH keys, cloud credentials, Kubernetes configs, env files, shell history and crypto wallets, encrypted the data and exfiltrated it to a suspicious domain (models.litellm.cloud), and attempted Kubernetes lateral movement by creating privileged pods that install a persistent backdoor (/root/.config/sysmon/sysmon.py) and systemd user services. The package was uploaded directly to PyPI without corresponding GitHub releases; the maintainer’s GitHub appears compromised and public issue discussion was closed. Users should check for the affected versions, remove the package, purge caches, audit for persistence, and rotate all credentials. The incident has been reported to PyPI and maintainers.
PyPI packages litellm versions 1.82.7 and 1.82.8 have been compromised in a supply-chain attack: malicious actors pushed trojanized releases that can exfiltrate credentials and run arbitrary code. The incident was reported by the project maintainer and analyzed by FutureNet/FutureSearch security researchers, who warn thousands of users may be affected and advise not to update or to roll back to safe versions. This matters because litellm is a Python library used in AI/ML and tooling; compromised dependencies can infect developer environments, CI/CD pipelines, and cloud credentials, amplifying risk across projects and organizations. Developers should audit systems, rotate secrets, and follow PyPI security guidance.
PyPI package LiteLLM v1.82.8 was compromised with a malicious litellm_init.pth file that contained a base64-encoded credential stealer; merely installing the package triggered exfiltration without importing litellm. The attacker harvested a wide range of secrets from affected systems — SSH keys, Git configs, cloud credentials (AWS, Azure), container and package manager tokens, Kubernetes configs, Vault tokens, and many local history and crypto wallet files. PyPI quarantined the package within hours, limiting the exposure window, but users who installed that specific version during the brief window are at risk and should rotate credentials and inspect systems. The incident underscores supply-chain risks in Python ecosystems and the need for improved vetting and developer hygiene.
The Python package litellm on PyPI was distributed with a malicious file (litellm_init.pth) in version 1.82.8 that executes a credential-stealing payload whenever any Python interpreter starts, even without importing the package. Security researchers found the .pth file launches a double-base64-encoded script that harvests system and cloud credentials (SSH keys, AWS/GCP/Azure creds, Kubernetes secrets, CI/CD files, shell histories, crypto wallets, Docker and package manager configs, etc.), encrypts the data with AES-256 and a hardcoded RSA key, then exfiltrates it. The compromised wheel lists the .pth in its RECORD, confirming a supply-chain compromise via PyPI. This is a critical threat to developers, CI systems, cloud environments and any systems running Python that install packages from PyPI.
The LiteLLM Python package on PyPI was reportedly compromised in a supply-chain attack, with evidence pointing to a compromised maintainer account (founder/CTO) on GitHub. Users on Hacker News linked malicious PyPI package details and noted the attacker or group 'teampcp' taking credit in recent commits, echoing tactics from a prior Trivy compromise. The incident included mass low-quality spam comments in the project's issue/discussion threads, suggesting attempts to obscure or stifle discussion. This matters because compromised ML/AI libraries can distribute malicious code to downstream developers and organizations, undermining trust in open-source dependencies and highlighting gaps in repository and package-mirror security. Investigations and remediation are needed to protect users.
Researchers discovered a supply-chain compromise in the litellm PyPI package: litellm==1.82.8 includes a malicious litellm_init.pth file that auto-runs whenever the Python interpreter starts, without needing import litellm. The .pth launches a double-base64-encoded payload that harvests system and cloud credentials (SSH keys, AWS/GCP/Azure credentials, Kubernetes secrets, Docker and package manager configs, shell history, crypto wallets, CI/CD and database secrets), encrypts the data with AES-256 and a hardcoded RSA public key, and exfiltrates the archive. The malicious file is listed in the package RECORD, confirming the supply-chain compromise. This incident highlights the severe risk of PyPI package tampering to developer environments, CI systems, and cloud infrastructure security.
A malicious litellm PyPI release (versions 1.82.8 and 1.82.7) published March 24, 2026 contains a litellm_init.pth that auto-executes on Python startup. The payload harvests SSH keys, cloud credentials, .env files, kubeconfigs, and other secrets, encrypts them with a hardcoded RSA key, and exfiltrates them to models.litellm.cloud. It also attempts lateral movement and persistence: reading Kubernetes secrets, creating privileged alpine pods that mount host filesystems, and installing a systemd user backdoor at ~/.config/sysmon/sysmon.py. The malicious package was uploaded directly to PyPI without a GitHub release. Affected users should check for the package, purge caches, search for persistence artifacts, rotate all credentials, and audit Kubernetes clusters. The incident is reported to PyPI and the litellm maintainers.
PyPI packages litellm versions 1.82.7 and 1.82.8 have been compromised in a supply-chain attack; users are warned not to update. The incident was first disclosed by the Litellm team and covered in a blog post by FutureSearch.ai, which details indicators of compromise and the scope—potentially thousands of affected users. Malicious packages on PyPI can execute arbitrary code during install or runtime, posing risks to developer environments, CI systems, and production deployments. The compromise highlights ongoing risks in open-source package ecosystems and the importance of supply-chain protections such as package signing, dependency auditing, and pinned versions. Developers and DevOps teams should audit installs, revert to known-good versions, and follow incident guidance from Litellm and PyPI.
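The checks these reports call for (affected versions, the litellm_init.pth launcher, the .pth entry in RECORD, and the sysmon.py persistence file) can be scripted. The following is an added example, not code from any of the reports or from the litellm project; the function names are hypothetical, and the flag on other .pth files relies on the standard behaviour that Python's site module executes .pth lines beginning with "import".

```python
import site
import sys
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}          # versions named on this page
PTH_NAME = "litellm_init.pth"                # launcher file named on this page
BACKDOOR = Path(".config/sysmon/sysmon.py")  # persistence path named on this page


def executable_pth_lines(pth: Path) -> list[str]:
    """Lines that site.py would exec() at startup (they start with 'import')."""
    text = pth.read_text(errors="replace")
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def audit(site_dir: Path, home: Path) -> list[str]:
    """Return findings for one site-packages directory and one home directory."""
    findings = []
    for info in sorted(site_dir.glob("litellm-*.dist-info")):
        version = info.name[len("litellm-"):-len(".dist-info")]
        if version in BAD_VERSIONS:
            findings.append(f"affected version installed: litellm {version}")
        record = info / "RECORD"
        if record.is_file() and any(
            row.split(",")[0].endswith(".pth")
            for row in record.read_text(errors="replace").splitlines()
        ):
            findings.append(f"RECORD of {info.name} lists a .pth file")
    for pth in sorted(site_dir.glob("*.pth")):
        if pth.name == PTH_NAME:
            findings.append(f"known launcher present: {pth.name}")
            continue
        lines = executable_pth_lines(pth)
        if lines:
            # Editable installs and coverage tools also do this: review by hand.
            findings.append(f"{pth.name} runs code at startup: {lines[0][:60]}")
    if (home / BACKDOOR).exists():
        findings.append(f"persistence artifact present: ~/{BACKDOOR.as_posix()}")
    return findings


if __name__ == "__main__":
    # Directories given on the command line, else this interpreter's own.
    dirs = sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]
    results = [f for d in dirs if Path(d).is_dir() for f in audit(Path(d), Path.home())]
    print("\n".join(results) or "no indicators found")
    sys.exit(1 if results else 0)
```

Start it with `python -S`, which skips .pth processing in the interpreter doing the audit, and pass the suspect site-packages path as an argument. A clean result does not remove the need to rotate credentials on a host that ever had the affected versions installed.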