LiteLLM Compromised: Credential Stealer in PyPI Package
LiteLLM versions 1.82.7 and 1.82.8 contain a credential-stealing payload that exfiltrates SSH keys, cloud credentials, and crypto wallets to a lookalike domain. The package has 97 million monthly downloads.

LiteLLM - the Python package that routes API calls to 100+ LLM providers and serves as the gateway for thousands of AI applications - has been compromised. Versions 1.82.7 and 1.82.8 on PyPI contain a credential-stealing payload that harvests SSH keys, cloud credentials, Kubernetes configs, crypto wallets, and API keys, encrypts them, and exfiltrates them to a lookalike domain controlled by the attackers.
The package receives approximately 97 million downloads per month. Just installing the compromised version is enough to trigger the malware. No import statement required.
If you have litellm 1.82.7 or 1.82.8 installed anywhere, stop reading and rotate your credentials now.
The Payload
The attack uses two delivery mechanisms across the two compromised versions:
- Version 1.82.7 - Obfuscated payload embedded in `proxy/proxy_server.py`. Triggered on import.
- Version 1.82.8 - A .pth file named `litellm_init.pth` (34,628 bytes) embedded in the wheel package. Python's site module automatically executes .pth files during interpreter initialization - meaning the malware runs the moment the package is installed, before any code imports it.
The payload uses double base64 encoding for obfuscation:
```python
import os, subprocess, sys
subprocess.Popen([
    sys.executable, "-c",
    "import base64; exec(base64.b64decode('...'))"
])
```
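The .pth mechanism can be audited directly: the site module executes any .pth line that begins with `import`, and treats other lines as path entries. The following is an added example, not code from the original report or from the LiteLLM project; it lists those executable lines in each site-packages directory and flags loader-style content. The function names, the token list and the sample files are assumptions made for illustration.

```python
import os
import re
import site
import tempfile

# Heuristic token list (an assumption): none of these belong in a path file.
SUSPICIOUS = re.compile(r"\b(exec|eval|base64|b64decode|subprocess|socket|urllib)\b")


def audit_pth(path):
    """Return (lineno, text, suspicious) for each line the site module would exec."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            # site executes lines that start with "import " or "import\t";
            # any other non-comment line is only appended to sys.path.
            if line.startswith(("import ", "import\t")):
                findings.append((lineno, line.strip()[:120], bool(SUSPICIOUS.search(line))))
    return findings


def scan_site_dirs(dirs):
    """Map each .pth file in dirs to its executable lines; files with none are omitted."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                hits = audit_pth(os.path.join(d, name))
                if hits:
                    report[os.path.join(d, name)] = hits
    return report


def demo():
    """Scan a constructed directory holding one plain and one loader-style .pth file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "plain.pth"), "w") as fh:
        fh.write("# path entry only\n../src\n")
    with open(os.path.join(d, "loader_sample.pth"), "w") as fh:  # inert sample
        fh.write("import subprocess, sys; subprocess.Popen([sys.executable, '-c', 'pass'])\n")
    return scan_site_dirs([d])


if __name__ == "__main__":
    live = site.getsitepackages() + [site.getusersitepackages()]
    for path, hits in scan_site_dirs(live).items():
        for lineno, text, bad in hits:
            print("SUSPICIOUS" if bad else "executes", path, lineno, text)
```

Some legitimate packages also ship .pth files with `import` lines, so an "executes" result is a prompt to read the line, not a verdict.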
Stage 1: Credential Harvesting
The decoded payload methodically harvests:
- SSH keys and configuration (`~/.ssh/`)
- AWS credentials (`~/.aws/credentials`, `~/.aws/config`)
- GCP credentials (service account keys, application default credentials)
- Azure credentials (CLI tokens, service principal configs)
- Kubernetes configs (`~/.kube/config`)
- Git credentials (`.gitconfig`, credential stores)
- Docker configs (`~/.docker/config.json`)
- Shell history (`.bash_history`, `.zsh_history`)
- Cryptocurrency wallet data (seed phrases, wallet files)
- SSL/TLS private keys
- CI/CD pipeline secrets
- LLM provider API keys (the exact credentials LiteLLM is configured to manage)
The last item is the cruelest irony: LiteLLM is an API key management gateway. The attacker targeted the one package that, by definition, has access to every LLM API key in the organization.
Stage 2: Encryption and Exfiltration
The harvested data is:
- Compressed into `tpcp.tar.gz`
- Encrypted with AES-256-CBC using PBKDF2 key derivation
- The session key encrypted with a hardcoded 4096-bit RSA public key
- Uploaded to `https://models.litellm.cloud/` - a lookalike domain mimicking the legitimate `litellm.ai`
The "tpcp" prefix in the archive filename and the domain choice are not random. The threat actor behind this is tracked as TeamPCP - the same group responsible for the Trivy supply chain compromise on March 19 and later attacks on Checkmarx and KICS GitHub Actions.
How It Happened
The attack was an account takeover. TeamPCP compromised the maintainer's credentials - either the PyPI publishing token or the GitHub account used for CI/CD releases. The compromised versions were uploaded directly to PyPI as legitimate releases.
Evidence of the account takeover: BerriAI's public GitHub repositories were defaced with "TeamPCP owns BerriAI" messages, and the GitHub issue reporting the vulnerability (#24512) was initially closed as "not planned" - likely by the attacker using the compromised account, not by the legitimate maintainers.
Discovery
User isfinne reported the vulnerability on GitHub issue #24512 after discovering the malicious .pth file in a Docker container running Ubuntu 24.04 with Python 3.13.
Developer dot_treo independently discovered the compromise when their "laptop ran out of RAM" and appeared to be running a forkbomb - the malware's process spawning had consumed all available memory.
Developer hnykda confirmed the impact: "we have been pwned by this... thousands of people are likely getting pwned right now."
User treo identified that version 1.82.7 was also compromised, with the payload embedded in proxy_server.py rather than a .pth file.
The Blast Radius
| Metric | Scale |
|---|---|
| Monthly PyPI downloads | ~97 million |
| Weekly downloads | ~22 million |
| Daily downloads | ~3.6 million |
| Known dependent projects | DSPy, CrewAI, MLflow, LangChain integrations |
| Compromised versions on PyPI | 1.82.7, 1.82.8 (now removed) |
| Credential types harvested | 12+ categories |
| Exfiltration encryption | AES-256-CBC + RSA-4096 |
The entire litellm package has been pulled from PyPI. Not just the compromised versions - the entire package. MLflow has pinned litellm to <=1.82.6 as an emergency mitigation.
What To Do Now
If you had litellm 1.82.7 or 1.82.8 installed on any system:
- Check right away: `pip show litellm | grep Version`
- Search for the .pth file: `find / -name "litellm_init.pth" 2>/dev/null`
- Rotate ALL credentials on any system that had the compromised version - SSH keys, cloud provider credentials, API keys, database passwords, Kubernetes configs
- Audit outbound connections to `models.litellm.cloud` in your network logs
- Downgrade to 1.82.6 or pin to a known-safe version
- Check CI/CD pipelines - any pipeline that installed litellm in the last 48 hours may have exposed secrets
- Review Docker images - any image built with `pip install litellm` without a version pin pulled the latest compromised version
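The checks above can be run offline against a directory tree, such as a virtualenv or an unpacked image layer, where `pip show` is not available. This is an added example, not tooling from the original report or the LiteLLM project. It assumes wheel installs, which leave a `litellm-<version>.dist-info` directory; the function names, directory layout and log lines are constructed for illustration.

```python
import os
import re
import sys
import tempfile

BAD_VERSIONS = {"1.82.7", "1.82.8"}      # versions named in this article
PTH_NAME = "litellm_init.pth"            # file name given in this article
EXFIL_HOST = "models.litellm.cloud"      # exfiltration host given in this article
DIST_INFO = re.compile(r"^litellm-([^-]+)\.dist-info$", re.IGNORECASE)


def find_installs(root):
    """Walk root and return (path, version_or_'pth', flagged) for every litellm trace."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            m = DIST_INFO.match(d)
            if m:
                hits.append((os.path.join(dirpath, d), m.group(1), m.group(1) in BAD_VERSIONS))
        if PTH_NAME in filenames:
            hits.append((os.path.join(dirpath, PTH_NAME), "pth", True))
    return sorted(hits)


def exfil_lines(log_lines):
    """Return the log lines that mention the exfiltration host, case-insensitively."""
    return [ln for ln in log_lines if EXFIL_HOST in ln.lower()]


def demo():
    """Constructed tree (one clean, one compromised env) and constructed proxy log lines."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "env_a", "site-packages")
    bad = os.path.join(root, "env_b", "site-packages")
    os.makedirs(os.path.join(clean, "litellm-1.82.6.dist-info"))
    os.makedirs(os.path.join(bad, "litellm-1.82.8.dist-info"))
    open(os.path.join(bad, PTH_NAME), "w").close()   # empty placeholder file
    logs = [
        "2026-03-24T10:01:02Z CONNECT litellm.ai:443 200",
        "2026-03-24T10:01:07Z CONNECT models.litellm.cloud:443 200",
    ]
    return find_installs(root), exfil_lines(logs)


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # usage: script.py <root to scan>
        for hit in find_installs(sys.argv[1]):
            print(hit)
    else:
        print(demo())
```

A flagged hit on any host or image means the credentials reachable from that environment go on the rotation list, whether or not the exfiltration host appears in the logs you retained.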
The Bigger Picture
This is the third major supply chain attack by TeamPCP in March 2026:
- March 19: Trivy (Aqua Security's vulnerability scanner) compromised, 44 repositories defaced
- March 21: Checkmarx and KICS GitHub Actions compromised
- March 24: LiteLLM compromised via maintainer account takeover
The progression is deliberate: security tools first (Trivy, Checkmarx), then AI infrastructure (LiteLLM). TeamPCP is targeting the tools that organizations trust implicitly - vulnerability scanners and API gateways - because those tools have the broadest access to credentials and infrastructure.
The GitHub malware campaign we reported on used LLM-created READMEs to distribute malware through fake repositories. This attack is more surgical: compromise one legitimate package that is downloaded 97 million times a month, and harvest credentials from every system it touches.
A credential stealer shipped in the Python package that manages API keys for 100+ LLM providers. The package is downloaded 97 million times a month. The malware runs on install - no import needed. It harvests every secret it can find, encrypts them with AES-256-CBC under an RSA-4096-wrapped session key, and sends them to a domain designed to look like the legitimate service. The attacker is TeamPCP, the same group that compromised Trivy and Checkmarx this month. If your organization uses LiteLLM, assume your credentials are compromised and rotate everything. This isn't a drill.
Sources:
- LiteLLM Supply Chain Compromise - GitHub Issue #24512
- Tell HN: LiteLLM 1.82.7 and 1.82.8 on PyPI Are Compromised
- LiteLLM Python Package Compromised by Supply-Chain Attack - HN
- LiteLLM PyPI Download Statistics - PyPI Stats
- Trivy Hack Spreads Infostealer via Docker - The Hacker News
- TeamPCP Hacks Checkmarx GitHub Actions - The Hacker News
- 44 Aqua Security Repositories Defaced After Trivy Breach - Security Affairs
