“Anyone who has installed and run the project should assume any credentials available to [the] LiteLLM environment may have been exposed, and revoke/rotate them accordingly,” warned the Python Packaging Authority (PyPA) following a significant supply chain attack on LiteLLM.
Versions 1.82.7 and 1.82.8 of LiteLLM were removed from the Python Package Index (PyPI) after it was discovered that malicious code had been injected via Trivy in the CI/CD pipeline. The compromised versions were published on March 24, 2026, at approximately 8:30 UTC, and PyPI quarantined the malicious packages just under three hours later, at 11:25 UTC.
The attack, which began in late February 2026, involved embedding credential-stealing code in the file litellm_init.pth. The malware targets environment variables, SSH keys, cloud credentials, and more, and exfiltrates the harvested data to domains controlled by the attackers.
TeamPCP, the threat actor behind this attack, has a history of compromising various ecosystems, including GitHub Actions and Docker Hub. They have openly mocked the security of companies whose purpose is to protect supply chains, stating, “These companies were built to protect your supply chains yet they can’t even protect their own, the state of modern security research is a joke.”
Gal Nagli, a security expert, commented on the broader implications, stating, “The open source supply chain is collapsing in on itself.” This attack is part of a coordinated campaign targeting security tools and open-source infrastructure, raising alarms across the tech community.
Users are urgently advised to audit their environments for the compromised LiteLLM versions and to revoke any exposed credentials. The Python Packaging Authority has also issued a security advisory regarding the compromise, emphasizing the need for immediate action.
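One way to run that audit on a single interpreter, as an added example that is not code from PyPA or the LiteLLM project: it checks each directory on sys.path for installed LiteLLM metadata at the two removed versions and for a leftover litellm_init.pth. It assumes the .pth file sits at the top level of a site-packages directory, which is where Python's site module processes such files at startup.

```python
"""Audit a Python environment for the LiteLLM releases named in this article."""
import sys
from email.parser import HeaderParser
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # releases removed from PyPI, per the article
PTH_NAME = "litellm_init.pth"        # file the article says carried the stealer


def audit_dir(site_dir):
    """Return (kind, detail) findings for one site-packages style directory."""
    site_dir = Path(site_dir)
    findings = []
    # Assumption: the file lives directly in site-packages. A leftover .pth
    # still runs at interpreter startup even after the package is upgraded.
    pth = site_dir / PTH_NAME
    if pth.is_file():
        findings.append(("pth-file", str(pth)))
    # Read the installed-package metadata rather than trusting directory names.
    for meta in site_dir.glob("*.dist-info/METADATA"):
        text = meta.read_text(encoding="utf-8", errors="replace")
        headers = HeaderParser().parsestr(text)
        name = (headers.get("Name") or "").strip().lower()
        version = (headers.get("Version") or "").strip()
        if name == "litellm" and version in BAD_VERSIONS:
            findings.append(("bad-version", f"litellm {version} in {site_dir}"))
    return findings


def audit(paths=None):
    """Audit the given directories, or every directory on sys.path."""
    roots = paths if paths is not None else [p for p in sys.path if p]
    results = []
    for root in roots:
        if Path(root).is_dir():
            results.extend(audit_dir(root))
    return results


if __name__ == "__main__":
    hits = audit()
    for kind, detail in hits:
        print(f"[!] {kind}: {detail}")
    if not hits:
        print("No affected LiteLLM release or litellm_init.pth found here.")
    sys.exit(1 if hits else 0)
```

Run it with each interpreter, virtual environment and container image that could have installed LiteLLM, since it only inspects the environment it runs in. A clean result does not remove the need to rotate credentials on any host where the affected versions ever ran.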
As the situation develops, Endor Labs has indicated that “This campaign is almost certainly not over.” The ongoing threat highlights the vulnerabilities within the open-source ecosystem, necessitating heightened vigilance from developers and organizations alike.