“Anyone who has installed and run the project should assume any credentials available to [the] LiteLLM environment may have been exposed, and revoke/rotate them accordingly,” warned the Python Packaging Authority (PyPA) following a serious supply chain attack on LiteLLM.
The attack, which began in late February 2026, saw malicious code injected into LiteLLM versions 1.82.7 and 1.82.8 via Trivy in the CI/CD pipeline. This code was embedded in the file litellm_init.pth and was designed to harvest sensitive information such as environment variables, SSH keys, and cloud credentials.
On March 24, 2026, at approximately 8:30 UTC, the compromised versions were published on the Python Package Index (PyPI). Just under three hours later, at 11:25 UTC, PyPI quarantined the malicious packages after identifying the threat.
TeamPCP, the threat actor behind this attack, has a history of compromising various ecosystems, including GitHub Actions and Docker Hub. Their recent statement reflects a troubling trend in security, asserting, “These companies were built to protect your supply chains yet they can’t even protect their own, the state of modern security research is a joke, as a result we’re gonna be around for a long time stealing terrabytes [sic] of trade secrets with our new partners.”
The attack is part of a broader coordinated campaign targeting security tools and open source infrastructure, raising alarms in the cybersecurity community. “The open source supply chain is collapsing in on itself,” noted Gal Nagli, highlighting the vulnerabilities that have emerged.
As a result of this incident, users are urged to audit their environments for the compromised LiteLLM versions and take immediate action to revoke any exposed credentials. The Python Packaging Authority has also issued a security advisory to inform users of the risks.
According to estimates, approximately 36% of cloud environments utilize LiteLLM, making the potential impact of this attack significant. Security experts warn that the campaign is likely not over, with Endor Labs stating, “This campaign is almost certainly not over.”
As investigations continue, the full extent of the damage remains to be seen. Users are advised to remain vigilant and proactive in securing their environments against further threats.
