BotBeat

Policy & Regulation | LiteLLM | 2026-04-02

Critical Supply Chain Attack: LiteLLM PyPI Compromise Exposes Millions of Developers

Key Takeaways

  • LiteLLM versions 1.82.7 and 1.82.8 contain backdoored code; version 1.82.6 is the last known safe release
  • The attack chain originated from the Trivy security scanner compromise, highlighting the interconnected vulnerabilities in modern CI/CD ecosystems
  • The malicious payload uses a three-stage attack: credential harvesting, lateral movement, and persistent backdoor installation via systemd and .pth files

Source: Hacker News, https://cycode.com/blog/lite-llm-supply-chain-attack/

Summary

On March 24, 2026, threat actors compromised the PyPI publishing credentials for LiteLLM, a widely used open-source library with 95 million monthly downloads that routes requests across multiple LLM providers. The attackers, identified as "TeamPCP," published two backdoored versions (1.82.7 and 1.82.8) containing malicious code designed to harvest credentials, attempt lateral movement across Kubernetes clusters, and install persistent systemd backdoors. The compromise originated from an earlier breach of the Trivy security scanner, which was integrated into LiteLLM's CI/CD pipeline and, once compromised, exfiltrated the project's PyPI publishing tokens.

The malicious payload operated in three stages: first harvesting credentials for AI providers (OpenAI, Anthropic, Azure) and cloud services; second attempting lateral movement across infrastructure; and third establishing persistence through a systemd backdoor that polls for additional payloads. The attack was detected within hours when a security researcher's machine crashed due to a "fork bomb" side effect, prompting PyPI administrators to quarantine the entire package and remove malicious versions by 1:38 PM the same day. This incident marks a significant escalation in supply chain attacks, shifting from CI/CD pipeline compromise to downstream delivery of poisoned libraries reaching millions of end users and production environments.

  • With 95 million monthly downloads, the blast radius potentially affects millions of developers and production AI systems
  • Organizations must immediately audit development and production environments for the compromised versions and review exfiltrated credentials
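As an added example (not code from the article, the Cycode write-up or the LiteLLM project), a small Python triage helper for the audit step above: it classifies pinned litellm versions found in pip freeze or requirements output against the versions the article names, and lists the .pth files in site-packages whose lines execute at interpreter start so they can be reviewed. All function and constant names are mine; the sample pip freeze text in the usage is constructed.

```python
import re
import site
from pathlib import Path

# Versions named in the article; 1.82.6 is the last known safe release.
COMPROMISED_VERSIONS = {"1.82.7", "1.82.8"}
LAST_SAFE_VERSION = "1.82.6"

def parse_version(version):
    """'1.82.7' -> (1, 82, 7), so releases compare numerically (1.82.10 > 1.82.9)."""
    return tuple(int(part) for part in version.split("."))

def classify_version(version):
    """'compromised' for a backdoored release, 'pre-compromise' for 1.82.6 or
    older, 'post-advisory' for anything newer (check current vendor guidance)."""
    if version in COMPROMISED_VERSIONS:
        return "compromised"
    if parse_version(version) <= parse_version(LAST_SAFE_VERSION):
        return "pre-compromise"
    return "post-advisory"

# Matches 'litellm==1.82.7' or 'litellm[proxy]==1.82.7' from pip freeze / requirements.
PIN_RE = re.compile(r"^\s*litellm(?:\[[^\]]*\])?\s*==\s*([0-9]+(?:\.[0-9]+)*)", re.IGNORECASE)

def audit_requirements(text):
    """Return [(version, verdict)] for every pinned litellm line in the text."""
    hits = []
    for line in text.splitlines():
        match = PIN_RE.match(line)
        if match:
            hits.append((match.group(1), classify_version(match.group(1))))
    return hits

def pth_exec_lines(text):
    """A .pth line starting with 'import' is executed by site.py at interpreter
    start-up; return those lines so an analyst can review what they run."""
    return [line.rstrip() for line in text.splitlines() if line.startswith(("import ", "import\t"))]

def scan_site_packages(dirs=None):
    """Map each .pth file under the given site-packages dirs (default: this
    interpreter's) to its executable lines; an empty list means plain path entries."""
    if dirs is None:
        # getsitepackages() is missing in some older virtualenv builds; degrade gracefully.
        dirs = getattr(site, "getsitepackages", lambda: [])() + [site.getusersitepackages()]
    report = {}
    for directory in dirs:
        for pth in Path(directory).glob("*.pth"):
            report[str(pth)] = pth_exec_lines(pth.read_text(errors="replace"))
    return report
```

Feed `audit_requirements` the output of `pip freeze` from each environment (or each lock file) and treat any "compromised" hit as a host whose credentials should be rotated; a .pth file with executable lines is not proof of compromise on its own, since editable installs and some packaging tools legitimately use them, so compare each one against the package that owns it.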

Editorial Opinion

This incident represents a concerning evolution in supply chain attacks, demonstrating how breaches can cascade from security tools themselves to the libraries they're meant to protect. The shift from attacking the build process to poisoning libraries delivered to end users represents a new threat vector that the AI and open-source communities must take seriously. The rapid detection and response by PyPI was commendable, but the incident underscores the urgent need for better transparency in dependency chains and enhanced security practices for open-source maintainers managing critical infrastructure libraries.

Tags: MLOps & Infrastructure, Cybersecurity, AI Safety & Alignment, Open Source
