Critical Supply Chain Attack: Malicious litellm Package Uploaded to PyPI with Credential-Stealing Malware
Key Takeaways
- ▸litellm versions 1.82.7 and 1.82.8 contain malicious .pth files that execute automatically on Python startup, executing credential theft and lateral movement malware
- ▸The three-stage attack harvests SSH keys, cloud credentials, Kubernetes configs, wallet files, and other secrets; exfiltrates them to a malicious command-and-control server; and attempts to establish persistent backdoors
- ▸The compromised packages bypassed normal GitHub release procedures and were uploaded directly to PyPI, suggesting possible account compromise or supply chain manipulation
Summary
A sophisticated supply chain attack compromised litellm versions 1.82.7 and 1.82.8 on PyPI on March 24, 2026. The malicious packages contain a .pth file that executes automatically on Python startup, deploying a three-stage malware payload that harvests sensitive credentials including SSH keys, cloud provider tokens, Kubernetes configs, and crypto wallets from infected systems. The attack also attempts lateral movement and persistence by creating backdoors in both local environments and Kubernetes clusters.
The malware operates through three distinct stages: collection of sensitive files and environment variables, exfiltration of encrypted data to a command-and-control server at models.litellm.cloud, and persistent backdoor installation on local machines and Kubernetes nodes. Security researchers discovered the compromised package when it was pulled as a transitive dependency, revealing a fork bomb bug in the malware's code. The packages appear to have been uploaded directly to PyPI bypassing normal GitHub release procedures, and the litellm maintainer's GitHub issue discussing the attack was subsequently closed and spammed with bot comments.
Affected users are advised to immediately check for and remove litellm versions 1.82.8 (and 1.82.7), purge package manager caches, check for persistence mechanisms, and rotate all potentially compromised credentials including cloud provider access keys, SSH keys, and database passwords. The incident has been reported to PyPI and the litellm development team.
- All users who installed or updated litellm after March 24, 2026 should immediately remove affected versions, purge caches, check for persistence mechanisms, and rotate all credentials
Editorial Opinion
This incident represents a critical failure in PyPI's package verification and supply chain security processes. The ability to upload malicious packages directly to PyPI that bypass GitHub's release mechanisms highlights dangerous gaps in open-source software distribution infrastructure. Organizations must immediately reassess their dependency management practices and implement stronger verification procedures, while the Python ecosystem urgently needs enhanced security controls such as mandatory code signing, package provenance verification, and automated malware scanning on PyPI.
