Critical Supply Chain Attack: Malicious LiteLLM Versions 1.82.7 and 1.82.8 Steal Credentials and Install Backdoors
Key Takeaways
- LiteLLM versions 1.82.7 and 1.82.8 contain malicious payloads that exfiltrate credentials, SSH keys, cloud secrets, and cryptocurrency wallets to attacker-controlled infrastructure
- Version 1.82.8 is particularly dangerous because its .pth file executes on Python interpreter startup without requiring any module import
- The attack originated from a compromised Trivy security scanner binary installed from an apt repository without version pinning, highlighting critical supply chain vulnerabilities in CI/CD pipelines
Summary
Two compromised versions of the popular Python library LiteLLM were published to PyPI on March 24, 2026, containing sophisticated malware designed to steal sensitive credentials and establish persistent backdoors. Version 1.82.7 embeds credential-stealing payloads in the proxy module, while version 1.82.8 escalates the attack by adding a malicious .pth file that executes automatically when Python starts, requiring no import trigger. Both variants exfiltrate SSH keys, cloud provider credentials (AWS, GCP, Azure), Kubernetes secrets, cryptocurrency wallet files, and environment variables to attacker-controlled servers.
The compromise appears to stem from a downstream supply chain attack originating from a poisoned Trivy security scanner binary. LiteLLM's CI/CD pipeline installed Trivy from the apt repository without version pinning, allowing the malicious binary to execute with full CI runner privileges and steal PyPI publishing credentials. The attacker then used these stolen credentials to publish the malicious versions directly to PyPI, bypassing normal security checks. On Kubernetes clusters, the malware creates privileged pods across all nodes for lateral movement, while on all systems it installs a persistent systemd service that polls a command-and-control server for arbitrary binary execution.
- The malware establishes multiple persistence mechanisms including systemd services, Kubernetes privileged pods, and C2 polling capabilities for arbitrary code execution
- Neither compromised version corresponds to official GitHub releases, indicating direct PyPI credential compromise rather than source repository access
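The following check is an added example, not code from the LiteLLM project or the original report. It audits a site-packages directory for the two affected releases and for `.pth` lines that Python's `site` module executes at startup (lines beginning with `import` followed by a space or tab); the function names are hypothetical.

```python
"""Audit a site-packages directory for the two LiteLLM releases named above
and for .pth lines that Python executes at interpreter startup."""
import site
import sys
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # the versions named in this article


def executable_pth_lines(text):
    """Return the lines site.py would exec(): those starting with 'import'
    followed by a space or tab. Other lines are only appended to sys.path."""
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def bad_litellm_versions(site_dir):
    """Find litellm-<version>.dist-info directories for the affected releases."""
    hits = []
    for info in Path(site_dir).glob("litellm-*.dist-info"):
        version = info.name[len("litellm-"):-len(".dist-info")]
        if version in BAD_VERSIONS:
            hits.append(version)
    return sorted(hits)


def audit(site_dir):
    """Return (affected_versions, {pth_filename: [executable lines]})."""
    pth_hits = {}
    for pth in sorted(Path(site_dir).glob("*.pth")):
        lines = executable_pth_lines(pth.read_text(errors="replace"))
        if lines:
            pth_hits[pth.name] = lines
    return bad_litellm_versions(site_dir), pth_hits


if __name__ == "__main__":
    dirs = sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]
    for d in dirs:
        if not Path(d).is_dir():
            continue
        versions, pth_hits = audit(d)
        for v in versions:
            print(f"[!] {d}: litellm {v} installed (affected release)")
        for name, lines in pth_hits.items():
            for ln in lines:
                print(f"[?] {d}/{name}: runs at startup: {ln[:100]}")
```

Some legitimate packages and editable installs also ship `.pth` files with `import` lines, so `[?]` results need manual review rather than automatic removal.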
Editorial Opinion
This incident represents a particularly dangerous evolution in software supply chain attacks, demonstrating how a seemingly minor security tool dependency can become an attack vector with devastating consequences. The fact that unversioned package management in CI/CD pipelines enabled full system compromise should serve as a wake-up call for the entire AI developer community—LiteLLM's widespread adoption across 100+ LLM integrations means this malware potentially affected thousands of organizations and applications. This breach underscores why AI development teams must implement strict supply chain security practices, including dependency pinning, signed releases, and software composition analysis, especially when handling credentials with production access.



