LiteLLM Supply Chain Attack: What Happened, Who’s Affected, and What You Should Do Right Now

2026-03-24 · Source: Comet · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Intermediate, medium

Summary

On March 24, 2026, the Python package litellm, a critical dependency for numerous AI agent frameworks with 95 million monthly downloads, was subjected to a supply chain attack. An attacker compromised the maintainer's PyPI credentials and published two malicious versions, 1.82.7 and 1.82.8. Version 1.82.7 contained a payload in `litellm/proxy/proxy_server.py`, while version 1.82.8 utilized a `.pth` file (`litellm_init.pth`) for automatic execution upon any Python interpreter startup. The malicious code, double base64-encoded, harvested a wide array of credentials including environment variables, cloud keys (AWS, GCP, Azure), SSH keys, Kubernetes configs, Git credentials, Docker configs, database credentials, CI/CD secrets, and shell histories. This data was encrypted with AES-256-CBC and exfiltrated to `models.litellm.cloud`, a domain registered shortly before the attack. The exposure window lasted approximately four hours, primarily impacting CI/CD pipelines and any environments that installed or upgraded litellm or its direct dependencies like CrewAI or DSPy during this period.

Key takeaway

For AI Engineers and ML teams managing Python environments, immediately check all your virtual environments and CI/CD pipelines for litellm versions 1.82.7 or 1.82.8. If affected, stop using the environment, delete and recreate it, and rotate all credentials present on the machine. Implement strict dependency pinning (e.g., `litellm==1.82.6`) and use lockfiles to prevent similar supply chain vulnerabilities from impacting your stack.

Key insights

A litellm supply chain attack compromised PyPI, exfiltrating credentials via malicious package versions.

Principles

• `.pth` files enable automatic Python payload execution.
• CI/CD pipelines are high-risk targets for credential theft.
• Lockfiles and exact version pinning enhance supply chain security.

Method

The attack involved compromising PyPI credentials, publishing malicious package versions (1.82.7, 1.82.8), embedding payloads in `proxy_server.py` or using `.pth` files for auto-execution, and exfiltrating encrypted credentials to an attacker-controlled domain.

In practice

• Scan all Python environments for litellm versions 1.82.7 or 1.82.8.
• Use `poetry.lock` or `uv.lock` for dependency management.
• Pin GitHub Actions to SHAs, not tags.

Topics

• Supply Chain Attack
• Python Package Security
• Credential Harvesting
• AI Agent Frameworks
• CI/CD Security

Code references

• BerriAI/litellm

Best for: AI Engineer, Machine Learning Engineer, AI Security Engineer

Related on AIssential

• How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM — Compromised CI/CD tools can enable supply chain attacks by exfiltrating publisher credentials to inject malicious code into legitimate packages.
• PyPI supply chain attack impacts data/ML pipelines (elementary-data) — A GitHub Actions flaw led to a PyPI supply chain attack using a ".pth" file for stealthy code execution.
• GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK — Chained supply chain and AI agent vulnerabilities are actively exploited, bypassing traditional security measures.
• Delve did the security compliance on LiteLLM, an AI project hit by malware — Open-source projects face significant supply chain risks, even with security certifications.
• Your GitHub Token Is Now Worth More Than Your AWS Key — AI developers' credentials are now the primary target in supply chain attacks, shifting security focus from models to development environments.
• Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren't covering — AI supply chain security gaps in release pipelines pose a greater threat than model-specific vulnerabilities.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Comet.