Supply chain attack on LiteLLM: Affected parties should change credentials
An attack on the open-source library for connecting to LLMs has apparently occurred, allowing two compromised packages to steal credentials.
(Image: solarseven / Shutterstock.com)
The LiteLLM development team has announced a security attack: two LiteLLM packages in the Python Package Index (PyPI) were reportedly compromised and equipped with a credential stealer. The LiteLLM team explains how developers can find out if they are affected and what next steps they should take immediately.
LiteLLM is an open-source library that can be called via a proxy server or Python SDK. It offers a unified interface for calling over 100 large language models, for example from OpenAI or Anthropic.
Supply chain attack on two LiteLLM packages
The two LiteLLM packages in versions 1.82.7 and 1.82.8 were apparently compromised and equipped with a credential stealer. This is designed to steal data and searches for SSH keys, environment variables, cloud provider credentials (AWS, GCP, Azure), Kubernetes tokens, and database passwords. According to Endor Labs, the payload is three-tiered: it steals credentials, attempts to penetrate Kubernetes clusters laterally, and installs a persistent systemd backdoor. According to the security company Snyk, which is monitoring the case, LiteLLM records around 3.4 million downloads daily.
Videos by heise
According to Snyk, the compromised packages were uploaded by the attacker TeamPCP after they had obtained the maintainer's credentials through a previous attack on Trivy. Trivy is an open-source security scanner used in LiteLLM's CI/CD pipeline. According to the security software provider Endor Labs, TeamPCP has been attacking since the end of February and is apparently moving from one project to the next using the stolen credentials.
Affected parties should act immediately
The two LiteLLM packages have since been removed from PyPI, but were reportedly available for download for several hours (on March 24, 2026, between 10:39 UTC and 16:00 UTC). Assuming LiteLLM records around 3.4 million downloads daily, the projections circulating online that several hundred thousand systems could be affected are quite realistic.
Anyone who has downloaded one of the affected packages should immediately follow LiteLLM's recommendations. This includes considering all secrets on the system as compromised and rotating them. Furthermore, the file system should be checked and an audit of the version history should be carried out to uncover all locations where the packages were installed. In addition, email addresses and a Slack channel are available for affected parties to contact the LiteLLM team directly.
The LiteLLM blog lists how to determine if the malicious packages are on the system. Developers using the official LiteLLM proxy Docker image are not affected by the attack. New LiteLLM releases are currently paused until the development team can confirm the security of the release path.
(mai)
