Critical Security Alert: LiteLLM Compromised with Massive Credential Stealer on PyPI
News/2026-03-25-critical-security-alert-litellm-compromised-with-massive-credential-stealer-on-p
Cybersecurity AI Breaking NewsMar 25, 20265 min read
Verified·Single source

Critical Security Alert: LiteLLM Compromised with Massive Credential Stealer on PyPI

Practical focus

Detect threats and suspicious behavior

Guideline angle

Using AI in SOC workflows

Critical Security Alert: LiteLLM Compromised with Massive Credential Stealer on PyPI
  • What: A supply chain attack targeting the LiteLLM Python package versions 1.82.7 and 1.82.8.
  • Payload: A malicious credential stealer targeting SSH keys, cloud tokens, and crypto wallets.
  • Infection Vector: Compromised PyPI credentials likely stolen via an exploit in the Trivy security scanner.
  • Risk Level: Critical—Version 1.82.8 executes automatically upon any Python startup without requiring a library import.
  • Action Required: Immediate deletion of affected versions and mandatory rotation of all system credentials.

A massive supply chain attack has compromised LiteLLM, a popular library for connecting to multiple AI models, turning versions 1.82.7 and 1.82.8 into potent credential stealers. The breach, discovered on March 24, 2026, allows attackers to exfiltrate a vast array of sensitive data, including AWS tokens, SSH keys, and cryptocurrency wallets, from any machine where the infected package was installed.

The incident has sent shockwaves through the AI development community, as LiteLLM is widely used by developers to manage API calls across various Large Language Models (LLMs). According to reports from Simon Willison and official GitHub security issues, the PyPI (Python Package Index) repository has already quarantined the package, but the window for compromise remained open for several hours.

The "Nasty" Mechanism: Execution Without Import

The most alarming aspect of the breach involves version 1.82.8. Unlike typical malicious packages that require a user to run import litellm to trigger a payload, this version utilizes a malicious litellm_init.pth file.

In the Python ecosystem, .pth files are executed every time the Python interpreter starts. This means that simply installing the package via pip install is enough to compromise the host system. The malicious file, which is approximately 34,628 bytes, contains a base64-encoded script that harvests credentials silently in the background.

By contrast, version 1.82.7 contained the exploit within the proxy/proxy_server.py file. While still dangerous, it required the package or the proxy server to be actively imported or run for the credential theft to occur.

A "Bewildering Array" of Stolen Secrets

Once triggered, the script "hoovered up" a comprehensive list of sensitive directories and configuration files. Security researchers have identified that the stealer specifically targets the following locations on a user's machine:

  • Cloud & Infrastructure: ~/.aws/, ~/.azure/, ~/.kube/, ~/.docker/, and ~/.vault-token.
  • Access & Authentication: ~/.ssh/, ~/.gitconfig, ~/.git-credentials, ~/.npmrc, and ~/.netrc.
  • System History: ~/.bash_history, ~/.zsh_history, and ~/.sh_history.
  • Database Credentials: ~/.my.cnf, ~/.pgpass, ~/.mongorc.js, ~/.mysql_history, ~/.psql_history, and ~/.rediscli_history.
  • Cryptocurrency Wallets: A wide range of wallets including Bitcoin, Ethereum, Litecoin, Dogecoin, Zcash, Dashcore, Ripple, Monero, and Cardano.

Beyond simple theft, reports from FutureSearch.ai indicate that the malicious script also attempts lateral movement across Kubernetes clusters, potentially escalating a single developer's machine compromise into a full-scale corporate infrastructure breach.

Irony in the Supply Chain: The Trivy Connection

The source of the compromise appears to be an exploit against Trivy, a popular security scanner tool ironically used by LiteLLM in its Continuous Integration (CI) pipeline.

According to Simon Willison's report, the Trivy exploit likely resulted in the theft of LiteLLM’s PyPI publishing credentials. The attackers then used these credentials to directly publish the compromised 1.82.7 and 1.82.8 wheels to the official repository, bypassing standard code review processes. This highlights a growing trend in "security-tool-originated" attacks, where the very software meant to protect the supply chain becomes the entry point for hackers.

Impact: "Rotate Your Credentials Now"

The impact of this breach is catastrophic for any developer or organization that updated their LiteLLM package during the infection window. Because the script targets shell histories and .netrc files, even passwords and tokens not explicitly stored in dedicated credential folders may have been compromised.

"If you have litellm 1.82.7 or 1.82.8 installed anywhere, stop reading and rotate your credentials now," warned a security advisory from Awesome Agents.

For developers, this means:

  1. Running pip show litellm to check the installed version.
  2. If on an affected version, immediately wiping the environment.
  3. Generating new SSH keys and rotating API keys for AWS, Azure, and Google Cloud.
  4. Resetting database passwords and moving funds from any potentially exposed crypto wallets.

The pull quote for this event is clear: "The fact that this was a .pth file is particularly nasty; installation alone turned your machine into an open book for attackers."

Industry Landscape and What's Next

This attack places LiteLLM and its maintainers at BerriAI in a difficult position as they work to restore trust. While the package has been quarantined and newer, safe versions are expected to be released, the breach underscores the fragility of the Python packaging ecosystem.

The industry is likely to see a renewed push for more robust PyPI security measures, such as mandatory hardware-based Multi-Factor Authentication (MFA) for all high-traffic packages and better sandboxing for the installation process to prevent .pth file abuse.

For the AI industry, which relies heavily on a complex web of open-source libraries, this serves as a stark reminder that the tools enabling the AI revolution are also high-value targets for sophisticated supply chain actors. Developers are urged to pin their dependencies to known-good versions and monitor CI/CD logs for unauthorized package publications.

Sources

Original Source

simonwillison.net

Comments

No comments yet. Be the first to share your thoughts!

LiteLLM Security Alert: Malicious PyPI Package Discovered | Pikka AI News