“Anyone who has installed and run the project should assume any credentials available to [the] LiteLLM environment may have been exposed, and revoke/rotate them accordingly,” warned the Python Packaging Authority (PyPA) following a significant supply chain attack targeting the LiteLLM software. This incident has raised serious concerns about the security of open-source software and the integrity of supply chains in the tech industry.
The attack, which involved the injection of credential-stealing code into LiteLLM through the Trivy tool in the CI/CD pipeline, led to the removal of versions 1.82.7 and 1.82.8 from the Python Package Index (PyPI) on March 24, 2026. The malicious code was embedded in the file litellm_init.pth, and the compromised versions were published at approximately 8:30 UTC.
PyPI acted swiftly, quarantining the malicious packages by 11:25 UTC on the same day. However, the damage had already been done, as the payload was designed to target sensitive information such as environment variables, SSH keys, and cloud credentials, exfiltrating this data to domains controlled by the attackers.
The threat actor, known as TeamPCP, has a history of compromising various ecosystems, including GitHub Actions and Docker Hub. This coordinated campaign is part of a broader trend targeting security tools and open-source infrastructure, raising alarms about the vulnerabilities inherent in these systems.
Gal Nagli, a security expert, commented on the situation, stating, “The open source supply chain is collapsing in on itself.” This sentiment reflects a growing concern within the tech community regarding the reliability of open-source projects, which are often seen as more vulnerable to such attacks.
In the wake of the attack, users are urged to audit their environments for the compromised LiteLLM versions and to take immediate action to revoke any exposed credentials. The Python Packaging Authority has also published a security advisory to inform users of the risks associated with the compromised software.
As the situation unfolds, experts from Endor Labs have noted, “This campaign is almost certainly not over.” The implications of this attack extend beyond just the immediate threat, as it highlights the ongoing challenges in securing software supply chains.
Details remain unconfirmed regarding the full extent of the data compromised and the potential long-term impacts on users and organizations relying on LiteLLM. With approximately 36% of cloud environments utilizing LiteLLM, the urgency for users to act cannot be overstated.
As the tech community grapples with the fallout from this incident, it serves as a stark reminder of the vulnerabilities present in modern software development and the critical need for robust security measures.