Backdoored LiteLLM PyPI Releases Stole Secrets and Planted Kubernetes-Aware Malware
Attackers published malicious litellm versions 1.82.7 and 1.82.8 to PyPI after compromising the project’s release pipeline, turning a widely used AI gateway library into a credential-stealing malware delivery vehicle. Multiple reports link the intrusion to the broader TeamPCP supply-chain campaign and assess that stolen credentials from the earlier Trivy compromise were likely used to obtain LiteLLM publishing access. The tainted releases were available for roughly two to three hours before PyPI quarantined or yanked them, but researchers warned the exposure could be widespread because LiteLLM is heavily deployed across cloud and AI environments and was observed in about 36% of cloud environments in Wiz telemetry.
The malware harvested environment variables, cloud credentials, SSH keys, .env files, CI/CD secrets, Kubernetes tokens, database settings, Docker and Git credentials, AI provider API keys, and cryptocurrency wallet data, then encrypted and exfiltrated the data to models.litellm[.]cloud. It also established persistence through a disguised systemd service such as sysmon.service and polled checkmarx[.]zone for follow-on payloads; in Kubernetes environments, it attempted lateral movement by creating privileged pods and seeking node-level persistence. Version 1.82.8 posed the highest risk because a malicious Python .pth file executed automatically whenever the Python interpreter started, even if LiteLLM was never imported. Defenders were urged to treat any installation of either version as a full compromise, isolate affected hosts and CI jobs, remove persistence, inspect clusters and build artifacts, block attacker infrastructure, and rotate all reachable credentials immediately.
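As an added triage example (not code from LiteLLM or from any of the cited reports), the following Python sketch checks a site-packages directory for the two conditions described above: an installed litellm 1.82.7 or 1.82.8, and .pth files containing lines that the interpreter executes at startup. The function names and the sample directory are constructed for illustration.

```python
import site
import tempfile
from email import message_from_string
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # the two releases named in this article


def executable_pth_lines(site_dir):
    """List (file, line) for .pth lines that Python's site module would execute."""
    hits = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for line in pth.read_text(errors="replace").splitlines():
            # site.py exec()s any .pth line starting with "import" + space or tab;
            # every other non-comment line is only appended to sys.path.
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, line[:120]))
    return hits


def affected_litellm(site_dir):
    """Return affected litellm versions recorded in *.dist-info/METADATA."""
    found = []
    for meta in sorted(Path(site_dir).glob("*.dist-info/METADATA")):
        msg = message_from_string(meta.read_text(errors="replace"))
        name = (msg["Name"] or "").strip().lower()
        version = (msg["Version"] or "").strip()
        if name == "litellm" and version in BAD_VERSIONS:
            found.append(version)
    return found


def build_sample(root):
    """Constructed, harmless site-packages layout for demonstration only."""
    root = Path(root)
    (root / "paths.pth").write_text("/opt/extra/lib\n# comment\n")
    (root / "constructed_hook.pth").write_text("import sys; sys.dont_write_bytecode = True\n")
    for name, ver in (("litellm", "1.82.8"), ("requests", "2.32.0")):
        d = root / f"{name}-{ver}.dist-info"
        d.mkdir()
        (d / "METADATA").write_text(f"Metadata-Version: 2.1\nName: {name}\nVersion: {ver}\n\nbody\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample(tmp)
        print(executable_pth_lines(sample), affected_litellm(sample))
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        print(d, executable_pth_lines(d), affected_litellm(d))
```

Legitimate packages also ship .pth files with import lines, so each hit needs review rather than automatic removal. Run the check against every virtual environment, container image layer, and CI cache, not only the system interpreter.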
How this story unfolded
15 events from the most recent confirmed update back to the earliest known activity.
Lapsus$ claims theft of 4TB of Mercor data
On 2026-04-03, the Lapsus$ extortion group claimed it had stolen 4TB of Mercor data, including candidate profiles, PII, employer data, source code, API keys, and secrets. Mercor had not confirmed the scope or authenticity of the alleged leak, and the claim was not independently verified.
Mercor confirms security incident tied to LiteLLM compromise
On 2026-04-01, Mercor confirmed it suffered a security incident linked to the LiteLLM supply-chain attack. The company said it was among the affected firms and had contained and remediated the incident with help from external forensic experts.
Researchers map TeamPCP C2 infrastructure and 33,688 exposed LiteLLM instances
On 2026-03-27, Hunt.io reported that it had identified 33,688 internet-facing LiteLLM deployments potentially exposed to the supply-chain compromise and mapped three related TeamPCP servers. The report also disclosed a previously unreported IP address, 46.151.182.203, linked to the models.litellm.cloud exfiltration infrastructure and described AdaptixC2 and Havoc servers tied to the campaign.
Researchers report bot-driven suppression of LiteLLM GitHub disclosure
On 2026-03-26, Trend Micro reported that discussion of the LiteLLM compromise on GitHub was rapidly suppressed by apparent bot activity, suggesting TeamPCP attempted to hinder disclosure and slow incident response. The report framed this as part of the actor's broader operational security measures during the supply-chain campaign.
Community releases detection tooling for LiteLLM compromise
On 2026-03-26, community and researcher updates highlighted new detection tools and indicators for identifying LiteLLM compromise. These supplemented earlier guidance to hunt for persistence artifacts, suspicious outbound traffic, and Kubernetes abuse tied to the malware.
PyPI lifts LiteLLM quarantine after malicious versions are yanked
By 2026-03-26, PyPI had lifted the quarantine on LiteLLM after versions 1.82.7 and 1.82.8 were yanked. Even after restoration, responders continued to advise treating any installation of the affected versions as a full compromise.
Researchers tie LiteLLM compromise to TeamPCP campaign
On 2026-03-25, multiple security firms publicly linked the LiteLLM incident to TeamPCP's wider cross-ecosystem campaign spanning Trivy, Checkmarx, npm, Docker Hub, and OpenVSX. The attribution was based on shared infrastructure, malware patterns, and the credential-theft chain from the earlier Trivy breach.
LiteLLM publishes official security update
On 2026-03-25, LiteLLM published an official, actively maintained security update about the compromise. Guidance across reports advised users to remove versions 1.82.7 and 1.82.8, inspect for persistence, and rotate all credentials reachable from affected hosts.
LiteLLM maintainers open incident response and engage Mandiant
By 2026-03-25, LiteLLM said it was actively investigating the compromise and working with Mandiant on forensic analysis and remediation. The project also froze new releases while the incident was being handled.
PyPI quarantines LiteLLM after brief exposure window
On 2026-03-24, PyPI quarantined the LiteLLM project and removed or yanked the malicious versions after they had been available for roughly two to three hours. Several reports warned that the package's large footprint meant many environments may still have been exposed during that window.
Analysts identify multi-stage malware in compromised LiteLLM packages
On 2026-03-24, researchers determined the malicious releases contained a credential stealer and dropper that harvested secrets, exfiltrated them to attacker infrastructure, installed persistence via systemd, and attempted Kubernetes lateral movement. Version 1.82.8 was found to be especially dangerous because a malicious .pth file executed automatically on Python startup.
Researcher publicly reports suspicious behavior in new LiteLLM releases
On 2026-03-24, a user reported that LiteLLM 1.82.7 and 1.82.8 behaved suspiciously during setup, causing severe resource exhaustion and containing a base64-encoded payload in proxy_server.py. The report referenced an upstream GitHub issue and helped surface the compromise publicly.
Malicious LiteLLM 1.82.7 and 1.82.8 uploaded to PyPI
On 2026-03-24, attackers used valid publishing access to release trojanized LiteLLM versions 1.82.7 and 1.82.8 to PyPI without corresponding upstream GitHub source changes. Reporting links the upload to a compromised maintainer or CI/CD token stolen earlier in the Trivy incident.
Attackers register LiteLLM-themed exfiltration domain
On 2026-03-23, attackers reportedly registered models.litellm.cloud to receive encrypted data stolen by the malware. The domain was designed to resemble legitimate LiteLLM traffic and was later used as the main exfiltration endpoint.
TeamPCP compromises Trivy and steals downstream CI/CD credentials
On 2026-03-19, TeamPCP's broader supply-chain campaign began with the compromise of Trivy-related CI/CD infrastructure. Multiple reports say this exposed credentials later used against downstream projects, including LiteLLM's PyPI publishing pipeline.
Sources
47 references tracked.
The LiteLLM attack was a warning shot for Agentic AI supply chains | perspective | SC Media (scworld.com)
Python Supply-Chain Compromise - Schneier on Security (schneier.com)
AI Firm Mercor Confirms Breach as Hackers Claim 4TB of Stolen Data (hackread.com)
Mercor Breach Linked to LiteLLM Supply-Chain Attack (bankinfosecurity.com)
Popular litellm Python package is the latest victim of TeamPCP's ongoing supply chain attack - JFrog Security Research (research.jfrog.com)
Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer (sonatype.com)
Popular LiteLLM PyPI package compromised in TeamPCP supply chain attack (bleepingcomputer.com)
[Security]: litellm PyPI package (v1.82.7 + v1.82.8) compromised - full timeline and status · Issue #24518 · BerriAI/litellm (github.com)



