LiteLLM Hit by PyPI Supply-Chain Compromise and Guardrail Sandbox Escape
Datadog Security Labs reported that the TeamPCP supply-chain campaign compromised the legitimate PyPI package LiteLLM, publishing malicious versions 1.82.7 and 1.82.8 that stole credentials, exfiltrated data, established persistence, and in some cases attempted to spread into Kubernetes environments. The campaign also hit Telnyx on PyPI and was linked to earlier compromises involving Trivy, npm packages, Aqua Security repositories, and Checkmarx tooling, with researchers concluding that stolen CI/CD and publishing credentials were reused across ecosystems. Datadog warned that LiteLLM 1.82.8 was especially dangerous because a malicious .pth file triggered payload execution when the Python interpreter started, while the Telnyx package executed code at import time and retrieved a second-stage payload hidden in a WAV file.
Separately, X41 disclosed a high-severity sandbox escape in BerriAI LiteLLM affecting the main-latest Docker image, where authenticated users could reach arbitrary code execution through the /guardrails/test_custom_code API endpoint. The flaw relied on bypassing regex-based restrictions on custom Python guardrail code using string concatenation and CPython bytecode rewriting to recover unrestricted builtins and call __import__, allowing commands to run as the LiteLLM process user, which is root in the default Docker deployment. X41 assigned the issue CWE-94 and a CVSS 4.0 score of 8.7, and Datadog advised organizations that installed the malicious LiteLLM releases to treat affected hosts and CI jobs as full credential-exposure events, rotate secrets, hunt for persistence and outbound traffic, and rebuild critical systems from known-good images rather than relying only on package rollback.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Gurucul identifies Mercor as downstream victim of LiteLLM compromise
Gurucul reported that the malicious LiteLLM supply-chain compromise impacted downstream users, including Mercor, where the compromised dependency enabled unauthorized data access and possible command execution. The report framed Mercor as a case study of the breach's downstream effects.
Malicious Telnyx releases 4.87.1 and 4.87.2 published to PyPI
Attackers also compromised the legitimate Telnyx Python package on PyPI, publishing malicious versions 4.87.1 and 4.87.2. The package executed malicious code at import time and retrieved a second-stage payload concealed in a WAV file.
Datadog links LiteLLM and Telnyx compromises to TeamPCP campaign
Datadog Security Research reported that the PyPI compromises of LiteLLM and Telnyx were part of the broader TeamPCP supply-chain campaign, which had previously affected Trivy, npm packages, Aqua Security repositories, and Checkmarx tooling. The report said stolen CI/CD and publishing credentials were reused across ecosystems to expand the campaign.
Malicious LiteLLM releases 1.82.7 and 1.82.8 published to PyPI
As part of the TeamPCP supply-chain campaign, attackers compromised the legitimate LiteLLM package on PyPI and published malicious versions 1.82.7 and 1.82.8. Datadog assessed version 1.82.8 as especially dangerous because a malicious .pth file triggered payload execution at Python interpreter startup.
X41 publicly discloses unpatched LiteLLM RCE vulnerability
X41 D-Sec published advisory X41-2026-001 describing a LiteLLM sandbox escape that could lead to arbitrary code execution as the LiteLLM process user, which is root by default in the affected Docker image. At publication, no patch was available.
X41 reports LiteLLM guardrail sandbox escape to vendor
According to the advisory's disclosure timeline, X41 D-Sec privately reported a high-severity sandbox escape in LiteLLM's /guardrails/test_custom_code endpoint in February 2026. The flaw allowed authenticated users to bypass source filtering and achieve arbitrary code execution in the default Docker deployment.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
LiteLLM Supply Chain Compromise: Downstream Impact Analysis with Mercor Breach Case Study | Community Portal | Gurucul
community.gurucul.com
Open sourceDeep Analysis: The LiteLLM Supply Chain Poisoning Incident - A Full-Link Analysis of the TeamPCP Three-Stage Backdoor - Alibaba Cloud Community
alibabacloud.com
Open sourceLiteLLM and Telnyx compromised on PyPI: Tracing the TeamPCP supply chain campaign | Datadog Security Labs
securitylabs.datadoghq.com
Open sourceoss-sec: X41 Advisory X41-2026-001: Guardrail Sandbox Escape in LiteLLM
seclists.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Backdoored LiteLLM PyPI Releases Stole Secrets and Targeted Kubernetes Clusters
Malicious versions `1.82.7` and `1.82.8` of the widely used `litellm` Python package were uploaded to PyPI after attackers used compromised publishing access, turning a popular AI gateway library into a supply-chain malware delivery vehicle. Researchers and project maintainers said the tainted code was absent from the upstream GitHub repository, indicating the compromise occurred in the release pipeline or during package publication. The malware executed on import in `1.82.7`, while `1.82.8` added a `litellm_init.pth` file that triggered on every Python interpreter startup, greatly expanding exposure even beyond direct use of the package. PyPI removed or quarantined the malicious releases, and `1.82.6` was identified as the last known clean version. The payload harvested a broad range of secrets, including cloud credentials, SSH keys, API tokens, Kubernetes service-account tokens, database and CI/CD secrets, `.env` files, shell histories, TLS keys, and cryptocurrency wallet data, then encrypted and exfiltrated the data to attacker-controlled infrastructure including `models.litellm.cloud`. Multiple reports said the malware also attempted Kubernetes lateral movement by enumerating clusters, dumping secrets, and deploying privileged pods across nodes, while establishing Linux persistence through a disguised `systemd` user service that contacted `checkmarx.zone` for follow-on payloads. Researchers linked the intrusion with high confidence to **TeamPCP**, tying it to the earlier Trivy compromise and a broader campaign spanning GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI; organizations that installed and ran the affected versions were urged to assume full credential compromise, rotate secrets, inspect for persistence, and review Kubernetes environments for rogue activity.
Jun 15, 2026
Malicious LiteLLM PyPI Releases Stole Cloud and Crypto Credentials
Two malicious `litellm` releases, versions `1.82.7` and `1.82.8`, were briefly published to PyPI in a supply-chain compromise that targeted developers and AI application environments. Reporting and downstream advisories said the packages contained credential-stealing malware aimed at **AWS secrets, cloud tokens, and cryptocurrency-related keys**, with exposure limited to a roughly four-hour publication window before the releases were removed. The incident was serious enough to trigger updates in the PyPA advisory database and public warnings that the affected versions should be treated as compromised. Projects that depend on LiteLLM moved quickly to contain the risk, with repositories including **OpenHands**, **MLflow**, and **dreadnode/rigging** pinning safe versions such as `litellm<=1.82.6` or otherwise blocking installation of the tainted releases. Community responders also published detection guidance and indicators of compromise tied to the malware campaign, including checks for installations of `1.82.7` and `1.82.8` and references to associated TeamPCP IoCs, while maintainers and users were urged to rotate any exposed credentials and review systems that may have installed the malicious packages.
Jun 25, 2026
Malicious PyPI Packages Hit LiteLLM and PyTorch Lightning With Credential-Stealing Backdoors
Two widely used Python packages, **LiteLLM** and **PyTorch Lightning**, were distributed on PyPI with malicious code that executed during installation or import and attempted to steal credentials and establish persistence. In the LiteLLM incident, versions `1.82.7` and `1.82.8` were flagged as compromised, with maintainers and downstream projects warning that a `litellm_init.pth` file contained data-exfiltration malware that sent information to `models.litellm.cloud`. Public advisories and community tooling were released to help users determine whether their machines had been affected, while third-party analysis described the package as combining credential theft with a persistent backdoor. In the PyTorch Lightning incident, version `2.6.3` on PyPI was found to trigger a hidden execution chain as soon as the package was imported, launching a background process that downloaded the **Bun** runtime from GitHub and ran an obfuscated JavaScript payload named `router_runtime.js`. Microsoft Threat Intelligence said Defender detected and blocked the activity, tracked as **ShaiWorm**, and reported that only a small number of devices in a narrow set of environments were affected. The malware targeted browser data, `.env` files, API keys, GitHub tokens, and cloud credentials across **AWS**, **Azure**, and **GCP**, and also supported arbitrary command execution; Lightning AI reverted the package to `2.6.1`, urged anyone who imported `2.6.3` to rotate all secrets immediately, and said it is investigating a possible compromise of its build or release pipeline.
May 25, 2026