Malicious PyPI Packages Hit LiteLLM and PyTorch Lightning With Credential-Stealing Backdoors
Two widely used Python packages, LiteLLM and PyTorch Lightning, were distributed on PyPI with malicious code that executed during installation or import and attempted to steal credentials and establish persistence. In the LiteLLM incident, versions 1.82.7 and 1.82.8 were flagged as compromised, with maintainers and downstream projects warning that a litellm_init.pth file contained data-exfiltration malware that sent information to models.litellm.cloud. Public advisories and community tooling were released to help users determine whether their machines had been affected, while third-party analysis described the package as combining credential theft with a persistent backdoor.
In the PyTorch Lightning incident, version 2.6.3 on PyPI was found to trigger a hidden execution chain as soon as the package was imported, launching a background process that downloaded the Bun runtime from GitHub and ran an obfuscated JavaScript payload named router_runtime.js. Microsoft Threat Intelligence said Defender detected and blocked the activity, tracked as ShaiWorm, and reported that only a small number of devices in a narrow set of environments were affected. The malware targeted browser data, .env files, API keys, GitHub tokens, and cloud credentials across AWS, Azure, and GCP, and also supported arbitrary command execution; Lightning AI reverted the package to 2.6.1, urged anyone who imported 2.6.3 to rotate all secrets immediately, and said it is investigating a possible compromise of its build or release pipeline.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
SafeDep publishes technical analysis of malicious LiteLLM 1.82.8
SafeDep released a detailed analysis describing LiteLLM 1.82.8 as a credential-stealing persistent backdoor, adding technical detail to the earlier disclosure of the PyPI supply-chain attack.
Lightning AI warned of possible supply-chain attack in version 2.6.3
A public GitHub issue disclosed that PyTorch Lightning 2.6.3 on PyPI appeared backdoored, recommending that the release be yanked and that the build or release pipeline be investigated for compromise.
Lightning AI reverts PyTorch Lightning package and urges secret rotation
After the malicious 2.6.3 release was identified, Lightning AI reverted the PyPI package to version 2.6.1, advised anyone who imported 2.6.3 to rotate all secrets immediately, and began investigating a possible build or release pipeline compromise.
Microsoft detects and blocks ShaiWorm activity from malicious Lightning package
Microsoft Threat Intelligence said Defender detected and blocked the malicious activity associated with the backdoored PyTorch Lightning package, which it tracks as ShaiWorm, and reported only a small number of affected devices in a narrow set of environments.
PyTorch Lightning 2.6.3 malicious behavior verified
A reporter stated that the PyPI wheel for lightning version 2.6.3 was verified on April 30, 2026 to contain a hidden execution chain that downloaded Bun and ran an obfuscated JavaScript payload with credential-theft and exfiltration capabilities.
Detector released for LiteLLM compromise
A GitHub tool was published to help users determine whether their machines were compromised by the malicious LiteLLM 1.82.7/1.82.8 packages.
Malicious LiteLLM packages 1.82.7/1.82.8 disclosed on PyPI
Multiple project and GitHub references published on March 24, 2026 reported that LiteLLM versions 1.82.7 and 1.82.8 on PyPI were compromised in a supply-chain attack and contained data-exfiltration malware.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Malicious litellm 1.82.8: Credential Theft and Persistent Backdoor - Real-time Open Source Software Supply Chain Security
safedep.io
Open sourcePossible supply chain attack on version 2.6.3 · Issue #21689 · Lightning-AI/pytorch-lightning
github.com
Open sourceBackdoored PyTorch Lightning package drops credential stealer
bleepingcomputer.com
Open source[Notice] LiteLLM Supply Chain Attack · Issue #9500 · stanfordnlp/dspy
github.com
Open sourceSecurity: litellm_init.pth contains data-exfiltration malware (exfiltrates to models.litellm.cloud) · Issue #24515 · BerriAI/litellm
github.com
Open sourceGitHub - jthack/litellm-vuln-detector: Detect if your machine was compromised by the litellm 1.82.7/1.82.8 PyPI supply chain attack (March 24, 2026) · GitHub
github.com
Open sourceLiteLLM on PyPI is compromised [LWN.net]
lwn.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious LiteLLM PyPI Releases Stole Cloud and Crypto Credentials
Two malicious `litellm` releases, versions `1.82.7` and `1.82.8`, were briefly published to PyPI in a supply-chain compromise that targeted developers and AI application environments. Reporting and downstream advisories said the packages contained credential-stealing malware aimed at **AWS secrets, cloud tokens, and cryptocurrency-related keys**, with exposure limited to a roughly four-hour publication window before the releases were removed. The incident was serious enough to trigger updates in the PyPA advisory database and public warnings that the affected versions should be treated as compromised. Projects that depend on LiteLLM moved quickly to contain the risk, with repositories including **OpenHands**, **MLflow**, and **dreadnode/rigging** pinning safe versions such as `litellm<=1.82.6` or otherwise blocking installation of the tainted releases. Community responders also published detection guidance and indicators of compromise tied to the malware campaign, including checks for installations of `1.82.7` and `1.82.8` and references to associated TeamPCP IoCs, while maintainers and users were urged to rotate any exposed credentials and review systems that may have installed the malicious packages.
Jun 25, 2026
Backdoored LiteLLM PyPI Releases Stole Secrets and Targeted Kubernetes Clusters
Malicious versions `1.82.7` and `1.82.8` of the widely used `litellm` Python package were uploaded to PyPI after attackers used compromised publishing access, turning a popular AI gateway library into a supply-chain malware delivery vehicle. Researchers and project maintainers said the tainted code was absent from the upstream GitHub repository, indicating the compromise occurred in the release pipeline or during package publication. The malware executed on import in `1.82.7`, while `1.82.8` added a `litellm_init.pth` file that triggered on every Python interpreter startup, greatly expanding exposure even beyond direct use of the package. PyPI removed or quarantined the malicious releases, and `1.82.6` was identified as the last known clean version. The payload harvested a broad range of secrets, including cloud credentials, SSH keys, API tokens, Kubernetes service-account tokens, database and CI/CD secrets, `.env` files, shell histories, TLS keys, and cryptocurrency wallet data, then encrypted and exfiltrated the data to attacker-controlled infrastructure including `models.litellm.cloud`. Multiple reports said the malware also attempted Kubernetes lateral movement by enumerating clusters, dumping secrets, and deploying privileged pods across nodes, while establishing Linux persistence through a disguised `systemd` user service that contacted `checkmarx.zone` for follow-on payloads. Researchers linked the intrusion with high confidence to **TeamPCP**, tying it to the earlier Trivy compromise and a broader campaign spanning GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI; organizations that installed and ran the affected versions were urged to assume full credential compromise, rotate secrets, inspect for persistence, and review Kubernetes environments for rogue activity.
Jun 15, 2026
PromptMink npm campaign and malicious lightning releases hit developer supply chains
ReversingLabs disclosed a long-running npm supply chain campaign dubbed **PromptMink** that inserted malicious dependencies into software projects, including the open-source crypto trading agent `openpaw-graveyard`. In one highlighted case, a commit co-authored by Anthropic’s Claude Opus added `@solana-launchpad/sdk`, which pulled in the malicious `@validate-sdk/v2` payload. Researchers said the operation has run for more than seven months across over 60 malicious packages and 300 versions, using benign-looking first-stage packages to hide disposable second-stage malware. The payloads stole credentials, sensitive files, cryptocurrency-related data, and in some Linux cases installed attacker SSH keys for persistence; later Rust variants also exfiltrated full project directories and source code. ReversingLabs linked the activity to **Famous Chollima**, a North Korea-linked group associated with Contagious Interview. Separately, Socket reported that the widely used PyPI package **`lightning`** was compromised in versions `2.6.2` and `2.6.3`, while `2.6.1` remained clean. The malicious releases reportedly executed on import, unpacked a hidden `_runtime` directory, downloaded Bun from GitHub, and launched an obfuscated JavaScript payload aimed at stealing GitHub, npm, and cloud credentials, abusing GitHub APIs, poisoning repositories, and infecting developer npm package tarballs. Because `lightning` is heavily used in developer workstations, CI/CD pipelines, and cloud build environments, researchers warned that any system that installed and imported the affected versions should be treated as compromised, with exposed credentials rotated and repositories and build systems investigated for follow-on abuse.
May 1, 2026