Malicious LiteLLM PyPI Releases Stole Cloud and Crypto Credentials
Two malicious litellm releases, versions 1.82.7 and 1.82.8, were briefly published to PyPI in a supply-chain compromise that targeted developers and AI application environments. Reporting and downstream advisories said the packages contained credential-stealing malware aimed at AWS secrets, cloud tokens, and cryptocurrency-related keys, with exposure limited to a roughly four-hour publication window before the releases were removed. The incident was serious enough to trigger updates in the PyPA advisory database and public warnings that the affected versions should be treated as compromised.
Projects that depend on LiteLLM moved quickly to contain the risk, with repositories including OpenHands, MLflow, and dreadnode/rigging pinning safe versions such as litellm<=1.82.6 or otherwise blocking installation of the tainted releases. Community responders also published detection guidance and indicators of compromise tied to the malware campaign, including checks for installations of 1.82.7 and 1.82.8 and references to associated TeamPCP IoCs, while maintainers and users were urged to rotate any exposed credentials and review systems that may have installed the malicious packages.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Further public alert notes limited impact and four-hour exposure window
A later public security alert reiterated that LiteLLM versions 1.82.7 and 1.82.8 were malicious, emphasizing a four-hour publication window and limited impact. This reflects continued disclosure and clarification of the incident's scope.
Detector and TeamPCP IoCs released for compromised LiteLLM versions
A public GitHub Gist released a detector for identifying compromised LiteLLM versions 1.82.7 and 1.82.8 and shared TeamPCP indicators of compromise. This gave defenders a way to check environments for exposure.
OX Security publishes analysis of credential-stealing LiteLLM malware
OX Security published a blog post describing the malicious LiteLLM packages and their theft of AWS and crypto credentials. The write-up provided broader public reporting and technical context on the supply-chain attack.
PyPA advisory database updated with malware details
A pull request to the PyPA advisory database added additional details about the malicious LiteLLM packages. This formalized public tracking of the incident in Python package security advisories.
Projects pin or restrict LiteLLM to safe versions
Multiple downstream projects, including OpenHands, dreadnode/rigging, and MLflow, updated dependencies to pin LiteLLM to 1.82.6 or earlier to mitigate the supply-chain compromise. These changes indicate active defensive response by affected maintainers.
Malicious LiteLLM 1.82.7 and 1.82.8 packages published to PyPI
Attackers published compromised LiteLLM versions 1.82.7 and 1.82.8 to PyPI in a short roughly four-hour window. The malicious packages were reported to steal cloud and cryptocurrency-related credentials, including AWS keys.
Sources
7 references tracked. Mallory keeps watching after this page renders.
SECURITY ALERT: Malicious `litellm` `1.82.7` / `1.82.8` (4-hour window, limited impact) · Issue #2209 · agentscope-ai/QwenPaw
github.com
Open sourceLiteLLM Supply Chain Attack Detector - check for compromised versions (1.82.7/1.82.8) and TeamPCP IoCs · GitHub
gist.github.com
Open sourceMalicious LiteLLM Packages Steal AWS & Crypto Keys
ox.security
Open sourcePin `litellm<=1.82.6` by harupy · Pull Request #21971 · mlflow/mlflow · GitHub
github.com
Open sourcefix(security): pin litellm<1.82.6 to mitigate supply chain attack by GangGreenTemperTatum · Pull Request #356 · dreadnode/rigging · GitHub
github.com
Open sourcesecurity: pin litellm<=1.82.6 to mitigate supply chain attack by saurya · Pull Request #13569 · OpenHands/OpenHands · GitHub
github.com
Open sourceAdditional details about malware in LiteLLM by kam193 · Pull Request #268 · pypa/advisory-database · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Backdoored LiteLLM PyPI Releases Stole Secrets and Targeted Kubernetes Clusters
Malicious versions `1.82.7` and `1.82.8` of the widely used `litellm` Python package were uploaded to PyPI after attackers used compromised publishing access, turning a popular AI gateway library into a supply-chain malware delivery vehicle. Researchers and project maintainers said the tainted code was absent from the upstream GitHub repository, indicating the compromise occurred in the release pipeline or during package publication. The malware executed on import in `1.82.7`, while `1.82.8` added a `litellm_init.pth` file that triggered on every Python interpreter startup, greatly expanding exposure even beyond direct use of the package. PyPI removed or quarantined the malicious releases, and `1.82.6` was identified as the last known clean version. The payload harvested a broad range of secrets, including cloud credentials, SSH keys, API tokens, Kubernetes service-account tokens, database and CI/CD secrets, `.env` files, shell histories, TLS keys, and cryptocurrency wallet data, then encrypted and exfiltrated the data to attacker-controlled infrastructure including `models.litellm.cloud`. Multiple reports said the malware also attempted Kubernetes lateral movement by enumerating clusters, dumping secrets, and deploying privileged pods across nodes, while establishing Linux persistence through a disguised `systemd` user service that contacted `checkmarx.zone` for follow-on payloads. Researchers linked the intrusion with high confidence to **TeamPCP**, tying it to the earlier Trivy compromise and a broader campaign spanning GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI; organizations that installed and ran the affected versions were urged to assume full credential compromise, rotate secrets, inspect for persistence, and review Kubernetes environments for rogue activity.
Jun 15, 2026
Malicious PyPI Packages Hit LiteLLM and PyTorch Lightning With Credential-Stealing Backdoors
Two widely used Python packages, **LiteLLM** and **PyTorch Lightning**, were distributed on PyPI with malicious code that executed during installation or import and attempted to steal credentials and establish persistence. In the LiteLLM incident, versions `1.82.7` and `1.82.8` were flagged as compromised, with maintainers and downstream projects warning that a `litellm_init.pth` file contained data-exfiltration malware that sent information to `models.litellm.cloud`. Public advisories and community tooling were released to help users determine whether their machines had been affected, while third-party analysis described the package as combining credential theft with a persistent backdoor. In the PyTorch Lightning incident, version `2.6.3` on PyPI was found to trigger a hidden execution chain as soon as the package was imported, launching a background process that downloaded the **Bun** runtime from GitHub and ran an obfuscated JavaScript payload named `router_runtime.js`. Microsoft Threat Intelligence said Defender detected and blocked the activity, tracked as **ShaiWorm**, and reported that only a small number of devices in a narrow set of environments were affected. The malware targeted browser data, `.env` files, API keys, GitHub tokens, and cloud credentials across **AWS**, **Azure**, and **GCP**, and also supported arbitrary command execution; Lightning AI reverted the package to `2.6.1`, urged anyone who imported `2.6.3` to rotate all secrets immediately, and said it is investigating a possible compromise of its build or release pipeline.
May 25, 2026
LiteLLM Hit by PyPI Supply-Chain Compromise and Guardrail Sandbox Escape
Datadog Security Labs reported that the **TeamPCP** supply-chain campaign compromised the legitimate PyPI package **LiteLLM**, publishing malicious versions `1.82.7` and `1.82.8` that stole credentials, exfiltrated data, established persistence, and in some cases attempted to spread into Kubernetes environments. The campaign also hit **Telnyx** on PyPI and was linked to earlier compromises involving Trivy, npm packages, Aqua Security repositories, and Checkmarx tooling, with researchers concluding that stolen CI/CD and publishing credentials were reused across ecosystems. Datadog warned that LiteLLM `1.82.8` was especially dangerous because a malicious `.pth` file triggered payload execution when the Python interpreter started, while the Telnyx package executed code at import time and retrieved a second-stage payload hidden in a WAV file. Separately, X41 disclosed a high-severity **sandbox escape** in BerriAI LiteLLM affecting the `main-latest` Docker image, where authenticated users could reach arbitrary code execution through the `/guardrails/test_custom_code` API endpoint. The flaw relied on bypassing regex-based restrictions on custom Python guardrail code using string concatenation and CPython bytecode rewriting to recover unrestricted builtins and call `__import__`, allowing commands to run as the LiteLLM process user, which is **root** in the default Docker deployment. X41 assigned the issue **CWE-94** and a **CVSS 4.0 score of 8.7**, and Datadog advised organizations that installed the malicious LiteLLM releases to treat affected hosts and CI jobs as full credential-exposure events, rotate secrets, hunt for persistence and outbound traffic, and rebuild critical systems from known-good images rather than relying only on package rollback.
Apr 24, 2026