In a disturbing incident that highlights the vulnerability of open-source software, a malicious actor infiltrated the PyPI (Python Package Index) repository and distributed two malware-laced versions of LiteLLM, a popular Python library for artificial intelligence. The incident underscores the importance of AI security in software development.
The attack occurred on March 24, 2026, when the attacker pushed two compromised packages, versions 1.82.7 and 1.82.8, onto PyPI. The malicious code was downloaded approximately 47,000 times in just 46 minutes before PyPI quarantined it.
Developers who installed these versions with unpinned dependencies were exposed to the malware, which stole sensitive credentials including environment variables, SSH keys, cloud provider credentials, Kubernetes tokens, and database passwords. The stolen data was sent to a server at models.litellm.cloud, a domain not affiliated with LiteLLM.
Understanding AI security measures is essential to protect sensitive information in the software development lifecycle.
The Payload’s Three Stages
The payload of the malware operates in three stages:
- Collection: A Python script harvests sensitive files from the host.
- Exfiltration: The collected data is encrypted and sent to https://models.litellm.cloud/.
- Lateral movement and persistence: If a Kubernetes service account token is present, the malware attempts to create privileged pods on every node in kube-system.
What You Should Do
To remediate this issue, developers are advised to:
- Check for affected installations: Run `pip show litellm`, inspect `.cache/uv` caches (`find ~/.cache/uv -name "litellm_init.pth"`), and check virtual environments in CI/CD.
- Remove the package and purge caches: Delete LiteLLM 1.82.8 from any affected environment and purge your package manager cache (`rm -rf ~/.cache/uv` or `pip cache purge`) to prevent re-installation from cached wheels.
- Check for persistence: Look for `~/.config/sysmon/sysmon.py` and `~/.config/systemd/user/sysmon.service`. If running in Kubernetes, audit kube-system for pods matching `node-setup-*` and review cluster secrets for unauthorized access.
- Rotate credentials: Assume any credentials present on an affected host are compromised and replace them with new ones.
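The four checks above can be scripted so they run the same way on every workstation and CI runner. The following POSIX shell audit is an added example, not code from the article or from the LiteLLM project: the indicator paths, the `node-setup-*` pod name pattern and the affected version numbers are taken verbatim from the article; `pip` and `kubectl` are only consulted if they are on PATH; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article or the LiteLLM project): audit one host
# for the indicators the article lists. Assumptions: paths, version numbers and
# the pod name pattern come straight from the article; pip and kubectl are used
# only when present on PATH.

# Versions the article identifies as malicious.
AFFECTED_VERSIONS="1.82.7 1.82.8"

# Exit 0 if the version string given as $1 is one of the malicious releases.
is_affected_version() {
    v="$1"
    for a in $AFFECTED_VERSIONS; do
        [ "$v" = "$a" ] && return 0
    done
    return 1
}

# Print the installed litellm version, or nothing if pip or the package is absent.
installed_litellm_version() {
    command -v pip >/dev/null 2>&1 || return 0
    pip show litellm 2>/dev/null | awk -F': ' '/^Version:/ { print $2 }'
}

# Print every persistence or cache artifact from the article that exists under
# the home directory given as $1 (defaults to $HOME), one path per line.
list_artifacts() {
    home="${1:-$HOME}"
    for f in "$home/.config/sysmon/sysmon.py" \
             "$home/.config/systemd/user/sysmon.service"; do
        [ -e "$f" ] && echo "$f"
    done
    # A cached wheel can reinstall the payload; the article names this file.
    [ -d "$home/.cache/uv" ] && find "$home/.cache/uv" -name litellm_init.pth 2>/dev/null
    return 0
}

# Number of artifacts found under the home directory $1.
artifact_count() {
    list_artifacts "$1" | wc -l | tr -d ' '
}

# Print kube-system pods matching the node-setup-* pattern from the article;
# silent when kubectl is absent or the cluster is unreachable.
suspicious_pods() {
    command -v kubectl >/dev/null 2>&1 || return 0
    kubectl get pods -n kube-system -o name 2>/dev/null | grep 'pod/node-setup-'
    return 0
}

# Run every check against one host; exit 1 if any indicator was found.
run_audit() {
    home="${1:-$HOME}"
    hits=0
    v="$(installed_litellm_version)"
    if [ -n "$v" ] && is_affected_version "$v"; then
        echo "ALERT: malicious litellm $v is installed"
        hits=$((hits + 1))
    fi
    arts="$(list_artifacts "$home")"
    if [ -n "$arts" ]; then
        echo "ALERT: persistence/cache artifacts present:"
        echo "$arts"
        hits=$((hits + 1))
    fi
    pods="$(suspicious_pods)"
    if [ -n "$pods" ]; then
        echo "ALERT: suspicious kube-system pods:"
        echo "$pods"
        hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ] && echo "no indicators found under $home"
    [ "$hits" -eq 0 ]
}

run_audit "${HOME:-/nonexistent}"
```

A non-zero exit from `run_audit` is meant to fail a CI job, so the script can be dropped into a pipeline step; after removing the package and purging caches, re-run it until it reports no indicators, then rotate the credentials that were on that host.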
The Incident’s Context
This attack is believed to be linked to an earlier compromise of Trivy, an open-source security scanning tool built by Aqua Security. On March 19, the hacker group TeamPCP used compromised credentials from a prior Trivy incident to tamper with Trivy’s GitHub Actions, allowing them to inject malicious code into automated workflows that build and distribute the tool.
What You Can Do
As a developer, you can take steps to protect yourself from this type of attack:
- Reduce your attack surface: Pin dependencies, use lock files with checksums, and audit packages before upgrading.
- Use secure credentials: Rotate your credentials regularly and store them securely.
- Monitor your environment: Regularly check for suspicious activity and monitor your package manager cache.
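Pinning with checksums is what would have kept an unpinned upgrade from pulling the malicious wheel. The following lint is an added example, not code from the article or from the LiteLLM project: it refuses a requirements file unless every requirement is pinned to exactly one version with `==` and carries a `--hash=sha256:` digest, which is the precondition for `pip install --require-hashes -r requirements.txt` (a real pip option). It assumes one requirement per line with no backslash continuations, and the sample package name and digest it writes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article or the LiteLLM project): check that a
# requirements file is fully pinned and hashed before installing with
# `pip install --require-hashes`. Assumes one requirement per line.

# Exit 0 when every requirement line in the file $1 is pinned with == and
# carries a sha256 hash; print each offending line and exit 1 otherwise.
check_lockfile() {
    file="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|-*) continue ;;       # blank, comment, or pip option line
            *==*--hash=sha256:*) ;;       # pinned and hashed: acceptable
            *) echo "unpinned or unhashed: $line"; bad=$((bad + 1)) ;;
        esac
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Write two constructed samples into directory $1: locked.txt is what a
# hash-locked entry looks like (placeholder package and digest, not a real
# wheel hash); loose.txt is a range pin that would accept any new upload.
write_samples() {
    dir="$1"
    cat > "$dir/locked.txt" <<'EOF'
# constructed sample produced by a hash-emitting lock tool
examplepkg==1.0.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
    cat > "$dir/loose.txt" <<'EOF'
examplepkg>=1.0
EOF
}

# Stand-alone demonstration on the constructed samples.
demo_dir="$(mktemp -d)"
write_samples "$demo_dir"
check_lockfile "$demo_dir/locked.txt" && echo "locked.txt: ok"
check_lockfile "$demo_dir/loose.txt" || echo "loose.txt: rejected"
```

Run the check as a pre-install step in CI; with `--require-hashes`, pip then refuses any distribution whose digest is not in the file, so a freshly uploaded version of a pinned package cannot be installed without a deliberate lock file update that shows up in review.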
LiteLLM’s Response
LiteLLM has taken steps to remediate the situation by pausing new releases, rotating maintainer credentials, establishing new authorized maintainers, and engaging Google’s Mandiant team for forensic analysis of the build and publishing chain.