
LiteLLM Supply Chain Attack: What It Means for Your Security

On March 24, 2026, attackers from the group known as TeamPCP published backdoored versions of LiteLLM to PyPI. LiteLLM is one of the most widely used AI proxy libraries for Python, downloaded over 3 million times per day. The compromised versions were live for approximately three hours before PyPI quarantined them.

What Happened

The attackers didn't target LiteLLM directly. They first compromised Trivy, an open-source security scanner used in LiteLLM's CI/CD pipeline. Through that foothold, they stole PyPI maintainer credentials and published malicious versions 1.82.7 and 1.82.8.

The payload was embedded inside litellm/proxy/proxy_server.py - the standard import path for LiteLLM's proxy mode. It also installed a .pth file that executes on every Python interpreter startup, meaning any Python process on the infected machine could trigger it.

What the Malware Steals

The credential harvester targets a wide range of sensitive data:

  • API keys and tokens from environment variables and .env files
  • SSH keys and cloud credentials (AWS, GCP, Azure)
  • Kubernetes configs and Docker secrets
  • Database connection strings and CI/CD pipeline secrets
  • Cryptocurrency wallets

It also deploys a persistent systemd backdoor and attempts lateral movement through Kubernetes by creating privileged pods.

Why This Matters for Every Web Application

Supply chain attacks don't just affect the directly compromised package. If your web application, API server, or internal tooling pulled LiteLLM as a dependency - even indirectly - your infrastructure credentials may have been exfiltrated.

The stolen credentials could be used to access your production databases, cloud accounts, and internal services. This is exactly the kind of exposure that a deep vulnerability scan detects: outdated dependencies with known CVEs, exposed secrets in server responses, and misconfigurations that attackers leverage after initial access.

How to Check Your Exposure

First, audit your Python environments for LiteLLM versions 1.82.7 or 1.82.8. If found, rotate all credentials immediately - API keys, database passwords, SSH keys, cloud IAM tokens.

Then assess your broader attack surface. A standard scan identifies outdated components and exposed services that supply chain attackers target for lateral movement. For organizations running AI infrastructure, a deep scan maps your full vulnerability profile against OWASP Top 10:2025 categories, including A06: Vulnerable and Outdated Components - the exact category this attack exploits.
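
One way to carry out the audit in the first step above, as an added example (not code from LiteLLM or from this post): it reads package metadata in each directory on the interpreter's sys.path, flags the two versions named here, and lists every .pth line that Python's site module would execute at startup. The function names and report layout are assumptions made for this sketch.

```python
import sys
from email import message_from_string
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # the two versions named in this post

def litellm_version(site_dir):
    """Return the litellm version installed in site_dir, or None."""
    for pattern in ("litellm*.dist-info/METADATA", "litellm*.egg-info/PKG-INFO"):
        for meta in Path(site_dir).glob(pattern):
            msg = message_from_string(meta.read_text(encoding="utf-8", errors="replace"))
            # Check the Name header so sibling packages with a litellm prefix are skipped.
            if (msg["Name"] or "").lower() == "litellm":
                return msg["Version"]
    return None

def executable_pth_lines(site_dir):
    """List (file, line) for .pth lines that the site module executes at startup."""
    hits = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for line in pth.read_text(encoding="utf-8", errors="replace").splitlines():
            # site only executes lines that start with "import" plus a space or tab;
            # every other line is treated as a path entry or a comment.
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, line.strip()))
    return hits

def audit(site_dirs):
    """Build one report entry per directory."""
    report = []
    for d in site_dirs:
        version = litellm_version(d)
        report.append({"site_dir": str(d), "litellm": version,
                       "affected": version in BAD_VERSIONS,
                       "pth_exec": executable_pth_lines(d)})
    return report

if __name__ == "__main__":
    # Scan the directories this interpreter actually imports from.
    dirs = [p for p in sys.path if p and Path(p).is_dir()]
    for r in audit(dirs):
        if r["affected"]:
            print(f"AFFECTED: litellm {r['litellm']} in {r['site_dir']}")
        for name, line in r["pth_exec"]:
            print(f"review: {r['site_dir']}/{name}: {line[:100]}")
```

Run it once with each interpreter, virtual environment and container image you maintain, since each has its own site-packages. Some legitimate packages also ship .pth files with import lines, so the "review" output is a list to compare against what you expect to be installed, not a verdict.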

The LiteLLM incident is a reminder: your security is only as strong as your weakest dependency.
