LiteLLM Malware Attack Traced to Stolen PyPI Token in Supply Chain Breach
A stolen PyPI publishing token, lifted from LiteLLM's CI/CD pipeline via a compromised Trivy security scanner, let attackers push backdoored packages downloaded 3.4 million times daily.

A security researcher at FutureSearch named Callum McMahon had a simple problem on March 24: he loaded a routine update to a widely used AI library and watched it "cause havoc on his local machine." What he had stumbled into was a meticulously engineered supply chain attack that had been months in the making.
TeamPCP, the threat actor behind the recent compromises of Trivy and KICS, pushed two malicious versions of the popular Python package LiteLLM, containing a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor. Multiple security vendors, including Endor Labs and JFrog, confirmed that versions 1.82.7 and 1.82.8 were published on March 24, 2026, stemming from the package's use of Trivy in its CI/CD workflow.

LiteLLM is downloaded roughly 3.4 million times per day. The library acts as a universal translator, converting API requests for over 100 different large language models into the standard OpenAI format, and Wiz data shows it is present in 36 percent of cloud environments.
The attack's entry point was not LiteLLM itself. The campaign began in late February, when attackers exploited a misconfiguration in Trivy's GitHub Actions environment to steal a privileged access token that let them manipulate the scanner's CI/CD pipelines, according to Aqua Security. Trivy is an open-source vulnerability scanner that LiteLLM, like many projects, had integrated as a security measure. LiteLLM's PYPI_PUBLISH token, held in the project's GitHub repo and exposed to the job as an environment variable, was readable by Trivy during a routine security scan; the trojanized scanner harvested it, and the attackers used it to push new LiteLLM releases to PyPI.
With that credential, the attackers published LiteLLM 1.82.7 at 10:39 UTC and 1.82.8 at 10:52 UTC, each containing malicious payloads. The malicious versions were available for approximately three hours before PyPI quarantined the package.
Both malicious versions install a .pth file, litellm_init.pth, into site-packages. Python's site module processes .pth files at interpreter startup, so the payload runs in every Python process on the host, not only when LiteLLM is imported. If a Kubernetes service account token is present, the malware reads all cluster secrets across all namespaces and attempts to create a privileged pod on every node in kube-system, with each pod mounting the host filesystem and installing a persistent backdoor at /root/.config/sysmon/sysmon.py, kept alive by a systemd user service.
Krrish Dholakia, CEO of Berri AI, which maintains LiteLLM, confirmed the breach publicly. "We have deleted all our PyPI publishing tokens," he said. "Our accounts had 2fa, so it's a bad token here. We're reviewing our accounts, to see how we can make it more secure (trusted publishing via JWT tokens, move to a different PyPI account, etc.)." Berri AI has paused new LiteLLM releases until it completes a broader supply-chain review and confirms the release path is safe.
The danger is amplified by where LiteLLM sits in most AI deployments. "Because LiteLLM typically sits directly between applications and multiple AI service providers, it often has access to API keys, environment variables, and other sensitive configuration data," Sonatype researchers noted, adding that compromising such a package allows attackers to intercept and exfiltrate secrets without ever directly breaching upstream systems.
The Python Packaging Authority published a security advisory warning that "anyone who has installed and run the project should assume any credentials available to the LiteLLM environment may have been exposed, and revoke/rotate them accordingly." Berri AI separately urged users to rotate all credentials present as environment variables or config files on any system where LiteLLM 1.82.7 or later was installed.
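The audit below turns the two preceding points (the .pth startup hook and the "assume exposure" advisory) into a check a responder can run on a suspect host. It is an added example, not code from the article, from Berri AI, or from the PyPA advisory. It reports the installed litellm version against the two versions named above, lists every .pth line that begins with `import` (the only kind of .pth line that site.py executes at interpreter start, which is the mechanism litellm_init.pth abuses), and looks for the backdoor path and any systemd user unit that references it. The function names, the sample .pth contents and the fixture directory are constructed for this example; the page does not publish the real .pth payload or the unit file name.

```python
"""Audit a host for the LiteLLM indicators described above (added example)."""
import sysconfig
import tempfile
from importlib import metadata
from pathlib import Path

MALICIOUS_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}   # versions named in the article
BACKDOOR_REL = Path(".config/sysmon/sysmon.py")     # path named in the article
USER_UNITS_REL = Path(".config/systemd/user")       # where systemd user units live


def classify_litellm_version(version):
    """'malicious' for the two published versions, 'ok' for anything else."""
    return "malicious" if version.strip() in MALICIOUS_LITELLM_VERSIONS else "ok"


def installed_litellm_status():
    """Look litellm up in the running interpreter's package metadata."""
    try:
        version = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return ("not installed", None)
    return (classify_litellm_version(version), version)


def site_packages_dirs():
    paths = sysconfig.get_paths()
    return sorted({Path(paths["purelib"]), Path(paths["platlib"])})


def scan_pth_files(dirs):
    """Return (file, line_no, text) for every .pth line that executes code.

    site.py runs a .pth line that starts with "import" as Python on every
    interpreter start; every other line is just a sys.path entry. Editable
    installs and a few namespace-package shims use import lines legitimately,
    so each hit needs triage, but a file like litellm_init.pth lands here.
    """
    hits = []
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            lines = pth.read_text(errors="replace").splitlines()
            for no, line in enumerate(lines, 1):
                if line.startswith(("import ", "import\t")):
                    hits.append((str(pth), no, line))
    return hits


def backdoor_indicators(home):
    """Check one home directory for the dropped script and a unit that runs it."""
    home = Path(home)
    found = []
    if (home / BACKDOOR_REL).exists():
        found.append(str(home / BACKDOOR_REL))
    units = home / USER_UNITS_REL
    if units.is_dir():
        for unit in sorted(units.glob("*.service")):
            if "sysmon.py" in unit.read_text(errors="replace"):
                found.append(str(unit))
    return found


def build_sample_env():
    """Constructed fixture: a fake site-packages and home dir, not real malware."""
    root = Path(tempfile.mkdtemp(prefix="litellm-audit-"))
    sp = root / "site-packages"
    sp.mkdir()
    # Benign: a plain path entry, never executed by site.py.
    (sp / "vendor.pth").write_text("/opt/vendor/lib\n")
    # Suspicious: an import line that runs code at startup (constructed stand-in).
    (sp / "litellm_init.pth").write_text(
        "import sys; exec(\"print('startup hook')\")\n")
    home = root / "home"
    (home / BACKDOOR_REL).parent.mkdir(parents=True)
    (home / BACKDOOR_REL).write_text("# placeholder for the dropped script\n")
    (home / USER_UNITS_REL).mkdir(parents=True)
    (home / USER_UNITS_REL / "sysmon.service").write_text(   # unit name is assumed
        "[Service]\nExecStart=/usr/bin/python3 %h/.config/sysmon/sysmon.py\n")
    return root


if __name__ == "__main__":
    status, version = installed_litellm_status()
    print(f"litellm: {status} ({version})")
    for path, no, text in scan_pth_files(site_packages_dirs()):
        print(f"executable .pth line: {path}:{no}: {text}")
    for indicator in backdoor_indicators(Path.home()):
        print(f"backdoor indicator: {indicator}")
```

Run it with the interpreter that owns the suspect environment (a venv's `python`, not the system one), since `sysconfig` and `importlib.metadata` only see that interpreter's site-packages; the backdoor check should also be pointed at `/root`, the home the article names, when run as root. A hit on the .pth scan or the version check means the host falls under the advisory's rotation guidance regardless of whether the Kubernetes stage fired.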
As community members began tracking the incident in a public GitHub issue, a coordinated effort attempted to bury the discussion. The GitHub vulnerability report was targeted with a spam attack at 05:44 AM PDT, when dozens of presumably AI-generated variations of "Thanks, that helped!" flooded the repository. Security researcher Rami McCarthy noted that 19 of the 25 accounts used to post spam were also used in the Trivy spam campaign.
The LiteLLM breach is part of a widening operation. TeamPCP has been observed running a multi-stage supply chain campaign across several developer ecosystems, including GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI. In a message posted on their Telegram channel, TeamPCP said: "These companies were built to protect your supply chains yet they can't even protect their own, the state of modern security research is a joke."
Gal Nagli, head of threat exposure at Wiz, framed the cascade bluntly: "The open source supply chain is collapsing in on itself." His full analysis describes a self-reinforcing loop: Trivy is compromised, LiteLLM is compromised, credentials from tens of thousands of environments reach attacker hands, and those credentials fuel the next compromise. Brett Leatherman, FBI Assistant Director of Cyber Division, warned on LinkedIn that given the volume of stolen credentials across likely thousands of downstream environments, organizations should "expect an increase in breach disclosures, follow-on intrusions, and extortion attempts in the coming weeks."