LiteLLM Python Package Compromised in Major Supply Chain Attack by TeamPCP

LiteLLM Python Package Compromised in Major Supply Chain Attack by TeamPCP

First seen 24 Mar 2026, 20:47 UTC RedditTheregisterWizEvrimagaciSonatype+34 84% similarity 72.0

Article Content

Browse articles
ThreatCluster

On March 24, 2026, two malicious versions of the LiteLLM Python package (1.82.7 and 1.82.8) were published on PyPI, containing credential-stealing malware. The attack, attributed to the TeamPCP threat group, exploited vulnerabilities in the CI/CD pipeline, specifically through the Trivy vulnerability scanner. The compromised versions were available for approximately two hours, potentially affecting millions of users given LiteLLM's 95 million monthly downloads. The malware is designed to harvest sensitive data such as SSH keys, cloud credentials, and Kubernetes secrets, and can establish persistence on affected systems. Security advisories have been issued, urging developers to check their installations and rotate any exposed credentials. The attack highlights the risks associated with supply chain vulnerabilities in open-source software. As of now, the malicious versions have been removed from PyPI, and the maintainers are managing the fallout.

Key Points: • Malicious LiteLLM versions 1.82.7 and 1.82.8 were published on March 24, 2026. • The attack exploited vulnerabilities in the CI/CD pipeline via the Trivy vulnerability scanner. • The malware can steal sensitive data and establish persistence, affecting millions of users.

ThreatCluster AI

Timeline

2026-03-24
Malicious LiteLLM versions 1.82.7 and 1.82.8 published on PyPI
2026-03-24
Malicious versions available for approximately two hours
2026-03-24
Malicious versions removed from PyPI
2026-03-25
Security advisories issued for affected users

Community

Browse all →