safedep.io
LiteLLM Supply Chain Attack Exposes Critical Credentials
On March 24, 2026, two versions of the LiteLLM Python package (1.82.7 and 1.82.8) were compromised on PyPI, embedding credential-stealing payloads. The attack, linked to the TeamPCP threat actor, exploited a vulnerability in the Trivy open-source scanner, allowing attackers to publish malicious versions. The payloads targeted sensitive information such as SSH keys, cloud credentials, and Kubernetes secrets, exfiltrating this data to an attacker-controlled server. The malicious version 1.82.8 introduced a .pth file for automatic execution, escalating the threat. The incident highlights the risks associated with supply chain attacks in software development environments. Security advisories have been issued, and further analysis is ongoing to mitigate the impact. The LiteLLM library is widely used, with millions of downloads daily, raising concerns about the broader implications of this breach.
Key Points:
• Two compromised LiteLLM versions on PyPI exfiltrated sensitive credentials.
• Attack linked to TeamPCP, exploiting vulnerabilities in the Trivy scanner.
• Malicious payloads targeted SSH keys, cloud credentials, and Kubernetes secrets.
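
A defender-side check for the two things the article describes, the compromised version numbers and the .pth auto-execution mechanism, as an added example that is not SafeDep's or LiteLLM's code. The function names are assumptions made for illustration and the demo directory is constructed sample data; the scan reports every .pth line Python's site module would execute, legitimate ones included, so hits need review.

```python
import re
import tempfile
from importlib import metadata
from pathlib import Path

# Versions named as compromised in the article above.
COMPROMISED = {"1.82.7", "1.82.8"}

def litellm_is_compromised(version):
    """True if the version string is one the article names as compromised."""
    return version is not None and version.strip() in COMPROMISED

def installed_litellm_version():
    """Installed litellm version, or None if the package is absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None

def executable_pth_lines(directory):
    """Return {pth_path: [lines]} for .pth lines that site.py would exec().
    At interpreter startup site.py executes any .pth line that starts with
    'import' followed by a space or tab; other lines only extend sys.path.
    """
    findings = {}
    for pth in sorted(Path(directory).glob("*.pth")):
        try:
            text = pth.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        hits = [ln.rstrip() for ln in text.splitlines() if re.match(r"import[ \t]", ln)]
        if hits:
            findings[str(pth)] = hits
    return findings

def demo():
    """Scan a constructed directory (hypothetical file names, not real IoCs)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "paths_only.pth").write_text("/opt/example/lib\n# comment\n")
        Path(d, "runs_code.pth").write_text("import os; os.environ.get('HOME')\n")
        return {Path(p).name: v for p, v in executable_pth_lines(d).items()}

if __name__ == "__main__":
    import site
    version = installed_litellm_version()
    print("litellm:", version, "compromised:", litellm_is_compromised(version))
    for sp in site.getsitepackages() + [site.getusersitepackages()]:
        for path, lines in executable_pth_lines(sp).items():
            print(path, lines)
```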