Malicious Backdoor in LiteLLM Package Compromises AI Frameworks
Severity: High (Score: 67.5)
Sources: Feeds2.Feedburner, Letsdatascience
Keywords: prompt, injection, drives, agentic, compromise, security, backdoor
Severity indicators: backdoor
Summary
In March 2026, a backdoor was introduced into the LiteLLM package on PyPI, remaining available for three hours and resulting in nearly 47,000 downloads. This package acts as a language-model gateway for various AI frameworks, including CrewAI, DSPy, and Microsoft GraphRAG. Users who updated LiteLLM during this time inadvertently integrated an autonomous attack bot named hackerbot-claw into their environments. The incident is highlighted in the OWASP GenAI Project's report as a significant example of supply-chain compromise and prompt injection risk. The attack vector exploited the dependency management of agentic AI systems, raising concerns about the security of widely reused libraries. The event emphasizes the need for improved runtime protections and dependency hygiene in software development. Security teams are advised to monitor for updates from affected framework maintainers and OWASP for recommended controls.
Key Points:
- A backdoor in LiteLLM on PyPI led to 47,000 downloads in three hours.
- The compromised package introduced an autonomous attack bot, hackerbot-claw, into user environments.
- The incident highlights significant supply-chain risks for agentic AI systems.
Detailed Analysis
**Impact**
Nearly 47,000 downloads of the compromised LiteLLM package occurred during a three-hour window in March 2026. Affected users include projects and frameworks such as CrewAI, DSPy, and Microsoft GraphRAG, spanning multiple AI agent deployments globally. The incident potentially exposed these environments to autonomous attack bots, risking credential theft, unauthorized lateral execution, and compromise of AI-driven workflows. The supply-chain nature of the compromise increased the blast radius across sectors relying on agentic AI frameworks.
**Technical Details**
The attack involved publishing a malicious backdoored version of the LiteLLM package on PyPI; the package functions as a language-model gateway for multiple AI frameworks. Installing or updating LiteLLM during the incident introduced an autonomous attack bot named hackerbot-claw into user environments. The compromise exploited prompt injection vulnerabilities inherent in agentic AI workflows, enabling runtime code execution and potential credential exfiltration. No specific CVEs or infrastructure details were provided. The kill chain stage corresponds to initial access and execution via supply-chain compromise.
**Recommended Response**
Immediately audit and verify all LiteLLM package versions in use, reverting to known clean releases or removing the package if it is not essential. Deploy runtime monitoring and allowlisting controls for agentic AI libraries to detect unauthorized code execution or anomalous agent behavior. Enhance dependency hygiene by implementing strict supply-chain security policies, and monitor for updates from affected framework maintainers or PyPI regarding patches or mitigations. Track OWASP GenAI Project advisories for evolving best practices on agent runtime protections.
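As an added example for the Recommended Response above (not code from the page, LiteLLM, PyPI or OWASP), the following Python script shows the audit step in practice: installed packages are compared against a pinned allowlist, and each artifact is checked against a locked sha256 digest in the same form that `pip install --require-hashes` enforces. The `pip freeze` sample, the version numbers, the artifact bytes and the digests are all constructed placeholders, since the page names no clean or compromised release numbers.

```python
"""Dependency-hygiene audit: compare installed packages against a pinned,
hash-locked allowlist, the way `pip install --require-hashes` would.

Added example for this advisory; not code from LiteLLM, PyPI or OWASP.
All version strings, hashes and the `pip freeze` sample below are constructed
placeholders, not real LiteLLM release data.
"""
import hashlib
import re

# Constructed sample of `pip freeze` output. Version numbers are placeholders.
SAMPLE_FREEZE = """\
litellm==9.9.9
crewai==1.2.3
requests==2.31.0
"""

# Constructed stand-in for a downloaded wheel's bytes; in practice read the
# artifact from pip's download cache or a local mirror.
SAMPLE_ARTIFACT = b"placeholder wheel bytes for litellm==1.2.3"

# Hypothetical allowlist / lockfile: package -> {approved version: sha256}.
# A version missing here is not approved; a digest mismatch means the artifact
# on disk is not the one that was reviewed.
ALLOWLIST = {
    "litellm": {"1.2.3": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()},
    "crewai": {"1.2.3": "0" * 64},  # placeholder digest
}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*(\S+)\s*$")


def parse_freeze(text):
    """Parse `name==version` lines. Package names are case-insensitive and
    runs of `-`, `_` and `.` are equivalent (PEP 503), so normalise them."""
    installed = {}
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            installed[name] = m.group(2)
    return installed


def audit(installed, allowlist):
    """Return (name, version, reason) findings: allowlisted packages running an
    unapproved version, and installed packages with no allowlist entry at all."""
    findings = []
    for name, version in sorted(installed.items()):
        if name not in allowlist:
            findings.append((name, version, "not in allowlist"))
        elif version not in allowlist[name]:
            findings.append((name, version, "version not approved"))
    return findings


def verify_artifact(name, version, data, allowlist):
    """Hash-pin check: True only if the artifact bytes match the locked digest
    for an approved version. Unknown versions fail closed."""
    expected = allowlist.get(name, {}).get(version)
    if expected is None:
        return False
    return hashlib.sha256(data).hexdigest() == expected


def pinned_requirement(name, version, data):
    """Emit a requirements.txt line in the form `--require-hashes` mode accepts."""
    return f"{name}=={version} --hash=sha256:{hashlib.sha256(data).hexdigest()}"


if __name__ == "__main__":
    installed = parse_freeze(SAMPLE_FREEZE)
    for name, version, reason in audit(installed, ALLOWLIST):
        print(f"FLAG {name}=={version}: {reason}")
    print("artifact ok:", verify_artifact("litellm", "1.2.3", SAMPLE_ARTIFACT, ALLOWLIST))
    print(pinned_requirement("litellm", "1.2.3", SAMPLE_ARTIFACT))
```

In a real environment, feed the script the output of `pip freeze` and the wheel files actually downloaded; the generated `--hash=sha256:` lines are what pip's `--require-hashes` mode checks, so an install of an artifact whose digest differs from the reviewed one fails rather than silently pulling in whatever the index currently serves.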
Source articles (2)
- Prompt injection still drives most agentic AI security failures in production — Feeds2.Feedburner · 2026-06-11
A backdoor sat on PyPI for three hours in March 2026. Nearly 47,000 downloads occurred during the window. The compromised package, LiteLLM, serves as the language-model gateway for CrewAI, DSPy, Micro…
- Prompt injection drives agentic AI supply-chain compromise | Let's Data Science — Letsdatascience · 2026-06-11
Help Net Security reports that a malicious backdoor was published to PyPI in March 2026 and remained available for three hours, resulting in nearly 47,000 downloads during that window. The compromise…
Timeline
- 2026-03-01 — Malicious backdoor published on PyPI: The LiteLLM package was compromised, allowing a backdoor to be downloaded by users.
- 2026-03-01 — 47,000 downloads during compromise: The compromised LiteLLM package was downloaded nearly 47,000 times within three hours.
- 2026-06-11 — Incident highlighted in OWASP report: The OWASP GenAI Project reported the incident as a significant example of supply-chain compromise.
Related entities
- Malware (Attack Type)
- Supply Chain Attack (Attack Type)
- Hackerbot-claw (Campaign)
- LiteLLM (Tool)
- T1195 - Supply Chain Compromise (Mitre Attack)
- PyPI (Platform)