LiteLLM Supply Chain Attack Exposes Credentials

“Anyone who has installed and run the project should assume any credentials available to [the] LiteLLM environment may have been exposed, and revoke/rotate them accordingly,” stated a representative from the Python Packaging Authority (PyPA). This stark warning comes in the wake of a significant supply chain attack that compromised versions 1.82.7 and 1.82.8 of the LiteLLM software.

The attack, attributed to the threat actor group TeamPCP, involved the injection of credential-stealing code into LiteLLM through Trivy in the CI/CD pipeline. The malicious code was embedded in the file litellm_init.pth, which was published on the Python Package Index (PyPI) at approximately 8:30 UTC on March 24, 2026.

Just under three hours later, at 11:25 UTC, PyPI quarantined the compromised packages after being alerted to the breach. This incident is part of a broader campaign that began in late February 2026, targeting security tools and open source infrastructure.

According to reports, the payload is designed to harvest sensitive data, including environment variables, SSH keys, and cloud credentials. The exfiltrated data is sent to domains controlled by the attackers, raising serious concerns about the security of cloud environments, an estimated 36% of which use LiteLLM.

“These companies were built to protect your supply chains yet they can’t even protect their own; the state of modern security research is a joke,” remarked a spokesperson from TeamPCP, indicating the group’s confidence in their ongoing operations. They further claimed, “as a result, we’re gonna be around for a long time stealing terabytes of trade secrets with our new partners.”

Gal Nagli, a cybersecurity expert, echoed these sentiments, stating, “The open source supply chain is collapsing in on itself.” This sentiment reflects a growing concern within the tech community about the vulnerabilities inherent in open source software.

In light of these developments, users of LiteLLM are strongly advised to audit their environments for the compromised versions and to revoke any exposed credentials. The Python Packaging Authority has issued a security advisory regarding the compromise, urging immediate action.
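One way to carry out that audit in practice, as an added example that is not code from LiteLLM, PyPA or PyPI: the script below flags pinned versions 1.82.7 and 1.82.8 in `pip freeze` or `requirements.txt` output and reviews the `.pth` files in site-packages, since `litellm_init.pth` is the file named in the report. The version numbers and file name come from the article; the function names and the constructed sample inputs in the test are assumptions.

```python
"""Audit helper for the LiteLLM compromise described above (added example,
not code from LiteLLM, PyPA or PyPI)."""
import re
import sysconfig
from pathlib import Path

COMPROMISED_VERSIONS = {"1.82.7", "1.82.8"}   # versions named in the advisory
MALICIOUS_PTH_NAME = "litellm_init.pth"       # file name named in the report


def compromised_pins(requirements_text: str) -> list[str]:
    """Return pinned litellm versions (pip freeze / requirements.txt) in the compromised set."""
    hits = []
    for line in requirements_text.splitlines():
        m = re.match(r"^\s*litellm\s*==\s*([0-9][\w.\-]*)", line, re.IGNORECASE)
        if m and m.group(1) in COMPROMISED_VERSIONS:
            hits.append(m.group(1))
    return hits


def classify_pth(name: str, text: str) -> list[str]:
    """Reasons a .pth file deserves review. site.py executes any .pth line that starts
    with 'import' at interpreter start-up, which is how a hook can run before your own
    code. Legitimate packages (e.g. setuptools' distutils-precedence.pth) use the same
    mechanism, so an 'import' hit is a review item, not proof of compromise."""
    reasons = []
    if name == MALICIOUS_PTH_NAME:
        reasons.append("file name matches the advisory")
    if any(line.startswith(("import ", "import\t")) for line in text.splitlines()):
        reasons.append("contains an executable 'import' line")
    return reasons


def scan_site_packages(site_packages=None) -> dict[str, list[str]]:
    """Walk the .pth files in a site-packages directory (default: this interpreter's)."""
    root = Path(site_packages or sysconfig.get_paths()["purelib"])
    findings = {}
    for pth in root.glob("*.pth"):
        try:
            reasons = classify_pth(pth.name, pth.read_text(errors="replace"))
        except OSError:
            continue
        if reasons:
            findings[str(pth)] = reasons
    return findings


if __name__ == "__main__":
    import subprocess, sys
    frozen = subprocess.run([sys.executable, "-m", "pip", "freeze"],
                            capture_output=True, text=True).stdout
    print("compromised litellm pins:", compromised_pins(frozen))
    for path, reasons in scan_site_packages().items():
        print(path, "->", "; ".join(reasons))
```

Run it once per virtual environment and container image, since each has its own site-packages; any hit on the version set is grounds for rotating every credential that environment could reach.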

As the situation unfolds, Endor Labs warns that “This campaign is almost certainly not over,” suggesting that further attacks may be imminent. The implications of this breach extend beyond LiteLLM, highlighting vulnerabilities across various ecosystems, including GitHub Actions and Docker Hub, which have also been targeted by TeamPCP.
