“Anyone who has installed and run the project should assume any credentials available to [the] LiteLLM environment may have been exposed, and revoke/rotate them accordingly,” stated the Python Packaging Authority (PyPA) in a recent advisory. This urgent warning comes in the wake of a serious supply chain attack that has compromised versions 1.82.7 and 1.82.8 of the LiteLLM software.
The attack, which began in late February 2026, involved the injection of credential-stealing code into LiteLLM through Trivy in the CI/CD pipeline. The malicious code was embedded in the file litellm_init.pth, and the compromised versions were published on March 24, 2026, at approximately 8:30 UTC.
Shortly after the malicious packages were published, PyPI took swift action, quarantining them at 11:25 UTC the same day. However, the damage may have already been done, as the payload targets sensitive data such as environment variables, SSH keys, and cloud credentials, which are then exfiltrated to domains controlled by the attackers.
TeamPCP, the group behind this attack, has a history of compromising various ecosystems, including GitHub Actions and Docker Hub. Their brazen statement, “These companies were built to protect your supply chains yet they can’t even protect their own, the state of modern security research is a joke,” underscores the severity of the situation.
Gal Nagli, a cybersecurity expert, remarked, “The open source supply chain is collapsing in on itself,” highlighting the vulnerabilities that have emerged within the community. As of now, approximately 36% of cloud environments are reported to be using LiteLLM, raising concerns about the widespread impact of this breach.
In light of these events, users are strongly advised to audit their environments for the compromised LiteLLM versions and to revoke any exposed credentials. The Python Packaging Authority has published a security advisory to assist users in navigating this crisis.
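
One way to run the audit advised above, as an added example that is not taken from the PyPA advisory or the LiteLLM project: it checks site-packages directories for the two affected versions and for litellm_init.pth, the only indicators this article gives. The function names `audit` and `default_site_dirs` are hypothetical.

```python
"""Audit Python site-packages for the compromised LiteLLM releases (added example)."""
import site
import sys
from importlib import metadata
from pathlib import Path

# Indicators taken from the article: affected versions and the injected file name.
BAD_VERSIONS = {"1.82.7", "1.82.8"}
BAD_PTH = "litellm_init.pth"


def default_site_dirs():
    """Site-packages directories of the interpreter running this script."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    return [d for d in dirs if Path(d).is_dir()]


def audit(site_dirs):
    """Return (directory, finding) tuples for every indicator found."""
    findings = []
    for d in map(Path, site_dirs):
        # Installed distributions are read from *.dist-info metadata on disk;
        # nothing from the audited packages is imported or executed.
        for dist in metadata.distributions(path=[str(d)]):
            name = (dist.metadata.get("Name") or "").lower()
            if name == "litellm" and dist.version in BAD_VERSIONS:
                findings.append((str(d), f"litellm=={dist.version} installed"))
        # .pth files in site-packages are processed at interpreter startup, so
        # a leftover file is a finding even if the package was since upgraded.
        if (d / BAD_PTH).is_file():
            findings.append((str(d), f"{BAD_PTH} present"))
    return findings


if __name__ == "__main__":
    results = audit(sys.argv[1:] or default_site_dirs())
    for directory, finding in results:
        print(f"[!] {directory}: {finding}")
    # Non-zero exit lets CI or fleet tooling flag the host for credential rotation.
    sys.exit(1 if results else 0)
```

Run it from an interpreter outside the environment being checked and pass that environment's site-packages paths as arguments, since starting the suspect interpreter would itself process the .pth file. A clean result does not remove the need to rotate credentials on any host where an affected version was ever installed.
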
As the situation unfolds, Endor Labs warns that “This campaign is almost certainly not over.” The ongoing threat posed by TeamPCP and similar groups calls for heightened vigilance within the open-source community.