“Anyone who has installed and run the project should assume any credentials available to [the] LiteLLM environment may have been exposed, and revoke/rotate them accordingly,” stated the Python Packaging Authority (PyPA) in light of a serious supply chain attack that has compromised the popular LiteLLM software.
The attack, which began in late February 2026, saw malicious versions 1.82.7 and 1.82.8 of LiteLLM published on the Python Package Index (PyPI) at approximately 8:30 UTC on March 24, 2026. Just under three hours later, at 11:25 UTC, PyPI quarantined the compromised packages.
Investigations revealed that the attack injected credential-stealing code into LiteLLM via Trivy in the CI/CD pipeline. The malicious code was embedded in the file litellm_init.pth, targeting sensitive information such as environment variables, SSH keys, and cloud credentials.
TeamPCP, the threat actor behind the attack, has a history of compromising various ecosystems, including GitHub Actions and Docker Hub. Their audacious claim, “These companies were built to protect your supply chains yet they can’t even protect their own…”, highlights the vulnerabilities present in modern security infrastructures.
Gal Nagli, a prominent figure in the cybersecurity community, remarked, “The open source supply chain is collapsing in on itself,” reflecting widespread concern over the integrity of open-source projects.
As of now, users are strongly advised to audit their environments for the compromised LiteLLM versions and to revoke any exposed credentials. This incident has underscored the importance of vigilance in software supply chains, particularly as TeamPCP’s campaign appears to be ongoing.
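
One way to carry out that audit, as an added example that is not part of the original article or of any PyPA tooling: the script below checks each directory on the interpreter's import path for an installed litellm 1.82.7 or 1.82.8 and for the litellm_init.pth file named above. The function names are hypothetical, and it assumes a pip-style install that records its metadata in a .dist-info directory.

```python
import sys
from email.parser import Parser
from pathlib import Path

# From the article: the two malicious releases and the file carrying the payload.
BAD_VERSIONS = {"1.82.7", "1.82.8"}
PTH_NAME = "litellm_init.pth"


def audit_dir(site_dir):
    """Return (kind, path, detail) findings for one import-path directory."""
    root = Path(site_dir)
    findings = []
    if not root.is_dir():
        return findings
    # pip-style installs record name and version in <dist>.dist-info/METADATA.
    for meta in sorted(root.glob("*.dist-info/METADATA")):
        text = meta.read_text(encoding="utf-8", errors="replace")
        headers = Parser().parsestr(text, headersonly=True)
        name = (headers.get("Name") or "").strip().lower()
        version = (headers.get("Version") or "").strip()
        if name == "litellm" and version in BAD_VERSIONS:
            findings.append(("bad-version", str(meta.parent), version))
    # Python's site module processes .pth files in site-packages at every
    # interpreter start, so look for the file even if the version looks clean.
    pth = root / PTH_NAME
    if pth.is_file():
        findings.append(("pth-file", str(pth), f"{pth.stat().st_size} bytes"))
    return findings


def audit_all(dirs=None):
    """Audit the given directories, or this interpreter's import path."""
    if dirs is None:
        dirs = [p for p in dict.fromkeys(sys.path) if p]
    results = []
    for d in dirs:
        results.extend(audit_dir(d))
    return results


if __name__ == "__main__":
    hits = audit_all()
    for kind, path, detail in hits:
        print(f"[!] {kind}: {path} ({detail})")
    print("no indicators found" if not hits else f"{len(hits)} indicator(s) found")
    sys.exit(1 if hits else 0)
```

Run it with each Python interpreter and virtual environment in use, since each has its own import path. A clean result on a host where either version was previously installed and run does not change the PyPA advice to rotate credentials.
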
With 36% of cloud environments utilizing LiteLLM, the impact of this breach could be far-reaching. The Python Packaging Authority has also issued a security advisory regarding the compromise, urging developers to take immediate action.
As the community grapples with the fallout, experts from Endor Labs have warned, “This campaign is almost certainly not over,” suggesting that further attacks may be imminent.
In the wake of this incident, the open-source community is left to ponder how to bolster defenses against such threats and restore trust in collaborative software development.