A new supply chain attack has targeted the widely used Python library LiteLLM, which sees over 95 million downloads per month on PyPI.
Attackers managed to inject credential-stealing malware into distributed packages, turning a core infrastructure component into a high-risk entry point.
What happened
LiteLLM is an open-source library designed to unify access to multiple large language model (LLM) providers through a single API. Its deep integration into AI workflows makes it a highly attractive target: it often runs in environments that store sensitive data such as API keys, cloud credentials, and configuration secrets.
The attack has been attributed to the threat actor TeamPCP, already linked to recent compromises involving the Trivy scanner.
According to Endor Labs, two malicious versions — 1.82.7 and 1.82.8 — were published on PyPI containing injected code that did not exist in the project’s official GitHub repository. These compromised packages were available for a limited time before being removed.
The last confirmed clean version is 1.82.6.
How the attack worked
The compromise was subtle and targeted.
Only 12 lines of obfuscated code were inserted into a single file: litellm/proxy/proxy_server.py
This injection occurred during or after the wheel build process, making it difficult to detect through standard code review practices.
What to do now
If your systems rely on LiteLLM, immediate action is required:
Check installed versions: identify any use of versions 1.82.7 or 1.82.8
Remove compromised packages immediately
Scan for indicators of compromise (IoC), including:
  Presence of the file litellm_init.pth
  Suspicious Sysmon logs
  Unusual Kubernetes pods (e.g. node-setup-*)
Assume full compromise if affected
Rotate all credentials and secrets without delay
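One way to run the version check and the litellm_init.pth check without importing the package, as an added example (not code from the article or the LiteLLM project): it reads each dist-info METADATA file and looks for the IoC file by name. Assumptions: the IoC file sits at the top of site-packages, and the names scan, installed_version and constructed_demo are hypothetical. Because Python processes .pth files at interpreter startup, run it with an interpreter outside the environment being inspected and pass that environment's site-packages path.

```python
"""Filesystem-only check for the LiteLLM IoCs named in the article."""
import sys
import tempfile
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}    # malicious releases per the article
IOC_FILE = "litellm_init.pth"          # IoC name per the article; location assumed

def installed_version(dist_info: Path):
    """Read Version from a wheel's METADATA without importing the package."""
    meta = dist_info / "METADATA"
    if not meta.is_file():
        return None
    for line in meta.read_text(encoding="utf-8", errors="replace").splitlines():
        if not line.strip():
            break                      # blank line ends the header section
        if line.lower().startswith("version:"):
            return line.split(":", 1)[1].strip()
    return None

def scan(site_packages: Path):
    """Return (kind, path, detail) findings for one site-packages directory."""
    findings = []
    for dist in sorted(site_packages.glob("litellm-*.dist-info")):
        version = installed_version(dist)
        if version in BAD_VERSIONS:
            findings.append(("bad-version", str(dist), version))
    pth = site_packages / IOC_FILE
    if pth.exists():
        findings.append(("ioc-file", str(pth), IOC_FILE))
    return findings

def constructed_demo():
    """Build a constructed site-packages tree and scan it (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, ver in (("litellm", "1.82.8"), ("requests", "2.32.0")):
            d = root / f"{name}-{ver}.dist-info"
            d.mkdir()
            (d / "METADATA").write_text(f"Name: {name}\nVersion: {ver}\n\n")
        (root / IOC_FILE).write_text("# constructed placeholder\n")
        return [(kind, detail) for kind, _, detail in scan(root)]

if __name__ == "__main__":
    # Pass site-packages directories as arguments; with none, run the demo.
    targets = [Path(p) for p in sys.argv[1:]]
    results = [f for t in targets for f in scan(t)] if targets else constructed_demo()
    for finding in results:
        print(finding)
    sys.exit(1 if results else 0)
```

A non-zero exit status means at least one finding, which makes the script usable as a gate in a fleet-wide sweep.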
Why this matters
This incident highlights a structural weakness in modern AI and software ecosystems: the growing dependency on third-party libraries with deep access to sensitive environments.
Supply chain attacks are no longer edge cases — they are becoming a primary attack vector.
And when the compromised component sits at the center of your AI stack, the blast radius is immediate and systemic.