Attackers published malicious LiteLLM Python packages to PyPI on March 24, 2026. PyPI removed them after they were found to steal login secrets.
In short: Attackers briefly replaced LiteLLM’s official Python downloads with malware on March 24, 2026, and PyPI later removed the bad versions.
LiteLLM, a widely used tool for routing requests to large language models (think of it like a switchboard for AI services), was hit by a supply chain compromise on March 24, 2026. Attackers published two malicious versions on PyPI, which is the main public download site for Python packages (like an app store for Python developers). The malicious versions were 1.82.7 and 1.82.8, and they were linked to a campaign known as TeamPCP.
The malware was designed to steal credentials, which are the “keys” that let software log into other services. Reports say it collected things like cloud account secrets (AWS, Google Cloud, and Azure), SSH keys (a common way to log into servers), database passwords, and CI/CD secrets (passwords used by the automated build and deployment systems that development teams run). It then encrypted the stolen information and sent it out to attacker-controlled web addresses.
Researchers also reported that the malware tried to stay on a computer even if the package was later updated or rolled back, by using a Python startup file that can run each time Python starts.
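A defender-side check for the two points above, added here as an example and not taken from the report or from LiteLLM: it flags the two versions named in this article and lists the startup files that Python's `site` module runs code from. That the malware's startup file is one of these (`.pth`, `sitecustomize.py`, `usercustomize.py`) is an assumption, since the report does not name the file.

```python
import site
import sysconfig
from importlib import metadata
from pathlib import Path

# Malicious versions named in the article above.
BAD_VERSIONS = {"1.82.7", "1.82.8"}


def installed_bad_version():
    """Return the installed litellm version if it is one of the bad ones."""
    try:
        version = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None
    return version if version in BAD_VERSIONS else None


def startup_hooks(directory):
    """List files in `directory` that Python runs code from at startup.

    The site module executes any .pth line that begins with "import"
    followed by a space or tab, and it imports sitecustomize and
    usercustomize automatically when they exist.
    """
    found = []
    for path in sorted(Path(directory).glob("*.pth")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for number, line in enumerate(text.splitlines(), 1):
            if line.startswith(("import ", "import\t")):
                found.append((path.name, number, line[:120]))
    for name in ("sitecustomize.py", "usercustomize.py"):
        if (Path(directory) / name).is_file():
            found.append((name, 0, "imported automatically at startup"))
    return found


def site_dirs():
    """Directories this interpreter scans for startup files."""
    paths = sysconfig.get_paths()
    dirs = {paths["purelib"], paths["platlib"], site.getusersitepackages()}
    return sorted(d for d in dirs if Path(d).is_dir())


if __name__ == "__main__":
    print("bad litellm version installed:", installed_bad_version())
    for d in site_dirs():
        for name, number, detail in startup_hooks(d):
            print(f"{d}/{name}:{number}: {detail}")
```

Legitimate tools (editable installs, for example) also ship `.pth` files with import lines, so treat the output as a list to review rather than a verdict.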
LiteLLM said its official Docker image for LiteLLM Proxy was not affected, because it does not pull unknown new versions from PyPI during installs.
One note on the background context: the source mentions LiteLLM had security compliance certifications via Delve, but other available reporting about this incident does not confirm those certifications.
Even if you do not write code, this is a reminder that popular software can be tampered with upstream. When that happens, stolen login secrets can lead to account takeovers, data theft, and surprise cloud bills for the organizations that were exposed.
Source: TechCrunch AI