
The Python package that quietly powers AI infrastructure for thousands of organizations — routing API calls across OpenAI, Anthropic, Bedrock, and 100 more providers — shipped two backdoored versions on March 24, 2026, exposing every secret on any machine that installed them.
LiteLLM versions 1.82.7 and 1.82.8 were published to PyPI, carrying a sophisticated three-stage payload: a credential harvester, a Kubernetes lateral movement toolkit that spread to every node in a cluster, and a persistent backdoor disguised as a "System Telemetry Service." Both versions have since been pulled from PyPI. Version 1.82.6 is the last confirmed clean release.
The attack is attributed to TeamPCP, the same threat actor that compromised Aqua Security's Trivy vulnerability scanner and Checkmarx's KICS infrastructure analyzer earlier this month. Security firm Endor Labs, which identified the malicious versions, assessed with high confidence that LiteLLM's use of the already-compromised Trivy in its CI/CD pipeline handed TeamPCP the publishing credentials needed to push the backdoored packages.
Version 1.82.7 hid the payload within proxy_server.py, executing silently when the module was imported. Version 1.82.8 escalated further: a malicious .pth file (a Python path configuration file that the interpreter processes automatically at startup) meant the malware fired on every Python invocation in the environment — no import needed, no user interaction required.
The harvested data was sweeping: SSH keys, AWS and GCP credentials, Kubernetes secrets, cryptocurrency wallets, .env files, CI/CD tokens, TLS private keys, and shell histories. Everything was encrypted with AES-256-CBC and RSA-4096 before being exfiltrated to models.litellm.cloud — a domain deliberately crafted to impersonate the legitimate service.
Cruelly, LiteLLM is itself an API key management gateway. The attacker targeted the one package guaranteed to hold the keys to everything else.
"The open source supply chain is collapsing in on itself," said Gal Nagli of Google-owned Wiz. "We are stuck in a loop."
If you installed litellm 1.82.7 or 1.82.8, rotate all credentials immediately — cloud keys, SSH keys, Kubernetes secrets, and database passwords. Run pip show litellm | grep Version to check, and search for litellm_init.pth in your site-packages. Downgrade to 1.82.6 and audit any CI/CD pipeline that ran in the last 48 hours.
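The two checks above can be run over a site-packages directory without starting the affected interpreter. The script below is an added example, not code from LiteLLM, Endor Labs or the original article. It assumes a standard wheel install layout (a litellm-<version>.dist-info directory), and it also flags any other .pth file containing lines that Python's site module executes at startup.

```python
import sys
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # backdoored releases named in the article
IOC_PTH = "litellm_init.pth"         # file name named in the article


def litellm_versions(site_dir):
    """Versions taken from litellm-<version>.dist-info directory names."""
    prefix, suffix = "litellm-", ".dist-info"
    return sorted(p.name[len(prefix):-len(suffix)]
                  for p in Path(site_dir).glob(prefix + "*" + suffix))


def executable_lines(pth_file):
    """Lines site.py would exec at interpreter startup ('import' + space/tab)."""
    text = Path(pth_file).read_text(errors="replace")
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def scan(site_dirs):
    """Return sorted (reason, path) findings for the given site-packages dirs."""
    findings = []
    for d in map(Path, site_dirs):
        for version in litellm_versions(d):
            if version in BAD_VERSIONS:
                findings.append((f"backdoored litellm {version}", str(d)))
        for pth in d.glob("*.pth"):
            if pth.name == IOC_PTH:
                findings.append(("known malicious .pth name", str(pth)))
            elif executable_lines(pth):
                # Some legitimate packages ship these too: review, don't assume.
                findings.append(("review: .pth executes code", str(pth)))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan_pth.py /path/to/env/lib/python3.x/site-packages ...
    hits = scan(sys.argv[1:])
    for reason, path in hits:
        print(f"{reason}: {path}")
    sys.exit(1 if hits else 0)
```

Run it with an interpreter from outside the suspect environment and pass that environment's site-packages path as an argument, since any Python started inside an environment with 1.82.8 processes the .pth file before the script's first line.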
TeamPCP has now hit five ecosystems in under a month. They're not done.