How a Malicious litellm Update Turned Python AI Tools into a Supply‑Chain Bomb
On March 24, former OpenAI researcher Andrej Karpathy warned that a textbook‑level supply‑chain attack compromised the popular Python library litellm via a malicious .pth file, allowing automatic execution of code that harvests SSH keys, cloud credentials, and other secrets, with the breach traced back to a hijacked Trivy CI/CD pipeline.
Background and Warning
On March 24, 2024, former OpenAI scientist Andrej Karpathy posted a stark warning about a textbook‑level software supply‑chain attack targeting the Python library litellm. The library is widely used to unify calls to large‑model APIs and has over 40 000 GitHub stars with roughly 95 million monthly downloads.
Attack Mechanics
The attacker published malicious versions 1.82.7 and 1.82.8 of litellm on PyPI at 10:52 UTC. These releases contained a file named litellm_init.pth. At interpreter startup, Python's site module processes every .pth file found in site-packages and executes any line that begins with import, so the malicious code runs whenever a Python process starts, even if the user only imports unrelated packages, as long as the infected version is installed.
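To make the .pth mechanism concrete from the defender's side, here is an added audit script (not code from the page, from litellm, or from the attacker). It classifies each .pth line the way site.py does (path entry, comment, or an executable import line) and flags executable lines that carry tokens associated with decoding or running arbitrary code. The sample .pth files it writes to a temporary directory are constructed for the demonstration, and the token list is an assumed heuristic, not a signature for the real payload.

```python
import site
import tempfile
from pathlib import Path

# Tokens that, inside a .pth "import" line, suggest more than a plain module import.
# Assumed heuristic for this example; tune it for your environment.
SUSPICIOUS_TOKENS = ("exec(", "eval(", "compile(", "base64", "__import__",
                     "subprocess", "os.system", "urllib", "socket")


def classify_pth_line(line: str) -> str:
    """Classify one .pth line the way site.addpackage() treats it.

    Blank lines and '#' comments are skipped, lines starting with 'import '
    or 'import\\t' are exec'ed by the interpreter, every other line is
    appended to sys.path as a directory entry.
    """
    text = line.rstrip("\n")
    if not text.strip() or text.startswith("#"):
        return "ignored"
    if text.startswith(("import ", "import\t")):
        if any(tok in text for tok in SUSPICIOUS_TOKENS):
            return "executable-suspicious"
        return "executable"
    return "path"


def audit_pth_files(directories):
    """Return (file name, line number, classification, text) for every executable line."""
    findings = []
    for d in directories:
        d = Path(d)
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            lines = pth.read_text(errors="replace").splitlines()
            for n, line in enumerate(lines, 1):
                kind = classify_pth_line(line)
                if kind.startswith("executable"):
                    findings.append((pth.name, n, kind, line.strip()))
    return findings


def demo() -> list:
    """Build a constructed site-packages directory and audit it (nothing is executed)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Path-only entry: site.py adds it to sys.path, never executes it.
        (d / "easy-install.pth").write_text("./mypkg-1.0.egg\n")
        # Benign executable line of the kind setuptools ships.
        (d / "distutils-precedence.pth").write_text(
            "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; "
            "enabled = os.environ.get(var, 'local') == 'local'\n")
        # Constructed stand-in for a hostile hook: decodes a blob and exec()s it.
        # The blob is just b'pass'; this file is only read, never processed by site.py.
        (d / "example_init.pth").write_text(
            "import base64; exec(base64.b64decode(b'cGFzcw=='))\n")
        return audit_pth_files([d])


if __name__ == "__main__":
    # Audit the interpreter's real site-packages and user site directories.
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for finding in audit_pth_files(dirs):
        print(*finding, sep="\t")
```

Running the script prints every line that the interpreter will execute at startup; on a clean machine the list is short and consists of entries from well-known packages such as setuptools, so an unfamiliar file name or a line that decodes data deserves immediate attention.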
Data Harvested
The payload silently collected a wide range of sensitive assets:
SSH private keys
Cloud service credentials for AWS, GCP, Azure
Kubernetes service‑account tokens
.env files containing environment variables
Database configuration files
Cryptocurrency wallet files
Collected data were encrypted, exfiltrated to the attacker’s server, and, if a Kubernetes environment was detected, the code deployed privileged pods for lateral movement.
Discovery and Bug
The infection was uncovered when Callum McMahon of FutureSearch triggered the malicious .pth via the Cursor editor’s MCP plugin, which indirectly depends on litellm. A coding mistake caused the malicious code to spawn a fork bomb, crashing the host and exposing the attack.
Supply‑Chain Compromise Path
The attacker obtained litellm's PyPI publishing token by first compromising the CI/CD security scanner Trivy. On March 19, the same threat group (TeamPCP) breached Trivy, stole the token, and used it to push the poisoned litellm releases.
Timeline of the Incident
March 19 – TeamPCP compromises Trivy.
March 23 – TeamPCP compromises Checkmarx KICS.
March 24 – Poisoned litellm versions 1.82.7/1.82.8 are published.
Community Response
When the issue was reported on GitHub, the attackers responded by spamming the issue with 88 comments from 73 stolen accounts within 102 seconds and eventually closed the issue using compromised maintainer privileges. The security community had to relocate the discussion to Hacker News and other platforms to continue the investigation.
Mitigation Guidance
Developers using Python or AI toolchains should immediately perform the following steps:
Run pip show litellm to check the installed version.
If the version is 1.82.7 or 1.82.8, consider the environment compromised; version 1.82.6 is the last known clean release.
Assume all credentials (cloud, database, SSH, K8s, etc.) have been exfiltrated and rotate them without delay.
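The three steps above, together with the asset list under "Data Harvested", can be turned into a small triage script. The following is an added example, not code from the page or from litellm: it parses the output of pip show litellm, classifies the installed version against the versions named above (1.82.7 and 1.82.8 poisoned, 1.82.6 last known clean), and builds a checklist of credential files present on the host so nothing is forgotten during rotation. The pip show sample is constructed, and the credential paths are assumed common defaults, not a list from the page.

```python
import re
import tempfile
from pathlib import Path

# Versions named in the guidance above.
POISONED = {(1, 82, 7), (1, 82, 8)}
LAST_CLEAN = (1, 82, 6)

# Constructed sample of `pip show litellm` output (shortened; not real project metadata).
SAMPLE_PIP_SHOW = """Name: litellm
Version: 1.82.7
Location: /home/dev/.venv/lib/python3.11/site-packages
"""


def parse_pip_show(output: str) -> dict:
    """Parse the 'Key: value' lines printed by `pip show <package>`."""
    info = {}
    for line in output.splitlines():
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
        if m:
            info[m.group(1).lower()] = m.group(2).strip()
    return info


def parse_version(text: str) -> tuple:
    """Reduce a version string to (major, minor, patch); pre-release suffixes are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def assess_litellm(version: str) -> str:
    v = parse_version(version)
    if v in POISONED:
        return "compromised"
    if v <= LAST_CLEAN:
        return "clean-known"
    # Releases after 1.82.8 are not covered by the guidance above; check current advisories.
    return "newer-than-advisory"


# Default locations for the asset classes listed under "Data Harvested".
# Assumed common defaults; extend with your own secret stores.
CREDENTIAL_LOCATIONS = {
    "ssh private keys": ["~/.ssh/id_rsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ed25519"],
    "aws": ["~/.aws/credentials"],
    "gcp": ["~/.config/gcloud/application_default_credentials.json"],
    "azure": ["~/.azure/msal_token_cache.json"],
    "kubernetes": ["~/.kube/config",
                   "/var/run/secrets/kubernetes.io/serviceaccount/token"],
    "dotenv": ["./.env"],
}


def rotation_checklist(home: Path, cwd: Path, root: Path = Path("/")) -> dict:
    """Map each credential class to the files of that class present on this host."""
    found = {}
    for category, patterns in CREDENTIAL_LOCATIONS.items():
        hits = []
        for p in patterns:
            if p.startswith("~/"):
                path = home / p[2:]
            elif p.startswith("./"):
                path = cwd / p[2:]
            else:
                path = root / p.lstrip("/")
            if path.is_file():
                hits.append(str(path))
        if hits:
            found[category] = hits
    return found


def demo_checklist() -> dict:
    """Constructed host layout with an SSH key and an AWS credentials file only."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        home = base / "home"
        (home / ".ssh").mkdir(parents=True)
        (home / ".ssh" / "id_ed25519").write_text("constructed placeholder, not a key\n")
        (home / ".aws").mkdir()
        (home / ".aws" / "credentials").write_text("[default]\n")
        return rotation_checklist(home, base / "project", root=base)


if __name__ == "__main__":
    info = parse_pip_show(SAMPLE_PIP_SHOW)
    print(info["name"], info["version"], assess_litellm(info["version"]))
    for category, files in rotation_checklist(Path.home(), Path.cwd()).items():
        print(f"rotate {category}: {', '.join(files)}")
```

On a real machine, pipe the actual pip show litellm output into parse_pip_show and run rotation_checklist against the home and project directories of every user and virtual environment that had the package installed; a "compromised" verdict means every item the checklist prints (and any secret reachable from that host) is rotated, not merely the ones you can prove were read.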
This incident underscores the fragility of modern software supply chains and the need for rigorous verification of third‑party dependencies, especially in AI development environments.
