LiteLLM Supply‑Chain Attack Exposes API Keys – What the Malicious PyPI Packages Do

On March 24 a rogue version of the popular LiteLLM Python package appeared on PyPI (versions 1.82.7 and 1.82.8). The attacker bypassed the normal GitHub release flow and uploaded a package containing litellm_init.pth, which is automatically executed whenever any Python interpreter starts.

What the malicious code does

Collection phase: The code walks the filesystem searching for sensitive files such as SSH private keys, .env files, AWS/GCP/Azure credentials, Kubernetes kubeconfig, database passwords, .gitconfig, shell history, cryptocurrency wallets, and any other credential‑related artifacts. It also captures environment variables and cloud metadata endpoint information.

Exfiltration phase: Collected data is encrypted with AES‑256‑CBC + RSA‑4096 and sent to https://models.litellm.cloud/, a domain unrelated to the legitimate LiteLLM infrastructure.

Lateral‑movement phase: If a Kubernetes service‑account token is found, the malware scans all namespaces for secrets, then launches an alpine:latest pod on each node that mounts the host filesystem and writes a persistent backdoor. On the infected host it also drops the same payload to ~/.config/sysmon/sysmon.py.

A notable detail is that the .pth file is executed on every interpreter launch; the malicious code uses subprocess.Popen to spawn a child process that re‑executes the same .pth, creating a fork‑bomb that can crash the machine.

How to check if you are affected

# Check all Python environments
pip show litellm
pip3 show litellm

# uv users
find ~/.cache/uv -name "litellm_init.pth"

If the installed version is 1.82.7 or 1.82.8, you are likely compromised.

Remediation steps

Uninstall and clear caches

pip uninstall litellm && pip cache purge
# uv users
rm -rf ~/.cache/uv

Delete backdoor files

rm -rf ~/.config/sysmon/ ~/.config/systemd/user/sysmon.service

Rotate all credentials Assume that SSH keys, cloud provider credentials, Kubernetes kubeconfig, API keys in .env , and database passwords have been leaked; reset them all.

Cluster‑specific actions Audit secret‑access logs for every namespace, clean up any node-setup-* pods, and verify that the kube-system namespace contains no unauthorized containers.

Aftermath

The polluted versions have been removed from PyPI.

The LiteLLM maintainer’s GitHub account appears compromised; an open issue was closed while hundreds of bots flooded the discussion.

FutureSearch reported the issue to PyPI; its users were not affected.

Why this incident is severe

LiteLLM is a high‑profile AI project (over 40 k stars) that centralizes calls to many LLM APIs, effectively handling all API keys for downstream applications. A supply‑chain compromise of such a tool gives an attacker the ability to harvest credentials for multiple cloud providers in a single breach.

Developers increasingly rely on one‑click pip install of AI tooling without auditing dependency updates, highlighting the need for stricter supply‑chain security practices.