Litellm Supply‑Chain Poisoning: Why You Must Stop Updating the Library Immediately
A malicious PyPI release of litellm (version 1.82.8) injects a .pth file that auto‑executes, harvests SSH keys, cloud credentials, and other secrets, encrypts them, exfiltrates to a fake domain, and can spread through Kubernetes, prompting urgent removal and credential rotation.
Litellm is a popular open‑source Python library that provides a unified, OpenAI‑compatible interface for calling over 100 large language models. Because of its convenience, many AI tools and frameworks silently depend on it.
Poisoned Release
On 2026‑03‑24 a version labeled 1.82.8 was pushed to PyPI without any corresponding GitHub release or tag. The attacker bypassed the normal publishing workflow and uploaded a malicious package directly.
Malicious .pth Mechanism
The package contains a litellm_init.pth file (~34 KB). Python's site.py processes every .pth file in a site-packages directory at interpreter startup, and any line in such a file that begins with `import` is executed. The payload therefore runs in every Python process that uses the affected environment, before and regardless of whether the program ever runs import litellm, which makes it extremely stealthy.
Technical Deep‑Dive
The attack proceeds in three stages:
Stage 1 – Information Harvesting: The script scans the host for valuable secrets, including SSH private keys (~/.ssh/id_rsa, ~/.ssh/config), environment variables (API keys via printenv), cloud provider credentials and ~/.kube/config, shell history files (.bash_history, .zsh_history), database connection configs, encrypted wallet files, and TLS private keys.
Stage 2 – Packaging & Exfiltration: Collected data is encrypted with a randomly generated 32‑byte AES‑256 key. The AES key itself is encrypted using a hard‑coded 4096‑bit RSA public key (OAEP padding). The encrypted payload is bundled into tpcp.tar.gz and uploaded to a deceptive domain, https://models.litellm.cloud/, which appears to be an official endpoint.
Stage 3 – Lateral Spread: If the victim runs inside Kubernetes, the script enumerates all cluster secrets and attempts to launch privileged Alpine containers on every node, dropping a persistent backdoor (~/.config/sysmon/sysmon.py) and a systemd service.
Real‑World Impact
In a test case, a developer using an outdated local Cursor MCP service triggered the malicious .pth. Because the payload spawns a Python subprocess, and that subprocess loads the same .pth on startup, the spawning repeats without end (effectively a fork bomb), exhausting memory and crashing the machine.
Reflection & Mitigation
The attack was quickly discovered because the malicious code was poorly written. Recommendations include:
Immediately uninstall the affected version and clear pip / uv caches.
Rotate all credentials—SSH keys, cloud provider tokens, API keys, and any other secrets that may have been exposed.
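Because the .pth hook fires in every interpreter that uses the environment, a quick triage step before the uninstall is to list which .pth files in your site directories carry executable lines at all. The following audit script is an added example, not code from the write-up or from the litellm project; it applies the same `import`-prefix test that site.py uses, flags the litellm_init.pth name reported above, and includes a constructed sample directory with harmless contents so it can be exercised offline.

```python
"""Audit .pth files for executable lines: an added defensive check, not code
from the write-up.  site.py reads every *.pth in a site directory at
interpreter start-up; a line starting with "import " is exec()'d, any other
line is added to sys.path.  That is the hook litellm_init.pth abused."""
import site
import tempfile
from pathlib import Path

KNOWN_BAD_NAMES = {"litellm_init.pth"}  # file name reported for release 1.82.8


def executable_lines(pth_path):
    """(line_no, text) pairs that site.py would exec() for this .pth file."""
    hits = []
    for n, raw in enumerate(pth_path.read_text(errors="replace").splitlines(), 1):
        line = raw.strip()
        if line.startswith(("import ", "import\t")):  # same test site.py applies
            hits.append((n, line))
    return hits


def audit_pth_dirs(dirs):
    """One finding per .pth that carries code or matches a known bad name."""
    findings = []
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            lines = executable_lines(pth)
            if lines or pth.name in KNOWN_BAD_NAMES:
                findings.append({"path": str(pth), "size": pth.stat().st_size,
                                 "exec_lines": lines,
                                 "known_bad_name": pth.name in KNOWN_BAD_NAMES})
    return findings


def demo_audit():
    """Run the audit over a constructed site dir (sample data, harmless contents)."""
    d = Path(tempfile.mkdtemp())
    (d / "easy-install.pth").write_text("/opt/lib/example\n")            # path only
    (d / "distutils-precedence.pth").write_text("import os; _x = 1\n")  # benign exec
    (d / "litellm_init.pth").write_text("import os; _y = 2\n")          # stand-in
    return audit_pth_dirs([d])


if __name__ == "__main__":
    # Scan the running interpreter's own site-packages and user site directory.
    targets = site.getsitepackages() + [site.getusersitepackages()]
    for f in audit_pth_dirs(targets):
        tag = "KNOWN-BAD" if f["known_bad_name"] else "exec"
        print(f"[{tag}] {f['path']} ({f['size']} bytes)")
        for n, text in f["exec_lines"]:
            print(f"    line {n}: {text[:120]}")
```

Some legitimate tooling (setuptools' distutils-precedence.pth, virtualenv's _virtualenv.pth) also uses import lines, so treat the output as a short list to review by hand rather than as a verdict; a 34 KB file with executable lines, or the known bad name, is what stands out.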
This incident underscores the danger of deep dependency trees in modern software and the need for strict supply‑chain security practices when using AI‑related libraries.
Old Zhang's AI Learning
AI practitioner specializing in large-model evaluation and on-premise deployment, agents, AI programming, Vibe Coding, general AI, and broader tech trends, with daily original technical articles.