LiteLLM Supply Chain Attack

Attack Overview

On March 24, 2026, a critical supply chain attack was discovered affecting the LiteLLM PyPI package. Versions 1.82.7 and 1.82.8 both contained a malicious payload injected into litellm/proxy/proxy_server.py, which executes when the proxy module is imported. Additionally, version 1.82.8 included a path configuration file named litellm_init.pth at the package root, which is executed automatically whenever any Python interpreter starts on a system where the package is installed, requiring no explicit import to trigger it.

The payload, hidden behind double base64 encoding, harvests sensitive data from the host, including environment variables, SSH keys, AWS/GCP/Azure credentials, Kubernetes secrets, crypto wallets, CI/CD configs, and shell history. Collected data is encrypted with a randomly generated AES-256 session key, itself wrapped with a hardcoded RSA-4096 public key, and exfiltrated to models.litellm[.]cloud, a domain registered just one day prior on March 23, controlled by the attacker and designed to mimic the legitimate litellm.ai. It also installs a persistent backdoor (sysmon.py) as a systemd user service that polls checkmarx[.]zone/raw for a second-stage binary. In Kubernetes environments, the payload attempts to enumerate all cluster nodes and deploy privileged pods to install sysmon.py on every node in the cluster.

This attack has been linked to TeamPCP, the group behind the Checkmarx KICS and Aqua Trivy GitHub Action compromises in the days prior, based on shared C2 infrastructure, encryption keys, and tooling. It is suspected that LiteLLM was compromised through their Trivy security scanning dependency, which led to the hijacking of one of the maintainer's PyPI account.

Affected Versions and Files

Estimated Exposure

According to the PyPI public BigQuery dataset (bigquery-public-data.pypi.file_downloads), version 1.82.8 was downloaded approximately 102,293 times, while version 1.82.7 was downloaded approximately 16,846 times during the period in which the malicious packages were available.

What does this mean for you?

If your organization installed either affected version in any environment, assume any credentials accessible on those systems were exfiltrated and rotate them immediately. In Kubernetes environments, the attacker may have deployed persistence across cluster nodes.

‍

To determine if you may have been compromised:

• Check for the presence of litellm_init.pth in your site-packages/ directory.
• Check for the following artifacts:
  
  • ~/.config/sysmon/sysmon.py
  • ~/.config/systemd/user/sysmon.service
  • /tmp/pglog
  • /tmp/.pg_state
• Check for outbound HTTPS to models[.]litellm[.]cloud and checkmarx[.]zone

‍

If the version of LiteLLM belongs to one of the compromised releases (1.82.7 or 1.82.8), or if you think you may have been compromised, consider taking the following actions:

• Isolate affected hosts where practical; preserve disk artifacts if your process allows.
• Rebuild environments from known-good versions.
• Block outbound HTTPS to models[.]litellm[.]cloud and checkmarx[.]zone (and monitor for new resolutions).
• Rotate all credentials stored in environment variables or config files on any affected system, including cloud provider keys, SSH keys, database passwords, API tokens, and Kubernetes secrets.
• In Kubernetes environments, check for unexpected pods named node-setup-* in the kube-system namespace.
• Review cloud provider audit logs for unauthorized access using potentially leaked credentials.
• Check for signs of further compromise.

IOCs