LiteLLM Supply Chain Attack: Are Your API Keys Compromised? Full Verification Guide

On March 24, 2026, the Python community discovered that LiteLLM, one of the most widely used open-source LLM proxies, had been compromised. Versions 1.82.7 and 1.82.8 published on PyPI contained sophisticated malware capable of stealing API keys, cloud credentials, SSH keys, and even cryptocurrency wallets. The malicious packages were live for approximately three hours, with over 425,000 potential downloads.

The attack was discovered by accident: Callum McMahon, a developer at FutureSearch, noticed his machine crashing due to a fork bomb triggered by a bug in the malware itself. Investigating the crash, he identified the malicious code and alerted PyPI, which immediately quarantined the package.

For companies using LLMs through proxies like LiteLLM, this incident is a major wake-up call. Your OpenAI, Anthropic, Azure, AWS, and Google Cloud API keys may have been silently exfiltrated without any alert.

This incident is part of an alarming trend. Since 2024, supply chain attacks targeting the Python AI ecosystem have been multiplying at a concerning rate. Malicious packages mimicking PyTorch, compromised VS Code extensions, infected MCP plugins — attackers have realized that AI developers handle high-value secrets (pay-per-use API keys, cloud access, proprietary data) and that their security culture often lags behind their speed of adopting new tools.

LiteLLM is an open-source proxy developed by BerriAI (Y Combinator W23) that unifies access to 100+ language models through a single OpenAI-compatible API. It handles load balancing, caching, budgets, and logging across GPT-4, Claude, Gemini, Mistral, and other models.

With over 20,000 GitHub stars, LiteLLM is embedded as a transitive dependency in many popular AI frameworks, notably DSPy (Stanford). This means developers may have installed the infected version unknowingly, simply by updating another package.

The severity of the attack lies in the fact that LiteLLM, by design, has access to all configured LLM provider API keys. Malware in this specific package therefore has privileged access to the most sensitive assets in your AI infrastructure.

This was a supply chain attack: the attackers didn't compromise LiteLLM's source code on GitHub. Instead, they managed to publish modified versions directly to PyPI, the official Python package repository.

BerriAI's investigation with Mandiant revealed the initial vector was a compromise of Trivy, a vulnerability scanning tool. Through this compromise, the attackers obtained the credentials needed to publish on LiteLLM's PyPI account.

Two malicious versions were published:

• litellm 1.82.7: first version containing the payload in proxy_server.py

• litellm 1.82.8: second version with an additional mechanism via a .pth file (litellm_init.pth)

The .pth file is particularly insidious: it executes automatically at the startup of any Python interpreter on the system, even if LiteLLM is never imported in the code. This is one of the most dangerous mechanisms in Python's packaging system.

The .pth file mechanism deserves detailed explanation because it illustrates a little-known risk in the Python ecosystem.

When Python starts, it automatically scans all .pth files in site-packages directories. If a .pth file contains a line starting with import, Python executes it immediately. The litellm_init.pth file exploited this mechanism to trigger the malware on every Python launch, whether or not LiteLLM was used in the project.

# Simplified content of the malicious litellm_init.pth file
import litellm_init  # Executes automatically on Python startup

# The litellm_init.py module contained exfiltration code
# that collected environment variables and sensitive files

This means if you installed LiteLLM 1.82.8 in a virtual environment, the malware ran every time you launched any Python script in that environment — even a simple python --version. For developers using tools like Cursor with MCP plugins pulling LiteLLM as a transitive dependency, the infection could occur completely invisibly.

The .pth file mechanism dates back to early Python and was originally designed to simplify import path configuration. Its abuse for malicious purposes has been documented by security researchers for years, but the Python community never implemented access controls or validation on these files. The LiteLLM incident may be the catalyst that finally drives reform of this mechanism.

The attack's reach is amplified by LiteLLM being a transitive dependency of many popular AI frameworks. DSPy, Stanford's framework for programming language models, includes LiteLLM in its dependencies. This means a developer simply running pip install dspy could end up with the compromised version of LiteLLM installed automatically, without ever explicitly requesting that package.

The malware targeted a broad range of sensitive data, far beyond just LLM API keys:

The collected data was sent to an attacker-controlled server over HTTPS, making the exfiltration difficult to detect with standard firewalls. The group behind the attack, identified as TeamPCP, specializes in supply chain attacks targeting the Python ecosystem.

The breadth of targeted data reveals a high level of attacker sophistication. By simultaneously targeting LLM provider API keys and cloud credentials, the malware enabled not only fraudulent AI token consumption (potentially thousands of dollars in billing) but also pivoting into the victim's cloud infrastructure for deeper attacks.

For companies running LiteLLM in production behind a proxy, the compromise is even more severe. The LiteLLM proxy typically manages API keys for all models used across the organization. A single compromised instance therefore grants access to the company's entire key set, not just an individual developer's credentials. For a company using GPT-4, Claude, and Gemini through LiteLLM, that's potentially three different providers that need to be notified and whose keys must be regenerated.

The theft of bash and zsh history is often underestimated but represents a considerable risk. Developers and system administrators regularly execute commands containing plaintext secrets: curl requests with authentication tokens, database connections with passwords, environment variable exports. Terminal history is a gold mine for an attacker mapping a target's infrastructure.

The financial consequences of such a compromise can be substantial. An attacker with stolen OpenAI or Anthropic API keys can generate tens of thousands of dollars in consumption within hours by using those keys for token-heavy tasks. LLM providers generally offer no protection against fraudulent consumption once a key is compromised, and the financial liability falls on the account owner.

Here are the verification steps to run immediately across all your development and production environments:

# 1. Check installed LiteLLM version
pip show litellm | grep Version

# 2. Search for the malicious .pth file
find / -name "litellm_init.pth" 2>/dev/null

# 3. Search for the malicious module
find / -name "litellm_init.py" 2>/dev/null

# 4. Check pip installation logs
pip install --log /tmp/pip-log.txt litellm 2>/dev/null
grep "1.82.7\|1.82.8" /tmp/pip-log.txt

# 5. Check for suspicious network connections
grep -r "litellm" /var/log/syslog 2>/dev/null

Beyond these manual checks, it's recommended to use automated dependency analysis tools. Solutions like pip-audit, Safety, or Snyk can scan your entire environment and detect known compromised versions. For production environments, integrating these scans into your CI/CD pipeline ensures no compromised dependency will be deployed in the future.

If you use Docker, also check images built between March 24 and when PyPI quarantined the packages. A Docker image built with an unpinned pip install litellm during that window could contain the compromised version, even if your local environment is now clean.

If you find the litellm_init.pth file or have installed versions 1.82.7 or 1.82.8, consider your environment compromised and immediately proceed to the remediation plan below.

It's important to understand that even if you installed the compromised version for only a few minutes before uninstalling it, the damage may already be done. The malware executed immediately after installation, collected all accessible data, and exfiltrated it within seconds. The exposure window is measured in seconds, not days.

If your environment is confirmed compromised, time is your most critical resource. Every minute that passes with active credentials in the hands of attackers increases the potential damage exponentially. The remediation process below should be treated as an emergency response, not a scheduled maintenance task. Drop everything else and execute these steps immediately.

Before starting, document everything. Note the exact versions installed, the timestamps of installation and discovery, and which machines and environments are affected. This documentation will be essential for your post-incident review, for reporting to affected service providers, and potentially for legal and compliance purposes. If you're in a regulated industry, your incident response obligations may require formal notification to authorities within specific timeframes.

Step 1: Isolate and clean

• Immediately uninstall LiteLLM: pip uninstall litellm

• Manually delete litellm_init.pth and litellm_init.py from site-packages

• Reinstall a clean version: pip install litellm==1.82.6 (last safe version)

• Verify the .pth file is gone after reinstallation

Step 2: Rotate ALL credentials

• Revoke and regenerate all API keys (OpenAI, Anthropic, Azure, Google, etc.)

• Regenerate AWS/GCP/Azure keys

• Replace SSH keys and Git tokens

• Check crypto wallets if present on the machine

• Change Kubernetes tokens and service secrets

Step 3: Audit and monitor

• Review LLM API consumption logs for abnormal usage

• Audit cloud logs (CloudTrail, GCP Audit Log) for unauthorized access

• Set up alerts for new connections and configuration changes

Remediation doesn't stop at key rotation. It's essential to verify that new keys weren't compromised in turn. If the malware was still active during rotation (for example, if the .pth file wasn't deleted before generating new keys), the new keys may have been exfiltrated immediately. This is why the order of operations is critical: clean the environment first, then regenerate secrets.

For teams managing server fleets or Kubernetes clusters, verification must be systematic and automated. A scan script searching for litellm_init.pth across all containers and virtual environments in your infrastructure can run in minutes and give you a clear picture of the compromise's extent. Don't forget to check Docker images that may have been built during the exposure window.

This incident highlights several systemic vulnerabilities in the Python ecosystem that are particularly critical for companies relying on AI:

Strict version pinning is the simplest and most effective measure. Instead of writing litellm>=1.80 in your requirements.txt, use litellm==1.82.6 with the corresponding SHA256 hash. This practice, often seen as restrictive because it prevents automatic updates, is actually your first line of defense against supply chain attacks. If LiteLLM 1.82.7 had been installed automatically via pip install --upgrade, that's precisely what pinning would have prevented.

Environment isolation via Docker or dedicated virtual environments is another essential protection. A Docker container that only has access to the secrets it needs (and not your SSH keys, bash history, or crypto wallets) significantly limits the blast radius of a compromise. The principle of least privilege, applied to development environments, means your Jupyter notebook doesn't need access to your production AWS keys.

For B2B prospecting teams using automation tools connected to APIs (like Emelia), these recommendations are particularly relevant. Your API keys are the bridge between your tool and your data — a leak can have direct financial consequences: fraudulent token consumption, unauthorized access to prospect data, or worse, full cloud account compromise.

The LiteLLM attack is not an isolated case. The Python AI ecosystem has become a prime target due to a combination of factors: packages with privileged access to sensitive secrets (API keys, cloud tokens), a culture of unverified pip install, and deep dependency chains where a single compromised package can infect dozens of downstream projects.

In 2025-2026, several similar attacks targeted the AI ecosystem: typosquatting packages mimicking popular libraries like transformers and langchain, injections in VS Code extensions and MCP plugins, and maintainer account compromises. The increasing sophistication of these attacks — using techniques like .pth files and transitive dependencies — shows that attackers deeply understand Python's packaging architecture.

The compromise of Trivy as the initial vector is particularly concerning. Trivy is a security scanning tool used specifically to detect vulnerabilities in dependencies. The fact that attackers targeted a security tool to compromise an AI tool creates a particularly sophisticated attack chain: the tool meant to protect you becomes the attack vector itself.

For B2B prospecting companies like those using Emelia, these security concerns are especially important given the sensitive nature of the data involved. Prospect lists, personalized email sequences, campaign data — a compromise of API keys can grant access not only to the AI tools used for content generation, but potentially to the CRM data and communication histories that flow through these systems.

The incident was documented in detail in BerriAI's official post and in GitHub issue #24512. Simon Willison confirmed that PyPI quickly quarantined the malicious packages after the report.

The speed at which the community responded to this incident offers some reassurance. PyPI quarantined the packages within hours of the report. BerriAI engaged Mandiant for a thorough forensic investigation and published transparent documentation of the attack. The security researchers who identified the malware shared detailed technical analyses that helped organizations assess their exposure. This rapid collective response demonstrates that while supply chain attacks are increasingly sophisticated, the security community's detection and response capabilities are evolving in parallel.

However, the three-hour window during which the malicious packages were available on PyPI was enough to potentially affect thousands of installations worldwide. In the modern software development landscape, three hours is an eternity. Automated CI/CD pipelines that run pip install without version pinning could have pulled the compromised version dozens of times during that window. Organizations with aggressive caching strategies might continue serving the compromised version from internal mirrors even after PyPI quarantined it.

The LiteLLM attack will likely accelerate several ongoing initiatives in the Python community:

• PyPI is exploring mandatory cryptographic package signing (PEP 740)

• Tools like Socket Security and Snyk are developing specific detections for exfiltration payloads

• The community is pushing for mandatory multi-factor authentication for popular package maintainers

• Proposals are emerging to restrict or audit automatic .pth file execution

For teams depending on LLMs in their stack, the main takeaway is clear: treat your package manager as a potential attack vector, not a trust catalog. Pin your versions, verify hashes, isolate your environments, and above all, rotate your secrets regularly. The cost of a key rotation is negligible compared to the cost of a compromise.

The current safe version of LiteLLM is available on the official GitHub repository. If you use LiteLLM, make sure you're on version 1.82.6 or later (1.82.9+) and have performed all the checks described in this article.