“Anyone who has installed and run the project should assume any credentials available to [the] LiteLLM environment may have been exposed, and revoke/rotate them accordingly,” stated a representative from the Python Packaging Authority (PyPA). This warning comes in the wake of a significant supply chain attack that compromised versions 1.82.7 and 1.82.8 of the LiteLLM software.
The attack, which began in late February 2026, involved the injection of credential-stealing code into LiteLLM via Trivy in the continuous integration and continuous delivery (CI/CD) pipeline. The malicious code was embedded in the file litellm_init.pth and targeted sensitive information such as environment variables, SSH keys, and cloud credentials.
On March 24, 2026, at approximately 8:30 UTC, the compromised versions were published on the Python Package Index (PyPI). Just under three hours later, at 11:25 UTC, PyPI quarantined the malicious packages after identifying the threat.
According to reports, TeamPCP, the threat actor behind the attack, has previously compromised various ecosystems, including GitHub Actions and Docker Hub. Their activities are part of a broader campaign targeting security tools and open-source infrastructure, raising concerns about the integrity of such systems.
“These companies were built to protect your supply chains yet they can’t even protect their own. The state of modern security research is a joke,” remarked a spokesperson for TeamPCP, indicating their intent to continue exploiting vulnerabilities in the system.
In light of this incident, users are advised to audit their environments for the compromised LiteLLM versions and to revoke any exposed credentials. The Python Packaging Authority has issued a security advisory to inform users of the risks associated with the compromised software.
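One way to carry out that audit offline, as an added example that is not code from PyPA, LiteLLM or the advisory: it walks a directory tree, reads each litellm dist-info METADATA file without importing the package, and flags the two versions and the litellm_init.pth file named above. The function names, the finding labels and the sample tree (including version 0.0.0) are constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # releases named in the article
BAD_PTH = "litellm_init.pth"         # file named in the article
DIST_RE = re.compile(r"litellm-(.+)\.dist-info", re.IGNORECASE)

def installed_version(dist_info):
    """Read the version from METADATA; never import the package itself."""
    meta = dist_info / "METADATA"
    if meta.is_file():
        for line in meta.read_text(errors="replace").splitlines():
            if line.lower().startswith("version:"):
                return line.split(":", 1)[1].strip()
    # No METADATA file or no Version line: fall back to the directory name.
    return DIST_RE.fullmatch(dist_info.name).group(1)

def audit(root):
    """Return sorted (kind, path relative to root) findings under root."""
    root, findings = Path(root), []
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_dir() and DIST_RE.fullmatch(p.name):
            if installed_version(p) in BAD_VERSIONS:
                findings.append(("bad-version", rel))
        elif p.is_file() and p.name.lower() == BAD_PTH:
            findings.append(("pth-file", rel))
    return sorted(findings)

def constructed_demo():
    """Audit a constructed tree: envA holds 1.82.8 and the .pth file,
    envB holds a made-up version 0.0.0 that must not be flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        for env, ver in (("envA", "1.82.8"), ("envB", "0.0.0")):
            d = Path(tmp, env, f"litellm-{ver}.dist-info")
            d.mkdir(parents=True)
            (d / "METADATA").write_text(f"Name: litellm\nVersion: {ver}\n")
        Path(tmp, "envA", BAD_PTH).write_text("# constructed placeholder\n")
        return audit(tmp)

if __name__ == "__main__":
    # Usage: python3 -S audit.py /path/to/venv [...]; -S skips .pth processing.
    hits = [(r, k, p) for r in sys.argv[1:] for k, p in audit(r)]
    for r, k, p in hits:
        print(f"{k}\t{r}/{p}")
    sys.exit(1 if hits else 0)
```

Python's site module executes import lines in .pth files at interpreter startup, so run the scan with an interpreter outside the environment being checked, or with -S as shown. A clean result does not remove the need to rotate credentials on any host where an affected version was ever installed.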
As the situation unfolds, representatives from Endor Labs warned, “This campaign is almost certainly not over,” emphasizing the ongoing threat posed by TeamPCP.
Gal Nagli, a cybersecurity expert, commented, “The open source supply chain is collapsing in on itself,” highlighting the vulnerabilities that have been exposed through this incident.
As the cybersecurity community continues to assess the damage and implement protective measures, the implications of this attack on the future of open-source software and security practices remain to be seen.