LiteLLM Supply Chain Attack Raises Security Concerns


“Anyone who has installed and run the project should assume any credentials available to [the] LiteLLM environment may have been exposed, and revoke/rotate them accordingly,” stated the Python Packaging Authority (PyPA) in response to the recent supply chain attack on LiteLLM.

The attack affected versions 1.82.7 and 1.82.8 of LiteLLM. Credential-stealing code was injected via Trivy in the CI/CD pipeline and embedded in the file litellm_init.pth.

The campaign, attributed to the threat actor TeamPCP, began in late February 2026, with the compromised versions published on March 24, 2026, at approximately 8:30 UTC. Shortly after, at 11:25 UTC, PyPI quarantined the malicious packages.

The payload of the attack is particularly concerning as it targets environment variables, SSH keys, cloud credentials, and other sensitive data, which are then exfiltrated to domains controlled by the attackers.

TeamPCP has a history of compromising various ecosystems, including GitHub Actions and Docker Hub, indicating a broader trend of coordinated attacks targeting security tools and open-source infrastructure.

In light of these events, users of LiteLLM are advised to audit their environments for the compromised versions and to revoke any exposed credentials. The Python Packaging Authority has also published a security advisory regarding the compromise.
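The audit described above can be scripted. The following is an added example, not code from PyPA or the LiteLLM project: it checks site-packages directories for the two affected versions and for litellm_init.pth by reading package metadata on disk, without importing litellm. The function names and the command-line usage are assumptions made for this example.

```python
import sys
import sysconfig
from email import message_from_string
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # affected releases named in the article
PTH_NAME = "litellm_init.pth"        # file the article says carried the payload

def default_dirs():
    """site-packages directories of the interpreter running this script."""
    paths = sysconfig.get_paths()
    return sorted({Path(paths[k]) for k in ("purelib", "platlib") if k in paths})

def litellm_versions(directory):
    """Versions recorded in litellm dist-info metadata; litellm is never imported."""
    versions = []
    for meta in Path(directory).glob("*.dist-info/METADATA"):
        headers = message_from_string(meta.read_text(encoding="utf-8", errors="replace"))
        if (headers["Name"] or "").strip().lower() == "litellm":
            versions.append((headers["Version"] or "").strip())
    return versions

def audit(directories):
    """Return (directory, finding) pairs for each indicator found."""
    findings = []
    for d in map(Path, directories):
        if not d.is_dir():
            continue
        for version in litellm_versions(d):
            if version in BAD_VERSIONS:
                findings.append((str(d), f"litellm {version} installed"))
        if (d / PTH_NAME).exists():
            findings.append((str(d), f"{PTH_NAME} present"))
    return findings

if __name__ == "__main__":
    # Pass site-packages paths as arguments, or audit the current interpreter.
    hits = audit(sys.argv[1:] or default_dirs())
    for where, what in hits:
        print(f"[!] {where}: {what}")
    if hits:
        print("Revoke and rotate credentials reachable from this environment.")
    sys.exit(1 if hits else 0)
```

Because .pth files in site-packages are processed by Python's site module at interpreter startup, run the script from an interpreter outside the environment being checked, or with python -S, and pass the target site-packages directories as arguments. A clean result only describes the current state of the directory; it does not show that an affected version was never installed there.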

Gal Nagli, a cybersecurity expert, remarked, “The open source supply chain is collapsing in on itself.” This sentiment reflects growing concerns about the integrity of security measures within the open-source community.

TeamPCP’s audacious claim, “These companies were built to protect your supply chains yet they can’t even protect their own, the state of modern security research is a joke, as a result we’re gonna be around for a long time stealing terabytes of trade secrets with our new partners,” underscores the seriousness of the threat.

As the situation develops, experts from Endor Labs have warned that “This campaign is almost certainly not over.” The implications of this attack could resonate throughout the open-source community for some time.