LiteLLM Supply Chain Attack: Malicious Credential Stealer Found in PyPI Package
Critical Security Alert for AI Developers
A serious supply chain attack has been discovered in litellm version 1.82.8 on PyPI. The compromised package contains a malicious .pth file (litellm_init.pth, 34,628 bytes) that automatically executes a credential-stealing script every time the Python interpreter starts — **no import litellm required**.
How It Works
The attack leverages Python's .pth file mechanism: at interpreter startup, site.py executes any line in a .pth file that begins with "import ", so the payload runs before any user code and regardless of which modules the program imports. The malicious file appears in the package's RECORD manifest:
litellm_init.pth,sha256=ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg,34628
The payload is double base64-encoded and performs comprehensive data exfiltration.
What Gets Stolen
The script collects a wide range of sensitive data:
- System info: hostname, whoami, uname, IP addresses
- Environment variables: ALL env vars (captures API keys, secrets, tokens)
- SSH keys: id_rsa, id_ed25519, id_ecdsa, authorized_keys, known_hosts
- Git credentials: .gitconfig, .git-credentials
- AWS credentials: ~/.aws/credentials, ~/.aws/config, IMDS token
- Kubernetes secrets: ~/.kube/config, service account tokens
- GCP credentials: application_default_credentials.json
- Azure credentials: ~/.azure/
- Docker configs: ~/.docker/config.json
Impact
LiteLLM is one of the most popular Python packages for LLM integration, with 40,200+ GitHub stars and 6,700+ forks. It's used by thousands of developers and AI applications to interface with OpenAI, Anthropic, and other LLM providers. The supply chain compromise means anyone who installed version 1.82.8 may have had their credentials exfiltrated.
Immediate Action Required
- Do not use litellm 1.82.8 — uninstall immediately
- Rotate ALL credentials if you installed this version — SSH keys, API keys, cloud credentials
- Audit your environment for signs of compromise
- Use pinned versions and verify package hashes
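A defender-side audit of the two artefacts this advisory describes (executable import lines in .pth files, and .pth entries declared in a package's RECORD, the shape of the litellm_init.pth finding) that also serves the "audit your environment" step above; this is an added example, not code from the advisory or from LiteLLM. It assumes the site-packages directories reported by the local interpreter, and any sample RECORD text used with it is constructed.

```python
"""Audit .pth files and dist-info RECORDs for executable startup hooks.
Added example for this advisory (not the advisory's or LiteLLM's code).
site.py exec()s every .pth line that starts with "import " at startup.
"""
import re
import site
from pathlib import Path

# Tokens typical of an encoded loader (the advisory's is double base64).
# Benign shims (e.g. setuptools' distutils-precedence.pth) still show as REVIEW.
SUSPECT = re.compile(r"\b(exec|eval|compile|b64decode|base64|zlib|marshal)\b")

def classify_pth_lines(text: str) -> list[tuple[str, str]]:
    """Return (severity, line) for every executable line in .pth content."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("import ", "import\t")):
            severity = "HIGH" if SUSPECT.search(line) else "REVIEW"
            findings.append((severity, line[:120]))
    return findings

def pth_entries_in_record(record_text: str) -> list[tuple[str, int]]:
    """List (path, size) of .pth files a dist-info RECORD declares."""
    hits = []
    for line in record_text.splitlines():
        parts = line.split(",")
        if len(parts) == 3 and parts[0].endswith(".pth"):
            size = int(parts[2]) if parts[2].strip().isdigit() else -1
            hits.append((parts[0], size))
    return hits

def scan_site_packages(dirs=None) -> dict[str, list]:
    """Scan *.pth and *.dist-info/RECORD in the given or default site dirs."""
    dirs = dirs or site.getsitepackages() + [site.getusersitepackages()]
    report = {}
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            found = classify_pth_lines(pth.read_text(errors="replace"))
            if found:
                report[str(pth)] = found
        for rec in Path(d).glob("*.dist-info/RECORD"):
            found = pth_entries_in_record(rec.read_text(errors="replace"))
            if found:
                report[str(rec)] = found
    return report

if __name__ == "__main__":
    for path, found in scan_site_packages().items():
        print(path, found)
```

Any HIGH hit, or a .pth declared by a package that has no documented reason to ship one, warrants treating the host as compromised and rotating credentials as listed above.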
This incident highlights the growing threat of supply chain attacks in the AI/ML ecosystem, where malicious actors target popular libraries to steal API keys and cloud credentials from developer machines.