An AI gateway designed to steal your data


In March 2026, attackers injected malicious code into two versions of the popular Python library LiteLLM (1.82.7 and 1.82.8) on PyPI, turning it into a data-stealing trojan. The malware recursively scanned victim systems for SSH keys, AWS/Kubernetes/database credentials, .env files, TLS certificates, and crypto wallet configs. It also extracted live AWS IMDS runtime credentials and established persistence in Kubernetes clusters by deploying a privileged pod and registering a sysmon.py backdoor via systemd. A related Node.js variant was found embedded in trojanized Checkmarx VS Code extensions on OpenVSX. Victims were identified globally, with the highest infection rates in Russia, China, Brazil, the Netherlands, and UAE. The compromised packages have since been removed from PyPI and OpenVSX. Recommended mitigations include rotating all credentials, scanning for sysmon.py artifacts, auditing PyPI module caches, and using supply chain monitoring tools.
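The mitigations listed above are easier to act on with a small triage script. The one below is an added example, not code from the Securelist write-up or from the LiteLLM project: it checks the installed LiteLLM version against the two trojanized releases named in the summary (1.82.7 and 1.82.8), walks a set of directories for files named sysmon.py, and greps systemd unit files for references to that script. Because the summary does not name the systemd unit, the script matches on unit contents rather than on a unit name. The directory tree it scans by default is a constructed fixture built in a temp dir so the script runs offline; on a real host you would pass your site-packages directories, the pip cache and /etc/systemd/system instead.

```python
"""Added triage example for the LiteLLM 1.82.7/1.82.8 compromise.

Version strings and the sysmon.py file name come from the incident summary.
The directory layout and the planted artefacts in build_demo_tree() are
constructed for this demo (assumption: they are not real IoCs).
"""
import os
import tempfile
from importlib import metadata
from pathlib import Path

COMPROMISED_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}
BACKDOOR_FILENAME = "sysmon.py"


def installed_litellm_is_compromised(version_lookup=None):
    """Return the installed litellm version if it is a trojanized release,
    else None. version_lookup is injectable so the check can be exercised
    on a machine where litellm is not installed."""
    lookup = version_lookup or (lambda: metadata.version("litellm"))
    try:
        ver = lookup()
    except metadata.PackageNotFoundError:
        return None  # litellm not installed: nothing to flag
    return ver if ver in COMPROMISED_LITELLM_VERSIONS else None


def find_backdoor_files(roots):
    """Walk each root (site-packages, pip cache, home dirs, ...) and return
    the paths of every file named sysmon.py."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            if BACKDOOR_FILENAME in filenames:
                hits.append(str(Path(dirpath) / BACKDOOR_FILENAME))
    return sorted(hits)


def find_systemd_units_referencing(unit_dirs, needle=BACKDOOR_FILENAME):
    """Return *.service files whose contents mention the backdoor script.
    The unit name used by the malware is not given in the summary, so the
    check looks inside each unit instead of matching a file name."""
    hits = []
    for unit_dir in unit_dirs:
        p = Path(unit_dir)
        if not p.is_dir():
            continue
        for unit in p.glob("*.service"):
            try:
                text = unit.read_text(errors="replace")
            except OSError:
                continue
            if needle in text:
                hits.append(str(unit))
    return sorted(hits)


def build_demo_tree():
    """Constructed fixture: a fake site-packages with a planted sysmon.py and
    a fake systemd directory holding one clean unit and one that launches it."""
    base = Path(tempfile.mkdtemp(prefix="litellm-triage-"))
    pkg = base / "site-packages" / "litellm"
    pkg.mkdir(parents=True)
    (pkg / "__init__.py").write_text("# benign placeholder\n")
    (pkg / BACKDOOR_FILENAME).write_text("# planted artefact for the demo\n")
    units = base / "systemd" / "system"
    units.mkdir(parents=True)
    (units / "clean.service").write_text("[Service]\nExecStart=/usr/bin/true\n")
    (units / "suspect.service").write_text(
        f"[Service]\nExecStart=/usr/bin/python3 {pkg / BACKDOOR_FILENAME}\n")
    return base


def triage(base=None, version_lookup=None):
    """Run all three checks; defaults to the constructed demo tree."""
    base = Path(base) if base else build_demo_tree()
    return {
        "compromised_version": installed_litellm_is_compromised(version_lookup),
        "backdoor_files": find_backdoor_files([base / "site-packages"]),
        "systemd_units": find_systemd_units_referencing(
            [base / "systemd" / "system"]),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

A hit on any of the three checks is a trigger for the rest of the list above: rotate every credential the host could have read (SSH keys, cloud and cluster credentials, .env contents), not just the ones you can see were touched, since the stealer scanned recursively.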

From securelist.com

Table of contents of the source article:
- Repository compromise
- Technical analysis
- OpenVSX version of the malware
- Victimology
- Conclusion
- Prevention and protection
- Indicators of Compromise