Two malicious versions of the litellm PyPI package (1.82.7 and 1.82.8) were published and available for at least two hours, potentially exposing millions of daily users to a multi-stage credential stealer. The payload operates in three layers: the first exfiltrates data using AES-256-CBC encryption with an RSA-wrapped session key; the second harvests SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes configs, CI/CD secrets, and more; the third establishes persistence via a system service that polls a remote endpoint every 50 minutes for new payloads. The attack targets AI development environments where litellm sits between applications and LLM providers, giving it access to sensitive API keys. Indicators of compromise include domains models[.]litellm[.]cloud and checkmarx[.]zone, and artifacts like tpcp.tar.gz and sysmon.py. Affected organizations should rotate all credentials, investigate for persistence mechanisms, and consider rebuilding compromised systems. Attribution is tentatively linked to threat group TeamPCP, possibly related to LAPSUS$.
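A host sweep for the indicators listed above, as an added example that is not part of the original page: it checks the current Python environment for the two malicious litellm releases and walks operator-chosen directories for the named artifacts and for files that mention the two domains. The 1 MB read limit and the choice of directories are assumptions; the page does not say where the artifacts are written.

```python
import os
import sys
from importlib import metadata

# Values taken from the write-up above; domains stay defanged here and are refanged at run time.
BAD_VERSIONS = {"1.82.7", "1.82.8"}
ARTIFACT_NAMES = {"tpcp.tar.gz", "sysmon.py"}
IOC_DOMAINS = [d.replace("[.]", ".")
               for d in ("models[.]litellm[.]cloud", "checkmarx[.]zone")]
MAX_BYTES = 1_000_000  # assumption: only the first 1 MB of each file is searched


def installed_litellm_version():
    """Return the litellm version in this interpreter's environment, or None."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def is_bad_version(version):
    return version is not None and version.strip() in BAD_VERSIONS


def scan_tree(root):
    """Walk root; report artifact file names and files that mention an IoC domain."""
    findings, needles = [], [d.encode() for d in IOC_DOMAINS]
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in ARTIFACT_NAMES:
                findings.append(("artifact", path, name))
            if not os.path.isfile(path):
                continue  # skip sockets, FIFOs and dangling symlinks
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                continue  # unreadable file: keep sweeping
            findings.extend(("domain", path, n.decode()) for n in needles if n in data)
    return findings


if __name__ == "__main__":
    version = installed_litellm_version()
    print("litellm:", version, "MALICIOUS RELEASE" if is_bad_version(version) else "")
    for root in sys.argv[1:]:  # directories to sweep are chosen by the operator
        for kind, path, value in scan_tree(root):
            print(f"{kind}\t{value}\t{path}")
```

The version check only covers the environment of the interpreter that runs it, so run it once per virtualenv or container image. A file named sysmon.py is a lead to examine, not proof of compromise, and a clean result does not replace the credential rotation described above.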
