On March 24, 2026, a critical supply chain compromise was identified in litellm==1.82.8: the PyPI package contains a malicious litellm_init.pth file

StepSecurity

A critical supply chain attack was discovered in litellm versions 1.82.7 and 1.82.8 on PyPI. Two different injection techniques were used: a malicious `.pth` file in 1.82.8 that executes on every Python startup, and a base64-encoded payload embedded in `proxy_server.py` in 1.82.7. Both versions carry an identical three-stage payload: (1) a mass credential harvester targeting SSH keys, AWS/GCP/Azure credentials, Kubernetes secrets, environment files, crypto wallets, and shell history; (2) a persistent C2 backdoor disguised as 'System Telemetry Service' that polls `checkmarx.zone` every ~50 minutes for arbitrary remote code execution; and (3) Kubernetes lateral movement that deploys privileged pods to every cluster node to install the backdoor on host OS. All stolen data is encrypted with AES-256-CBC and RSA-4096 before exfiltration to `models.litellm.cloud`. Downstream projects including Microsoft GraphRAG, Google ADK, DSPy, OpenHands, and others were affected. Immediate remediation requires rotating all credentials, removing the persistence backdoor, checking for K8s lateral movement, and auditing network logs for connections to the attacker-controlled domains.

litellm: Credential Stealer Hidden in PyPI Wheel

The Entry Points: Two Versions, Two Injection Techniques