unknown

litellm versions 1.82.7 and 1.82.8 on PyPI contain a malicious `.pth` file (`litellm_init.pth`) that executes automatically on every Python process startup. The malware operates in three stages: collecting SSH keys, cloud credentials, environment variables, and secrets; exfiltrating them encrypted to a rogue domain (`models.litellm.cloud`); and attempting lateral movement by exploiting Kubernetes service account tokens to create privileged pods and install persistent backdoors. The attack was discovered when the package was pulled as a transitive dependency via an MCP plugin in Cursor, triggering an accidental fork bomb. The GitHub issue has been closed and spammed by bots, suggesting the maintainer account is compromised. Affected users should remove the package, purge caches, check for persistence artifacts, and rotate all credentials immediately.