Litellm PyPI breach explained: malicious versions steal cloud credentials, SSH keys, and Kubernetes secrets. Learn impact and urgent mitigation steps.

Trend Micro Blog offers insights, analysis, and updates on cybersecurity threats, trends, and best practices. Covering topics such as malware analysis, threat intelligence, and cybersecurity risk management, Trend Micro Blog provides resources for IT security professionals, helping them stay ahead of emerging threats and protect their organizations from cyber attacks.

Trend Micro

The litellm Python package on PyPI was compromised in versions 1.82.7 and 1.82.8, released around March 24, 2026. Attackers hijacked maintainer accounts and pushed malicious code that steals AWS, GCP, and Azure credentials, SSH keys, Kubernetes service account tokens, and .env secrets. The malware executes automatically via a Python .pth file without requiring an import, performs container escapes to install persistent backdoors on host nodes, and exfiltrates data to attacker-controlled servers. The breach was accidentally discovered because a buggy fork bomb crashed host machines. With over 95 million downloads in the past month, the blast radius is enormous. Immediate steps include purging the package, rotating all credentials, hunting for persistence implants (sysmon.service, node-setup-* pods), and blocking egress to checkmarx.zone. The incident highlights the dangers of auto-updating dependencies without a quarantine period and storing long-lived credentials in environment variables.

Your AI Stack Just Handed Over Your Root Keys: Inside the litellm PyPI Breach