Your AI Stack Just Handed Over Your Root Keys: Inside the litellm PyPI Breach
The litellm Python package on PyPI was compromised in versions 1.82.7 and 1.82.8, released around March 24, 2026. Attackers hijacked maintainer accounts and pushed malicious code that steals AWS, GCP, and Azure credentials, SSH keys, Kubernetes service account tokens, and .env secrets. The malware executes automatically via a Python .pth file without requiring an import, performs container escapes to install persistent backdoors on host nodes, and exfiltrates data to attacker-controlled servers. The breach was accidentally discovered because a buggy fork bomb crashed host machines. With over 95 million downloads in the past month, the blast radius is enormous. Immediate steps include purging the package, rotating all credentials, hunting for persistence implants (sysmon.service, node-setup-* pods), and blocking egress to checkmarx.zone. The incident highlights the dangers of auto-updating dependencies without a quarantine period and storing long-lived credentials in environment variables.
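A first-pass triage check for the two indicators above that live inside a Python environment, written as an added example (not code from the article or from the litellm project): it looks for the affected versions by `dist-info` directory name and lists every `.pth` line that Python's `site` module executes at interpreter startup. The function names are this example's own, and detecting the version from the directory name is an assumption about how the package was installed.

```python
import site
from pathlib import Path

# Affected versions as named on this page.
AFFECTED = {"1.82.7", "1.82.8"}


def executable_pth_lines(site_dir):
    """Return (file name, line) for each .pth line site.py would exec() at startup.

    site.py executes any .pth line that starts with "import" followed by a
    space or tab; every other non-comment line is only appended to sys.path.
    """
    hits = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, line.strip()))
    return hits


def affected_litellm(site_dir):
    """Return affected litellm versions found as litellm-<version>.dist-info."""
    found = []
    for d in Path(site_dir).glob("litellm-*.dist-info"):
        version = d.name[len("litellm-"):-len(".dist-info")]
        if version in AFFECTED:
            found.append(version)
    return sorted(found)


def scan(site_dirs):
    """Scan each existing directory; missing ones are skipped."""
    return {
        str(d): {"pth_exec": executable_pth_lines(d),
                 "litellm": affected_litellm(d)}
        for d in site_dirs if Path(d).is_dir()
    }


if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for path, result in scan(dirs).items():
        print(path)
        for version in result["litellm"]:
            print(f"  AFFECTED litellm {version} installed")
        # Legitimate packages also ship import lines in .pth files (setuptools'
        # distutils-precedence.pth, for one), so these hits need review.
        for name, line in result["pth_exec"]:
            print(f"  exec at startup: {name}: {line[:100]}")
```

Run it with each interpreter or virtual environment on the host, since each has its own site-packages; a clean result here says nothing about the host-level persistence or the credentials that still need rotating.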