TH-02 · high

TeamPCP Backdoors LiteLLM via Trivy-Stolen CI/CD Credentials — 3.4M Daily Downloads, LLM API Keys Targeted

Tags: litellm · supply-chain · pypi · agentic-security · ai-agents · mcp

The TeamPCP hacking group — responsible for the recent Trivy GitHub Actions supply chain attack — pivoted to PyPI on March 24, 2026, using credentials stolen from Aqua Security's CI/CD pipeline to publish malicious versions of LiteLLM (v1.82.7 and v1.82.8). LiteLLM is the most widely used open-source LLM gateway library, with over 3.4 million daily PyPI downloads. The malicious packages were live on PyPI for approximately 5 hours.

The attack deployed a two-stage infostealer: a base64-encoded credential harvester injected into proxy_server.py (triggered on every import), and a persistence file (litellm_init.pth) dropped into site-packages. Python's site module executes any .pth line that begins with "import" when the interpreter starts, so the harvester runs in every Python process in that environment, whether or not LiteLLM itself is ever imported. The payload specifically targets LLM API keys (OpenAI, Anthropic, and others), alongside AWS/GCP/Azure credentials, SSH keys, Kubernetes tokens, and database passwords. A figure of approximately 500,000 infected instances has been claimed but not confirmed.

LiteLLM is embedded as a dependency in dozens of MCP servers, AI agent frameworks, and enterprise LLM orchestration platforms. Compromise of a single CI/CD environment that installed the malicious package exposes every agent that environment deploys — including the LLM API keys, tool credentials, and system access those agents hold.

Immediate recommendation: If you ran pip install litellm (unpinned) between 10:39–16:00 UTC on March 24, 2026, rotate all credentials in that environment immediately: cloud provider keys, LLM API keys, SSH keys, database passwords, and Kubernetes service account tokens. Upgrade to v1.82.9 or later, and check site-packages for litellm_init.pth or any other .pth file whose import line decodes and executes a blob, since the hook survives a plain reinstall of the package. Pin all PyPI dependencies by version and digest in production pipelines (for example a requirements file generated with pip-compile --generate-hashes, installed with pip install --require-hashes); a hash pin fails closed if a version is republished with different contents, which a bare version pin does not.
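The following is an added audit script for the checks above; it is not code from the advisory or from the LiteLLM project. It inspects a site-packages directory for the three indicators the write-up names: an installed litellm version in the malicious set, a litellm_init.pth startup hook (or any .pth line that feeds a base64 decode into exec/eval/compile), and the same decode-and-execute pattern inside a proxy_server.py under the litellm package. The dist-info directory mtime is used as a rough proxy for install time against the 10:39–16:00 UTC window; that pip sets it at install time is an assumption, not a forensic timestamp, and the scan regexes are heuristics that can miss an obfuscated stager. The fixture tree built by build_fixture is constructed for testing and its "payload" only prints a string.

```python
"""Post-incident audit for the LiteLLM PyPI compromise (added example, not project code)."""
from __future__ import annotations

import base64
import os
import re
import sys
import sysconfig
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path

MALICIOUS_VERSIONS = {"1.82.7", "1.82.8"}
WINDOW_START = datetime(2026, 3, 24, 10, 39, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 24, 16, 0, tzinfo=timezone.utc)
KNOWN_PTH_NAME = "litellm_init.pth"
DIST_INFO_RE = re.compile(r"^litellm-\d.*\.dist-info$")
EXEC_RE = re.compile(r"\b(exec|eval|compile)\s*\(")
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # heuristic: long base64-looking literal


@dataclass
class Finding:
    path: Path
    reason: str


@dataclass
class Report:
    installed_version: str | None = None
    installed_at: datetime | None = None  # dist-info mtime, an approximation of install time
    findings: list[Finding] = field(default_factory=list)

    @property
    def version_malicious(self) -> bool:
        return self.installed_version in MALICIOUS_VERSIONS

    @property
    def installed_in_window(self) -> bool:
        return self.installed_at is not None and WINDOW_START <= self.installed_at <= WINDOW_END

    @property
    def compromised(self) -> bool:
        return self.version_malicious or bool(self.findings)


def installed_litellm_version(site_packages: Path) -> tuple[str | None, datetime | None]:
    """Read Version: from litellm-*.dist-info/METADATA and return it with the dir mtime."""
    for dist in site_packages.iterdir():
        meta = dist / "METADATA"
        if not (DIST_INFO_RE.match(dist.name) and meta.is_file()):
            continue
        for line in meta.read_text(encoding="utf-8", errors="replace").splitlines():
            if line.startswith("Version:"):
                mtime = datetime.fromtimestamp(dist.stat().st_mtime, tz=timezone.utc)
                return line.split(":", 1)[1].strip(), mtime
    return None, None


def scan_file_for_stager(path: Path) -> list[str]:
    """Flag lines where a base64 decode feeds exec/eval/compile, or a 200+ char base64 blob."""
    reasons: list[str] = []
    text = path.read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        if "b64decode" in line and EXEC_RE.search(line):
            reasons.append(f"line {lineno}: base64 decode fed into exec/eval/compile")
        if B64_BLOB_RE.search(line):
            reasons.append(f"line {lineno}: base64-looking blob of 200+ characters")
    return reasons


def audit(site_packages: Path) -> Report:
    report = Report()
    report.installed_version, report.installed_at = installed_litellm_version(site_packages)
    # site.py runs every .pth line starting with "import" at interpreter start, so a .pth
    # stager executes in every Python process here whether or not litellm is imported.
    for pth in site_packages.glob("*.pth"):
        if pth.name == KNOWN_PTH_NAME:
            report.findings.append(Finding(pth, "persistence filename named in the advisory"))
        report.findings.extend(Finding(pth, r) for r in scan_file_for_stager(pth))
    pkg = site_packages / "litellm"
    if pkg.is_dir():
        for src in pkg.rglob("proxy_server.py"):
            report.findings.extend(Finding(src, r) for r in scan_file_for_stager(src))
    return report


def build_fixture(malicious: bool = True) -> Path:
    """Constructed site-packages tree for testing; the 'payload' only prints a string."""
    root = Path(tempfile.mkdtemp(prefix="litellm-audit-"))
    version = "1.82.7" if malicious else "1.82.9"
    dist = root / f"litellm-{version}.dist-info"
    dist.mkdir()
    (dist / "METADATA").write_text(f"Metadata-Version: 2.1\nName: litellm\nVersion: {version}\n")
    stamp = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc).timestamp()  # inside the window
    os.utime(dist, (stamp, stamp))
    (root / "_virtualenv.pth").write_text("import _virtualenv\n")  # benign import line, not flagged
    proxy = root / "litellm" / "proxy"
    proxy.mkdir(parents=True)
    code = "def app():\n    return 'ok'\n"
    if malicious:
        blob = base64.b64encode(b"print('constructed sample, not the real payload')").decode()
        hook = f"import base64;exec(base64.b64decode('{blob}'))\n"
        (root / KNOWN_PTH_NAME).write_text(hook)
        code = hook + code
    (proxy / "proxy_server.py").write_text(code)
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(sysconfig.get_paths()["purelib"])
    r = audit(target)
    print(f"litellm {r.installed_version} malicious={r.version_malicious} "
          f"dist-info mtime={r.installed_at} in_window={r.installed_in_window}")
    for f in r.findings:
        print(f"FINDING {f.path}: {f.reason}")
    sys.exit(1 if r.compromised else 0)
```

Run it with no argument to audit the current interpreter's site-packages, or pass the purelib path of another environment (a CI runner's venv, a container layer). A non-zero exit means at least one indicator was found; treat that as "rotate everything this environment could reach", not as a cleanup checklist, because the .pth hook has already run in every Python process started since installation.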