PyPI Removes Compromised LiteLLM Releases After Warnings of Stolen Credentials
By John K. Waters
03/25/2026
Malicious versions of the widely used Python package LiteLLM were briefly published to the Python Package Index (PyPI), prompting warnings from PyPI, security researchers, and the package's maintainer that users should assume credentials exposed to affected environments may have been compromised.
PyPI, the official, centralized repository for third-party Python software libraries and packages, stated that anyone who installed and ran the project should assume credentials available to the LiteLLM environment may have been exposed and should revoke or rotate them. Security researchers cited by InfoWorld and BleepingComputer said the compromised releases were LiteLLM versions 1.82.7 and 1.82.8, which were later removed from PyPI.
LiteLLM is an open-source Python library that connects applications to multiple large language model providers through a single interface. PyPI Stats reported more than 96,000 downloads last month.
According to Endor Labs, an application security company focused on software supply chains, the malicious code was designed to harvest environment variables, SSH keys, cloud credentials for AWS, Google Cloud, and Microsoft Azure, Kubernetes configurations, CI/CD secrets, database credentials, and cryptocurrency wallets. The attack also included tooling for Kubernetes lateral movement and a persistent backdoor.
Krrish Dholakia, CEO of Berri AI, the company behind LiteLLM, said in a Hacker News post that the compromise appeared to stem from the use of Trivy in the project's CI/CD pipeline. Trivy is an open-source security scanner from Aqua Security that is widely used in CI/CD pipelines to check software packages and dependencies for vulnerabilities and other risks.
The attack drew a strong reaction from software engineer Andrej Karpathy, who wrote on X that a simple "pip install litellm" was enough to expose a wide range of secrets and that the incident showed how dangerous software supply-chain attacks can be. Karpathy also said projects that depended on LiteLLM could have been affected through transitive dependencies, including users who installed other packages that pulled LiteLLM in automatically. According to his post, the poisoned version appeared to have been available for less than an hour.
Researchers have linked the compromise to TeamPCP, a hacking group.
PyPI's warning and researchers' analyses underscored the broader risk from attacks on open-source software dependencies, which can spread beyond a single package to downstream projects and developer environments.