[Security]: litellm PyPI package (v1.82.7 + v1.82.8) compromised — full timeline and status

[isfinne]

[LITELLM TEAM UPDATES]

• Compromised packages have been deleted (v1.82.7, v1.82.8)
• Compromise came from trivvy security scan dependency
• All maintainer accounts have been rotated (new maintainer accounts: @krrish-berri-2 , @ishaan-berri)
• Proxy Docker image users were not impacted, all dependencies are pinned on requirements.txt
• No litellm releases will be out until we have scanned our chain and make sure it's safe

Next Steps

• Review all berriai repo's for impact
• Scan circle ci builds to understand blast radius, and mitigate it
• We've engaged Google's mandiant.security team, and are actively working on this with them

We are actively investigating this issue. Please reach out to us on support@berri.ai, if you have any questions / concerns.

---

Summary

The litellm PyPI package was compromised by an attacker who gained access to the maintainer's PyPI account. Malicious versions were published that steal credentials and exfiltrate them to an attacker-controlled server.

Original detailed analysis: #24512

Hacker News discussion: https://news.ycombinator.com/item?id=47501729

What happened

• The maintainer's PyPI account (krrishdholakia) appears to have been hijacked by an attacker (teampcp)
• The attacker published malicious versions to PyPI that were never released through the official GitHub CI/CD
• GitHub releases only go up to v1.82.6.dev1 — versions 1.82.7 and 1.82.8 on PyPI were uploaded directly by the attacker

Affected versions

Version	Method	Trigger
1.82.7	Payload embedded in litellm/proxy/proxy_server.py	Triggered on import litellm.proxy
1.82.8	Added litellm_init.pth (34,628 bytes) + payload in proxy_server.py	Any Python startup — no import needed

Other versions may also be affected and should be audited.

What the malicious code does

1. Collects: SSH keys, environment variables (API keys, secrets), AWS/GCP/Azure/K8s credentials, crypto wallets, database passwords, SSL private keys, shell history, CI/CD configs
2. Encrypts: AES-256-CBC + RSA-4096 (hardcoded public key)
3. Exfiltrates: curl POST to https://models.litellm.cloud/

The exfiltration domain litellm.cloud (NOT the official litellm.ai) was registered on 2026-03-23 via Spaceship, Inc. — just hours before the malicious packages appeared.

Current status

• PyPI: The entire litellm package has been suspended/removed. All versions currently return "No matching distribution found." We reported the malware to PyPI via the official "Report malware" form.
• GitHub Issue [Security]: CRITICAL: Malicious litellm_init.pth in litellm 1.82.8 — credential stealer #24512: Contains the original detailed technical analysis (currently closed by the attacker's spam — see below).
• Attacker behavior: The attacker appears to be publishing hundreds of spam comments to suppress discussion. If this continues, we recommend moderating via the Hacker News thread linked above.

Recommendations for affected users

1. Check if litellm_init.pth exists in your site-packages/ directory
2. Rotate ALL credentials that were present as environment variables or config files on any system where litellm 1.82.7+ was installed
3. Pin dependencies to exact versions and verify against GitHub releases
4. Monitor for unauthorized access using any potentially leaked credentials

References

• Original analysis: [Security]: CRITICAL: Malicious litellm_init.pth in litellm 1.82.8 — credential stealer #24512
• Hacker News: https://news.ycombinator.com/item?id=47501729
• Attacker's exfil domain WHOIS: registered 2026-03-23, Spaceship Inc., privacy-protected
• litellm_init.pth SHA256: ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg

Pypi has put the project in quarantine. this should block additional downloads.

[thenoblet]

Pypi has put the project in quarantine. this should block additional downloads.

Our entire deployment has failed due to this issue. Pypi quarantined it, and I am just finding out. Such a bummer!!

[DanielRuf]

This was probably caused by the compromised trivy project:

https://github.com/search?q=repo%3ABerriAI%2Flitellm%20trivy&type=code
https://ramimac.me/trivy-teampcp/#phase-09

litellm/ci_cd/security_scans.sh

Line 16 in 9343aee

echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list

The full timeline contains more details.

[akx]

The maintainer's PyPI account (krrishdholakia) appears to have been hijacked by an attacker (teampcp)

Note that it's not just PyPI... See e.g. https://github.com/krrishdholakia/blockchain/commit/556f2db38e98bff4495ced183ea6253c5a68bfe0 (unrelated repo) (and other recent activity).

[DanielRuf]

Yes, the trivy project contained a credential stealer and the threat actors used PATs and other secrets extracted via CI / CD.

This means full rotation after cleanup for all involved secrets and connected services (PyPi etc).

[dkindlund]

The Attack Chain: Trivy → LiteLLM PyPI

  Based on the ramimac writeup and issue #24518:

  1. March 1: Aqua Security (Trivy's maintainer) suffered an initial breach
  2. Incomplete credential rotation left tokens available to the attacker (TeamPCP)
  3. TeamPCP compromised Trivy — poisoned v0.69.4-v0.69.6, force-pushed all 76+ trivy-action tags, and pushed malicious Docker images directly to Docker Hub
  4. March 23: Attacker registered litellm.cloud domain (exfiltration target)
  5. March 24 ~08:30 UTC: Published malicious litellm==1.82.7 and 1.82.8 to PyPI using the compromised maintainer account krrishdholakia

  The connection: the Trivy compromise likely gave the attacker access to the LiteLLM maintainer's PyPI credentials (either harvested from CI secrets via the compromised Trivy runs, or through the broader credential-stealing payload).

  GitHub Source Code: NOT Compromised

  - No malicious code in any GitHub tag from v1.82.3-stable through v1.82.6.rc.2
  - No v1.82.7 or v1.82.8 tags exist on GitHub — the attacker published directly to PyPI
  - The base64 and subprocess usages in proxy_server.py across all tagged versions are legitimate (config handling, callbacks)
  - No .pth files, no litellm.cloud references, no exec(base64.b64decode(...)) patterns in the source
  - The simple_pypi_publish.yml workflow was last modified July 2025 — not tampered with
  - Last legitimate CI-published version was March 13

  LiteLLM's Trivy Usage — Potential Exposure Vector

  LiteLLM's ci_cd/security_scans.sh installs Trivy via apt from aquasecurity.github.io/trivy-repo/deb without version pinning — it pulls whatever the latest version is. If a CI run occurred during the Trivy compromise window, it would have installed the poisoned Trivy, which could have exfiltrated CI secrets including the PYPI_PUBLISH_PASSWORD.

[hdnh2006]

Pypi has put the project in quarantine. this should block additional downloads.

Your account is compromised dude: