supplychainattack.org · Supply chain attack incident catalog
Status: contained · Severity: critical

litellm: Credential Stealer Hidden in PyPI Wheel

A critical supply chain compromise in litellm==1.82.8 on PyPI was identified on March 24, 2026. The malicious PyPI wheel contains a credential stealer hidden in a litellm_init.pth file that executes during package initialization.

Disclosed: March 24, 2026
Last updated: June 7, 2026
Blast radius: Python applications using litellm==1.82.8, affecting any system executing the package initialization
Ecosystems: PyPI
Affected entities
  • litellm · 1.82.8

On March 24, 2026, a critical supply chain compromise was discovered in the litellm package hosted on PyPI. The compromised version, litellm==1.82.8, contained a malicious litellm_init.pth file embedded in the distributed wheel package.

The .pth file mechanism is a standard Python feature that allows arbitrary code execution during interpreter initialization. In this case, the malicious file was designed to steal credentials from affected systems when the package was imported or used.

Any Python application or environment that installed and executed litellm==1.82.8 could have been compromised. Credentials accessible to the running Python process would be at risk of exfiltration.

Indicators of compromise

Packages
  • litellm==1.82.8

Remediation

  • Immediately uninstall litellm==1.82.8 from all affected systems
  • Upgrade to a patched version of litellm released after March 24, 2026
  • Audit and rotate any credentials that may have been exposed on systems that ran the compromised version
  • Review application logs and credential access logs for suspicious activity during the window the compromised package was installed
  • Implement package pinning and verification in dependency management to prevent installation of compromised versions
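The .pth mechanism described above is also what a defender can audit: the site module only exec()s .pth lines that begin with `import`, so listing those lines across site-packages surfaces any startup hook a wheel dropped, whether litellm itself is ever imported or not. The script below is an added example written for this entry, not code from the catalog or from StepSecurity; it uses only the Python standard library, and the sample .pth body inside it is constructed for the self-test.

```python
"""Audit .pth files for lines Python executes at interpreter startup.

The site module reads every *.pth in site-packages at startup: lines that
begin with "import " or "import\t" are exec()'d, all other non-comment
lines are sys.path entries. So a litellm_init.pth runs on every start.
"""
import site
import sys
from pathlib import Path

# Constructed sample .pth body for the self-test; not taken from a real file.
SAMPLE_PTH = (
    "# editable install\n"
    "/opt/src/myproject\n"
    "\n"
    "import sys; sys.path.insert(0, '/opt/src/plugins')\n"
    "import _startup_hook\n"
)

def executable_pth_lines(text: str) -> list[str]:
    """Return the lines of a .pth body that site.py would pass to exec()."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # site.py skips blank and comment lines
        if line.startswith(("import ", "import\t")):
            hits.append(line)
    return hits

def audit_site_packages(dirs=None) -> dict[str, list[str]]:
    """Map each .pth file that carries executable lines to those lines."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings = {}
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for pth in sorted(base.glob("*.pth")):
            lines = executable_pth_lines(pth.read_text(errors="replace"))
            if lines:
                findings[str(pth)] = lines
    return findings

if __name__ == "__main__":
    found = audit_site_packages(sys.argv[1:] or None)
    for path, lines in found.items():
        print(path, *("    " + l for l in lines), sep="\n")
    print(f"{len(found)} .pth file(s) with executable lines")
```

Run it with no arguments to scan the current interpreter's site-packages, or pass one or more directories to scan a specific environment; legitimate editable installs and a few tools also use import lines, so compare the output against what you expect rather than treating every hit as malicious.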

Sources

  1. litellm: Credential Stealer Hidden in PyPI Wheel · StepSecurity

Cite this entry

"litellm: Credential Stealer Hidden in PyPI Wheel." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed March 24, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/litellm-credential-stealer-hidden-in-pypi-wheel-ythjti
