
The LiteLLM PyPI Credential Theft Incident

A popular AI infrastructure package was poisoned on PyPI to harvest cloud tokens, SSH keys, Kubernetes credentials, and CI/CD secrets.

March 26, 2026 · 10 min read · Credential theft

Affected versions: 1.82.7 / 1.82.8 (poisoned LiteLLM packages on PyPI)

Download scale: 3.4M/day (Zscaler-cited PyPI download volume)

Execution path: .pth / import (automatic Python startup and import-triggered payloads)

Target data: Cloud secrets (AWS, GCP, Azure, SSH, Kubernetes, and CI/CD credentials)

Executive Summary

Zscaler reports that LiteLLM versions 1.82.7 and 1.82.8 were poisoned by TeamPCP and available on PyPI for about three hours. The malicious code targeted AWS, GCP, Azure tokens, SSH keys, Kubernetes credentials, and other sensitive pipeline material.

The best-sourced reporting on the LiteLLM incident places the event in March 2026, not late 2025; this briefing uses that sourced 2026 date.

Threat profile

LiteLLM sits close to valuable secrets because AI gateway software often needs model-provider keys, cloud credentials, service tokens, and deployment access. That makes it an unusually attractive dependency to poison.

The attack targeted the build and runtime environment, not just application source. If a runner had access to cloud tokens or Kubernetes configs, the malware tried to collect them.

Technical root cause

Zscaler reports that LiteLLM 1.82.8 introduced a `.pth` file that Python automatically executes from `site-packages`, while 1.82.7 introduced an obfuscated Base64 payload in `proxy_server.py` that ran when the library was imported.

The malicious content was published as part of the package, so normal hash verification could still pass. That is the hard lesson: integrity checks prove you received the published artifact, not that the publisher was uncompromised.
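The two execution paths described above are both visible on disk without running anything. The following scanner is an added example written for this briefing, not code from Zscaler, LiteLLM or Package Ninja: it walks a site-packages tree, reports every `.pth` line that Python's `site` module would execute at startup (lines beginning with `import`), and flags top-level module statements that decode a blob and pass it to `exec`. The heuristics, file names and the harmless Base64 blob (it decodes to a `print`) are constructed for the demo; nothing is decoded or executed.

```python
"""Read-only scan of a site-packages tree for the two loader patterns in the
briefing: executable .pth lines and import-time decode-and-exec statements."""
import re
import tempfile
from pathlib import Path

# site.addpackage() executes any .pth line that starts with "import " or
# "import\t"; every other line is treated as a path to append to sys.path.
PTH_EXEC_PREFIXES = ("import ", "import\t")

# Heuristics (assumed, tune locally): a decoder plus a code-execution call.
DECODE_RE = re.compile(r"\b(b64decode|a85decode|zlib\.decompress|bytes\.fromhex)\b")
EXEC_RE = re.compile(r"\b(exec|eval|compile|__import__)\s*\(")


def scan_pth(path: Path) -> list:
    """Report executable lines of a .pth file. Such lines are legitimate in
    some packages, so only decode+exec combinations are marked high."""
    findings = []
    for lineno, raw in enumerate(path.read_text(errors="replace").splitlines(), 1):
        line = raw.strip()
        if line.startswith(PTH_EXEC_PREFIXES):
            findings.append({
                "file": path.name,
                "line": lineno,
                "kind": "pth-exec",
                "high": bool(DECODE_RE.search(line) and EXEC_RE.search(line)),
                "text": line[:100],
            })
    return findings


def scan_module(path: Path) -> list:
    """Flag top-level (unindented) statements that decode and exec at import.
    Indented code only runs when something calls it, so it is skipped here."""
    findings = []
    for lineno, raw in enumerate(path.read_text(errors="replace").splitlines(), 1):
        if raw and not raw[0].isspace() and DECODE_RE.search(raw) and EXEC_RE.search(raw):
            findings.append({
                "file": path.name,
                "line": lineno,
                "kind": "import-time-decode-exec",
                "high": True,
                "text": raw.strip()[:100],
            })
    return findings


def scan_site_packages(root: Path) -> list:
    """Walk a site-packages directory and collect findings from both scanners."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.suffix == ".pth":
            findings.extend(scan_pth(p))
        elif p.suffix == ".py":
            findings.extend(scan_module(p))
    return findings


def build_demo_tree() -> Path:
    """Constructed sample site-packages (not the real LiteLLM files).
    The blob below is base64 for print("hello") and is never executed."""
    root = Path(tempfile.mkdtemp(prefix="sitepkg-demo-"))
    # benign: a path line (not executed) and a setuptools-style import line
    (root / "distutils-precedence.pth").write_text(
        "/srv/app/src\nimport os; os.environ.get('SETUPTOOLS_USE_DISTUTILS')\n")
    # constructed malicious .pth: runs on every interpreter start
    (root / "vendor-hook.pth").write_text(
        "import base64; exec(base64.b64decode('cHJpbnQoImhlbGxvIik='))\n")
    pkg = root / "demo_pkg"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("")
    # constructed import-time loader: top-level decode + exec
    (pkg / "proxy_server.py").write_text(
        "import base64\nPAYLOAD = 'cHJpbnQoImhlbGxvIik='\n"
        "exec(base64.b64decode(PAYLOAD))\n")
    # benign: decoding inside a function body is not an import-time action
    (pkg / "utils.py").write_text(
        "import base64\n\ndef decode(x):\n    return base64.b64decode(x)\n")
    return root


if __name__ == "__main__":
    for f in scan_site_packages(build_demo_tree()):
        print("HIGH " if f["high"] else "info ", f["file"], f["line"], f["text"])
```

Run it against a real environment with `scan_site_packages(Path(site.getsitepackages()[0]))`; expect some low-severity `pth-exec` hits from setuptools or virtualenv, which is why the example separates "executable" from "decode-and-exec" rather than treating every `.pth` import line as malicious.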

Why outbound control matters

Secret scanning after a build finishes is too late when malware can POST data during install or import. The decisive control is process-level egress: package code should not be able to talk to arbitrary endpoints during build, test, or model gateway startup.

A local data-plane agent can make the theft fail even if the malicious code executes, because the process cannot reach its unauthorized exfiltration destination.

Ninja Containment

Zero-Trust Outbound Firewall

Package Ninja monitors process-level network traffic and kills unauthorized exfiltration attempts before secrets can leave the build host.

Restrict install, build, and test processes to approved registries and endpoints.

Block outbound calls from package lifecycle hooks unless explicitly allowlisted.

Detect cloud-token, SSH-key, Kubernetes, and CI/CD secret patterns in attempted egress.

Terminate and quarantine the process when credential exfiltration behavior is observed.
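To make the egress argument from the "Why outbound control matters" section and the four controls listed above concrete, here is the decision logic such a control needs, as an added example written for this briefing and not Package Ninja's code. It assumes an OS-level hook (eBPF, a seccomp/LSM policy, or a local proxy) that intercepts each outbound connection from a pipeline process and hands this function the phase, process, destination and pending bytes; the allowlist, phase names, credential patterns and sample events are all constructed.

```python
"""Policy core for a build-host egress control: decide per connection attempt
whether a package lifecycle process may reach its destination, and whether the
bytes it wants to send look like credentials. Enforcement is assumed external."""
import re
from dataclasses import dataclass, field

# Assumed per-phase allowlist: the only destinations each phase may reach.
ALLOWED_EGRESS = {
    "install": {"pypi.org", "files.pythonhosted.org"},
    "build":   {"pypi.org", "files.pythonhosted.org"},
    "test":    set(),                  # tests should not need the network at all
    "startup": {"api.openai.com"},     # model-provider endpoint the gateway needs
}

# Well-known credential shapes. Sample values further down are constructed.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-pem":   re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github-token":      re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "kubeconfig":        re.compile(r"client-(?:certificate|key)-data:\s*\S+"),
    "gcp-service-acct":  re.compile(r'"type"\s*:\s*"service_account"'),
}


@dataclass
class EgressEvent:
    phase: str        # install | build | test | startup
    process: str      # name of the process opening the socket
    dest_host: str
    dest_port: int
    payload: bytes = b""   # bytes queued on the socket before the hook fires


@dataclass
class Decision:
    action: str       # "allow", "block" (drop connection) or "kill" (terminate + quarantine)
    reason: str
    secrets: list = field(default_factory=list)


def find_secrets(payload: bytes) -> list:
    """Names of credential patterns present in the outbound bytes."""
    text = payload.decode("utf-8", errors="replace")
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]


def evaluate(event: EgressEvent) -> Decision:
    """Allowlisted destinations pass (credential shapes are only logged there,
    since e.g. an AWS access key id legitimately appears in SigV4 headers to
    AWS). Anything else is dropped, and dropped-with-credentials is killed."""
    allowed = ALLOWED_EGRESS.get(event.phase, set())
    secrets = find_secrets(event.payload)
    if event.dest_host in allowed:
        return Decision("allow", f"{event.dest_host} allowlisted for {event.phase}", secrets)
    if secrets:
        return Decision("kill", f"credential patterns in egress from {event.process} "
                                f"to {event.dest_host}:{event.dest_port}", secrets)
    return Decision("block", f"{event.dest_host}:{event.dest_port} not allowlisted "
                             f"for {event.phase} ({event.process})")


def demo_events() -> list:
    """Constructed sample attempts; 203.0.113.10 is a documentation address."""
    return [
        EgressEvent("install", "pip", "files.pythonhosted.org", 443,
                    b"GET /packages/demo.whl HTTP/1.1\r\n"),
        EgressEvent("install", "python", "203.0.113.10", 443,
                    b'{"aws":"AKIAEXAMPLEEXAMPLE12","ssh":"-----BEGIN OPENSSH PRIVATE KEY-----\\n"}'),
        EgressEvent("test", "pytest", "pypi.org", 443, b"GET /simple/ HTTP/1.1\r\n"),
        EgressEvent("startup", "litellm", "api.openai.com", 443,
                    b"Authorization: Bearer sk-constructed-example\r\n"),
    ]


def run_demo() -> list:
    """Actions decided for the sample events, in order."""
    return [evaluate(e).action for e in demo_events()]


if __name__ == "__main__":
    for e in demo_events():
        d = evaluate(e)
        print(f"{d.action:5} {e.phase:8} {e.process:8} -> {e.dest_host}  {d.reason}  {d.secrets}")
```

The ordering matters: the destination check comes first so that legitimate traffic carrying key identifiers to the service that issued them is not killed, while the same bytes headed to an unlisted host escalate from "block" to "kill" so the process is stopped before it can retry another endpoint.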
