Malicious PyPI Package – LiteLLM Supply Chain Compromise

The malicious behavior is enabled through Python’s handling of .pth files located in site-packages/, which are executed automatically when the interpreter initializes. This makes the compromise particularly dangerous, as execution occurs implicitly and may go unnoticed in standard dependency usage scenarios[2].

The embedded payload is double base64‑encoded, significantly reducing visibility to basic static analysis. The decoded payload attempts to exfiltrate credentials to a remote endpoint controlled by the attacker [1].

Anyone who’s running the confirmed compromised, or possibly compromised litellm versions via pip has had all environment variables, SSH keys, cloud credentials, and other secrets collected and sent to an attacker-controlled server.

This threat notice will be updated when there is more information available.

PyPi admins have quarantined the project, hopefully limiting spread.

Affected Products

litellm version 1.82.8
Possibly litellm version 1.82.7

Exploitation

The flaw is currently being exploited in the wild.

Threat Actor

The attack seems to be attributed to TeamPCP[3]

Recommended Actions

Truesec recommends following the recommendations in the advisory[1]:

• Truesec recommends following the recommendations in the advisory[1]:
• PyPI: Yank/remove litellm 1.82.8 and litellm 1.82.7 immediately
• Users: Check for litellm_init.pth in your site-packages/ directory
• Users: Rotate ALL credentials that were present as environment variables or in config files on any system where any of the affected versions was installed
• BerriAI: Audit PyPI publishing credentials and CI/CD pipeline for compromise

Detection

For all Truesec MDR customers, Threat hunting will be applied to the following IOCs:
Observed exfiltration[3]:
models[.]litellm[.]cloud
checkmarx[.]zone/raw

[1] https://github.com/BerriAI/litellm/issues/24512
[2] https://docs.python.org/3/library/site.html
[3] https://ramimac.me/trivy-teampcp/#phase-09