# Compromise of litellm 1.82.7/1.82.8: Credential Theft Mechanism via PyPI
The litellm library in versions 1.82.7 and 1.82.8 on PyPI contains malicious code that steals SSH keys, cloud credentials, Kubernetes secrets, and API keys. The attack leverages the supply chain, triggering automatically when launching the Python interpreter or importing the module. Affected systems include those with transitive dependencies, such as Cursor's MCP plugins.
Incident Detection
The attack surfaced through a fork bomb in a .pth file that exhausted host resources. Without this bug, the malware could have operated stealthily. The versions were published on March 24, 2026, between 10:39–10:52 UTC without any GitHub updates—the malicious code was injected only into PyPI artifacts, bypassing code review.
FutureSearch researchers noted the absence of release tags. The repository is clean, which is typical for supply chain attacks.
Malware Technical Details
Stage 1: Data Collection
Payload extracts:
- SSH keys and configurations.
.envfiles.- AWS, GCP, Azure credentials.
- Kubeconfig and Kubernetes secrets.
- Database passwords.
- Shell history.
- Crypto wallet files.
- Environment variables.
Queries are made to cloud providers' IMDS endpoints.
Stage 2: Exfiltration
Data is encrypted with AES-256-CBC using RSA-4096 (hardcoded public key) and sent to models.litellm[.]cloud—an unofficial domain.
Stage 3: Persistence
In Kubernetes, the malware:
- Reads all cluster secrets via service account token.
- Creates privileged
alpine:latestpods inkube-systemwith host FS mounted. - Installs backdoor
~/.config/sysmon/sysmon.py. - Registers systemd user service to run on all nodes.
Version 1.82.8 uses litellm_init.pth (34 628 bytes), executed automatically by Python. 1.82.7 features obfuscated code in proxy/proxy_server.py.
Detection and Remediation
Check systems with these commands:
# litellm version
pip show litellm
# Traces in uv cache
find ~/.cache/uv -name "litellm_init.pth"
# Backdoor
ls ~/.config/sysmon/sysmon.py
ls ~/.config/systemd/user/sysmon.service
In Kubernetes: kubectl get pods -n kube-system | grep node-setup-.
If versions 1.82.7/1.82.8 are installed:
pip uninstall litellm
rm -rf ~/.cache/uv
# Or: pip cache purge
Rollback to 1.82.6 (March 22, clean per Endor Labs). Rotate all credentials: SSH keys, cloud tokens, kubeconfig, API keys, DB passwords. Check CI/CD pipelines and Docker images over the past 24–48 hours.
TeamPCP Campaign Context
The attack is part of the TeamPCP campaign (since December 2025):
- March 19: Trivy (75/76 tags of
trivy-action). - March 21–23: KICS/Checkmarx, OpenVSX, CanisterWorm in npm (64+ packages).
- March 24: litellm.
Common markers: AES-256 + RSA-4096, one public key. GitHub Issue #24512 in litellm was closed as “not planned” with suspicious comments—possible account compromise.
Indicators of Compromise
- C2 domain:
models.litellm[.]cloud. - File:
litellm_init.pth. - SHA-256:
ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg. - Backdoor:
~/.config/sysmon/sysmon.py. - K8s: pods
node-setup-*inkube-system.
Key Points
- Malicious code in
.pthtriggers withoutimport, affecting all Python processes. - Exfiltration is encrypted; C2 is a fake litellm domain.
- Kubernetes exploit provides full cluster access via privileged pods.
- Part of TeamPCP chain: monitor Trivy, KICS, npm packages.
- Rollback to 1.82.6 + full credential rotation is mandatory.
— Editorial Team
No comments yet.