Back to Home

Attack on litellm: credentials theft in PyPI

Compromise of litellm versions 1.82.7 and 1.82.8 on PyPI includes collection and exfiltration of credentials via .pth files and K8s pods. Mechanisms, IoC, and remediation steps described. Attack linked to TeamPCP campaign.

litellm under attack: stealer in PyPI versions
Advertisement 728x90

# Compromise of litellm 1.82.7/1.82.8: Credential Theft Mechanism via PyPI

The litellm library in versions 1.82.7 and 1.82.8 on PyPI contains malicious code that steals SSH keys, cloud credentials, Kubernetes secrets, and API keys. The attack leverages the supply chain, triggering automatically when launching the Python interpreter or importing the module. Affected systems include those with transitive dependencies, such as Cursor's MCP plugins.

Incident Detection

The attack surfaced through a fork bomb in a .pth file that exhausted host resources. Without this bug, the malware could have operated stealthily. The versions were published on March 24, 2026, between 10:39–10:52 UTC without any GitHub updates—the malicious code was injected only into PyPI artifacts, bypassing code review.

FutureSearch researchers noted the absence of release tags. The repository is clean, which is typical for supply chain attacks.

Google AdInline article slot

Malware Technical Details

Stage 1: Data Collection

Payload extracts:

  • SSH keys and configurations.
  • .env files.
  • AWS, GCP, Azure credentials.
  • Kubeconfig and Kubernetes secrets.
  • Database passwords.
  • Shell history.
  • Crypto wallet files.
  • Environment variables.

Queries are made to cloud providers' IMDS endpoints.

Stage 2: Exfiltration

Data is encrypted with AES-256-CBC using RSA-4096 (hardcoded public key) and sent to models.litellm[.]cloud—an unofficial domain.

Google AdInline article slot

Stage 3: Persistence

In Kubernetes, the malware:

  • Reads all cluster secrets via service account token.
  • Creates privileged alpine:latest pods in kube-system with host FS mounted.
  • Installs backdoor ~/.config/sysmon/sysmon.py.
  • Registers systemd user service to run on all nodes.

Version 1.82.8 uses litellm_init.pth (34 628 bytes), executed automatically by Python. 1.82.7 features obfuscated code in proxy/proxy_server.py.

Detection and Remediation

Check systems with these commands:

Google AdInline article slot
# litellm version
pip show litellm

# Traces in uv cache
find ~/.cache/uv -name "litellm_init.pth"

# Backdoor
ls ~/.config/sysmon/sysmon.py
ls ~/.config/systemd/user/sysmon.service

In Kubernetes: kubectl get pods -n kube-system | grep node-setup-.

If versions 1.82.7/1.82.8 are installed:

pip uninstall litellm
rm -rf ~/.cache/uv
# Or: pip cache purge

Rollback to 1.82.6 (March 22, clean per Endor Labs). Rotate all credentials: SSH keys, cloud tokens, kubeconfig, API keys, DB passwords. Check CI/CD pipelines and Docker images over the past 24–48 hours.

TeamPCP Campaign Context

The attack is part of the TeamPCP campaign (since December 2025):

  • March 19: Trivy (75/76 tags of trivy-action).
  • March 21–23: KICS/Checkmarx, OpenVSX, CanisterWorm in npm (64+ packages).
  • March 24: litellm.

Common markers: AES-256 + RSA-4096, one public key. GitHub Issue #24512 in litellm was closed as “not planned” with suspicious comments—possible account compromise.

Indicators of Compromise

  • C2 domain: models.litellm[.]cloud.
  • File: litellm_init.pth.
  • SHA-256: ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg.
  • Backdoor: ~/.config/sysmon/sysmon.py.
  • K8s: pods node-setup-* in kube-system.

Key Points

  • Malicious code in .pth triggers without import, affecting all Python processes.
  • Exfiltration is encrypted; C2 is a fake litellm domain.
  • Kubernetes exploit provides full cluster access via privileged pods.
  • Part of TeamPCP chain: monitor Trivy, KICS, npm packages.
  • Rollback to 1.82.6 + full credential rotation is mandatory.

— Editorial Team

Advertisement 728x90

Read Next