Back to Home

Stealer in LiteLLM: key theft on Python startup

Stealer of credentials discovered in LiteLLM 1.82.7 and 1.82.8 packages, activating on Python launch. TeamPCP attack affected thousands of developers. Replacement of all keys and CI/CD audit required.

LiteLLM under attack: stealer steals LLM keys
Advertisement 728x90

# Malicious Code in LiteLLM: API Key Stealer Activates on Python Startup

The compromise of LiteLLM packages versions 1.82.7 and 1.82.8 endangered thousands of developers. Installed from PyPI (97 million downloads per month), the package contained a stealer that exfiltrates SSH keys, AWS, GCP, and Azure tokens, Kubernetes configurations, crypto wallets, and all environment variables. It's a gateway for 100+ LLM providers, including OpenAI and Anthropic. Compromised versions have been removed; the safe version is 1.82.6.

Attack Mechanism

The malicious code triggered automatically:

  • Version 1.82.8: Launches on every Python startup via .pth files, regardless of whether the library is imported. Any script activated the stealer.
  • Version 1.82.7: Activates only upon importing LiteLLM in code.

Collected data was encrypted and sent to models.litellm.cloud—a domain masquerading as litellm.ai. In 1.82.8, a bug in the malware triggered a fork bomb: spawning child processes on every Python launch, leading to RAM exhaustion and detection.

Google AdInline article slot

The compromise happened through a transitive dependency in the MCP plugin for IDE Cursor. Without the bug, the stealer would have run stealthily.

Attack Attribution

The attack is linked to the TeamPCP group. In one week in March 2026:

  • Trivy (Aqua Security) compromise.
  • Checkmarx and KICS.
  • LiteLLM (BerriAI).

Pattern: Maintainer account hack, malicious version release, multi-stage stealer. In the BerriAI repo—commit "TeamPCP owns BerriAI", issue #24512 closed by attackers.

Google AdInline article slot

Recommendations for Checking and Recovery

  • Replace all keys: SSH, AWS/GCP/Azure tokens, K8s configs, crypto wallets, environment variables.
  • Check CI/CD: Any pip install litellm without version pinning could have pulled the malicious version.
  • Audit machines: Everywhere the package was installed, even if unused.
  • Monitor: Traffic to models.litellm.cloud.

LiteLLM manages LLM API keys, making it a prime target.

Key Takeaways

  • Steals all environment variables on Python startup (1.82.8).
  • 97 million downloads/month—scale of the threat.
  • Automatic activation without importing the library.
  • TeamPCP series of attacks on dev tools.
  • Irony: Gateway for LLM keys compromised.

— Editorial Team

Advertisement 728x90

Read Next