# Malicious Code in LiteLLM: API Key Stealer Activates on Python Startup
The compromise of LiteLLM packages versions 1.82.7 and 1.82.8 endangered thousands of developers. Installed from PyPI (97 million downloads per month), the package contained a stealer that exfiltrates SSH keys, AWS, GCP, and Azure tokens, Kubernetes configurations, crypto wallets, and all environment variables. It's a gateway for 100+ LLM providers, including OpenAI and Anthropic. Compromised versions have been removed; the safe version is 1.82.6.
Attack Mechanism
The malicious code triggered automatically:
- Version 1.82.8: Launches on every Python startup via .pth files, regardless of whether the library is imported. Any script activated the stealer.
- Version 1.82.7: Activates only upon importing LiteLLM in code.
Collected data was encrypted and sent to models.litellm.cloud—a domain masquerading as litellm.ai. In 1.82.8, a bug in the malware triggered a fork bomb: spawning child processes on every Python launch, leading to RAM exhaustion and detection.
The compromise happened through a transitive dependency in the MCP plugin for IDE Cursor. Without the bug, the stealer would have run stealthily.
Attack Attribution
The attack is linked to the TeamPCP group. In one week in March 2026:
- Trivy (Aqua Security) compromise.
- Checkmarx and KICS.
- LiteLLM (BerriAI).
Pattern: Maintainer account hack, malicious version release, multi-stage stealer. In the BerriAI repo—commit "TeamPCP owns BerriAI", issue #24512 closed by attackers.
Recommendations for Checking and Recovery
- Replace all keys: SSH, AWS/GCP/Azure tokens, K8s configs, crypto wallets, environment variables.
- Check CI/CD: Any
pip install litellmwithout version pinning could have pulled the malicious version. - Audit machines: Everywhere the package was installed, even if unused.
- Monitor: Traffic to models.litellm.cloud.
LiteLLM manages LLM API keys, making it a prime target.
Key Takeaways
- Steals all environment variables on Python startup (1.82.8).
- 97 million downloads/month—scale of the threat.
- Automatic activation without importing the library.
- TeamPCP series of attacks on dev tools.
- Irony: Gateway for LLM keys compromised.
— Editorial Team
No comments yet.