A Routine Pip Install Just Handed Hackers Your Cloud Keys

A backdoored LiteLLM package silently harvested SSH keys, cloud tokens, and API credentials from hundreds of thousands of machines.

Dateline: March 25, 2026. 

TeamPCP Didn’t Hack You. Your Package Manager Did the Work for Them.

You ran pip install, went for coffee, and came back compromised.

That’s not a metaphor. That’s what happened to developers across the world who installed LiteLLM versions 1.82.7 or 1.82.8 on Monday.

What Happened?

LiteLLM is an open-source Python library that serves as a gateway to multiple large language model providers via a single API. The package pulls in over 3.4 million daily downloads, with roughly 95 million in the past month.

On March 24, attackers pushed two backdoored versions to PyPI. Version 1.82.8 contained a malicious file called litellm_init.pth that executed automatically on every Python process startup. You didn’t even need to import the library for it to run.

The payload ran a three-stage attack: it harvested credentials from the host, encrypted them with a hardcoded RSA public key using AES-256-CBC, bundled everything into a tar archive, and posted it to an attacker-controlled domain.

What was in that archive? Essentially everything. SSH private keys, AWS access keys, GCP credentials, Azure tokens, Kubernetes configs, API keys in .env files, database passwords, and crypto wallet files. The attacker didn’t leave much behind.

The LiteLLM team believes a maintainer’s PyPI account was compromised and that the compromise is linked to the broader Trivy security incident, in which stolen credentials were reportedly used to gain unauthorized access to the LiteLLM publishing pipeline. Google’s Mandiant team has been brought in for forensic analysis.

The person who caught it? A developer whose machine crashed. Callum McMahon was using an MCP plugin inside Cursor that pulled in LiteLLM as a transitive dependency. When version 1.82.8 installed, the machine ran out of RAM and shut down. Without that bug in the attack code, it might have gone undetected for days or weeks.


What’s the Impact?

This wasn’t a niche threat. Widely trusted packages within the AI ecosystem are increasingly high-value targets in software supply chain attacks. LiteLLM sits at the center of the AI developer stack, used inside agent frameworks, MCP servers, and LLM orchestration tools. That means developers who never typed pip install litellm directly were still at risk — it came in through something else they trusted.

The attack has been claimed by TeamPCP, the same group behind the recent breach of Aqua Security’s Trivy vulnerability scanner, which cascaded into compromises of Aqua Security Docker images and the Checkmarx KICS project.

In environments where developers, CI/CD systems, and production infrastructure share access to sensitive credentials, a single compromised layer can quickly cascade into others.

Both malicious versions have since been pulled from PyPI. Version 1.82.6 is now the latest confirmed clean release.


What to Do Right Now

If you or your team work with AI tooling, treat this as a fire drill that already happened.

Check your installed version with pip show litellm. If you’re on 1.82.7 or 1.82.8, rotate every credential that was accessible from that machine — SSH keys, cloud provider tokens, database passwords, and API keys.

Beyond that: search for persistence artifacts like ~/.config/sysmon/sysmon.py and related systemd services, review Kubernetes clusters for unauthorized pods in the kube-system namespace, and inspect systems for suspicious files like /tmp/pglog and /tmp/.pg_state.
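
A triage sketch for the checks above, added here as an example and not taken from LiteLLM or any incident report: it looks for the litellm_init.pth hook, metadata for the two backdoored versions, and the artifact paths listed in this article, using only find and test so that no Python interpreter (and therefore no .pth hook) is started. It assumes wheel-style installs that leave a litellm-<version>.dist-info directory, and the search roots used in --host mode are assumed typical locations; the systemd and Kubernetes checks are not covered.

```shell
#!/bin/sh
# Added example: file-system triage for the indicators named in the article.
# Function names and the PTH/VERSION/ARTIFACT output labels are illustrative.

BAD_VERSIONS="1.82.7 1.82.8"   # backdoored releases named in the article

# scan_site_packages ROOT... : print hook files and bad-version metadata dirs.
scan_site_packages() {
  local root v
  for root in "$@"; do
    [ -d "$root" ] || continue
    # Startup hook that runs on every Python process start
    find "$root" -type f -name 'litellm_init.pth' -print 2>/dev/null | sed 's/^/PTH /'
    # Assumption: pip wheel installs leave litellm-<version>.dist-info
    for v in $BAD_VERSIONS; do
      find "$root" -type d -name "litellm-$v.dist-info" -print 2>/dev/null \
        | sed 's/^/VERSION /'
    done
  done
  return 0
}

# scan_artifacts HOME_DIR TMP_DIR : persistence and staging paths from the article.
scan_artifacts() {
  local home_dir="$1" tmp_dir="$2" f
  for f in "$home_dir/.config/sysmon/sysmon.py" \
           "$tmp_dir/pglog" "$tmp_dir/.pg_state"; do
    [ -e "$f" ] && echo "ARTIFACT $f"
  done
  return 0
}

# triage HOME_DIR TMP_DIR ROOT... : print findings; return 1 if anything was found.
triage() {
  local home_dir="$1" tmp_dir="$2" out
  shift 2
  out="$(scan_site_packages "$@"; scan_artifacts "$home_dir" "$tmp_dir")"
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Scan the live host only when asked: ./triage.sh --host
# Search roots below are assumed common locations; add your venv and CI paths.
if [ "${1:-}" = "--host" ]; then
  triage "$HOME" /tmp "$HOME" /usr/lib /usr/local/lib /opt
fi
```

Any output line means the host should be handled as described above: rotate every credential that was reachable from it. A clean result only shows that these specific files are absent now, not that the host was never exposed.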

Longer term, consider pinning dependencies to verified versions and reviewing your supply chain exposure. Every package you install carries its entire dependency tree with it. A single compromised maintainer account can cascade through thousands of downstream projects within minutes. That’s not a hypothetical anymore.