LiteLLM Supply Chain Attack: What Happened and How to Respond
A threat actor known as TeamPCP compromised the PyPI publishing credentials for LiteLLM on March 24, 2026. The group published backdoored versions 1.82.7 and 1.82.8 that contained malicious code in the wheel files. The library routes requests to large language model providers and averages 95 million monthly downloads. Version 1.82.6 is the last release known to be unaffected.
The breach started with the compromise of the Trivy scanner in LiteLLM's CI/CD pipeline between March 19 and 23. Attackers exfiltrated PyPI tokens and used them to upload the malicious packages. At 10:39 a.m. they released version 1.82.7 with a payload in proxy_server.py. Version 1.82.8 followed at 10:52 a.m. and introduced execution via the litellm_init.pth file on interpreter start.
Security researcher Callum McMahon opened GitHub issue 24512 at 11:48 a.m. after observing a fork bomb crash on his development machine. The attacker closed the issue and flooded it with bot comments at 12:44 p.m. PyPI administrators responded at 1:38 p.m.
The malware performs a three-stage attack after installation. It harvests credentials from environment variables and files, including those for OpenAI, Anthropic, Azure, and AWS or GCP. In Kubernetes environments it attempts lateral movement using service account tokens. It then installs a systemd backdoor for persistence and beaconing to a TeamPCP command and control server.
Users should check installed versions with pip show litellm and look for upgrades since March 24. High memory usage from the fork bomb serves as a behavioral indicator. Mitigation requires downgrading to 1.82.6, clearing CI/CD caches, auditing systemd services, and rotating all LLM and cloud credentials.
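The version check above and the litellm_init.pth indicator mentioned earlier, combined in an added example that is not code from the original article or from the LiteLLM project: a Python script that inspects a site-packages directory on disk without importing litellm. Because 1.82.8 runs on interpreter start, the script takes the suspect directory as an argument so it can be run from a separate, clean interpreter; the function names and the sample directory layout are constructed for illustration.

```python
import sys
import tempfile
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # backdoored releases named in the article
PTH_NAME = "litellm_init.pth"        # startup hook named in the article

def installed_version(site_dir: Path):
    """Read the litellm version from wheel metadata without importing it."""
    for meta in sorted(site_dir.glob("litellm-*.dist-info/METADATA")):
        for line in meta.read_text(errors="replace").splitlines():
            if line.startswith("Version:"):
                return line.split(":", 1)[1].strip()
    return None

def audit_site_dir(site_dir):
    """Return a list of findings for one site-packages directory."""
    site_dir = Path(site_dir)
    findings = []
    version = installed_version(site_dir)
    if version in BAD_VERSIONS:
        findings.append(f"litellm {version} (backdoored release)")
    if (site_dir / PTH_NAME).is_file():
        findings.append(f"{PTH_NAME} present")
    return findings

def make_sample(root: Path, version: str, with_pth: bool) -> Path:
    """Build a constructed site-packages layout for demonstration only."""
    info = root / f"litellm-{version}.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text(
        f"Metadata-Version: 2.1\nName: litellm\nVersion: {version}\n")
    if with_pth:
        (root / PTH_NAME).write_text("# constructed placeholder, no payload\n")
    return root

if __name__ == "__main__":
    # Directories to audit come from the command line; with no arguments,
    # a constructed sample is audited so the script runs offline.
    targets = [Path(p) for p in sys.argv[1:]]
    if not targets:
        sample_root = Path(tempfile.mkdtemp()) / "site-packages"
        targets = [make_sample(sample_root, "1.82.8", True)]
    for target in targets:
        for finding in audit_site_dir(target) or ["no indicators found"]:
            print(f"{target}: {finding}")
```

A clean result from this script covers only the two indicators it looks for; the systemd audit and credential rotation described above still apply to any host that installed an affected version.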
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from Cycode and reviewed by the T&B editorial agent team.