You run pip install litellm, grab coffee, come back to your terminal. Everything looks normal. Your SSH keys — the digital master passwords to your servers — are already on their way to someone else's inbox.

On March 24, 2026, that exact scenario played out for real.

What happened

LiteLLM is the most popular open-source LLM proxy — a universal translator that lets your code talk to any AI model (Claude, GPT, Gemini) through a single interface. Roughly 3.4 million downloads per day. If you work with AI in Python, you've probably touched it.

A threat actor called TeamPCP uploaded two poisoned versions — 1.82.7 and 1.82.8 — straight to PyPI (Python Package Index — the app store where Python libraries live). The malware inside harvested SSH keys, cloud credentials, API tokens, and environment variables. Then it tried to spread across Kubernetes clusters — those networks of containers that run most cloud infrastructure.

The nasty part: version 1.82.8 used a .pth file. Python's site module processes every .pth file in site-packages when the interpreter starts, and it executes any line in those files that begins with import. Not when you import a library. When any Python process launches. Your IDE's autocomplete? Compromised. Running pip install something-else? Compromised. The malware didn't need your permission or your attention.

How they got in

TeamPCP didn't hack LiteLLM directly. They played a longer game.

First, they backdoored Aqua Security's Trivy — a popular open-source security scanner — by poisoning one of its GitHub Actions (automated scripts that run inside CI/CD pipelines — the conveyor belts that build and ship code). The compromised Trivy ran inside LiteLLM's own CI pipeline, doing what it always does: scanning for vulnerabilities. Except now it was also quietly stealing PyPI credentials.

With those stolen credentials, TeamPCP uploaded malicious packages directly to PyPI. No pull request. No code review. No red flags. The security tool became the attack vector.

Datadog Security Labs traced this to a coordinated multi-week campaign that also hit Checkmarx's KICS scanner. TeamPCP weaponized the tools companies use to protect themselves.

Three hours was enough

The malicious versions sat on PyPI for roughly three hours — between 10:39 UTC and 16:00 UTC on March 24. The community flagged it, and PyPI quarantined the package. The compromise didn't touch LiteLLM Cloud or official Docker images, because they use pinned versions.

But three hours at 3.4 million downloads per day means thousands of installations. Anyone who ran pip install --upgrade litellm during that window — or had an automated pipeline that did it for them — got owned.

What to do if you're affected

If you installed or upgraded LiteLLM on March 24 between 10:39–16:00 UTC, congratulations — your weekend just got cancelled:

  • Rotate everything. SSH keys, cloud tokens, API keys, database passwords — anything that lived in your environment variables
  • Check for lateral movement. Especially inside Kubernetes clusters. The malware actively tried to spread
  • Pin to version 1.82.6 or earlier until the dust fully settles
  • Audit your CI/CD. If you use Trivy or Checkmarx KICS, verify your GitHub Actions haven't been tampered with
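
To help decide whether a machine belongs on that list, here is an added example (not code from LiteLLM or from any of the reports cited here) that reads package metadata for the two versions named above and lists the .pth lines Python would execute at startup. The function names and the files created in demo() are constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # the two releases named in the article


def executable_pth_lines(pth_path):
    """Return (line_no, text) for lines the site module would exec at startup."""
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    # site.py execs a .pth line only if it starts with "import" + space or tab.
    return [(no, line.strip()[:120]) for no, line in enumerate(text.splitlines(), 1)
            if line.startswith(("import ", "import\t"))]


def litellm_versions(site_dir):
    """Read versions from dist-info METADATA files without importing anything."""
    found = []
    for meta in Path(site_dir).glob("litellm-*.dist-info/METADATA"):
        m = re.search(r"^Version:\s*(\S+)", meta.read_text(errors="replace"), re.M)
        if m:
            found.append(m.group(1))
    return found


def audit(site_dir):
    """Summarise one site-packages dir; .pth hits are leads to review, not verdicts."""
    pth = {p.name: executable_pth_lines(p) for p in sorted(Path(site_dir).glob("*.pth"))}
    return {"bad_versions": sorted(set(litellm_versions(site_dir)) & BAD_VERSIONS),
            "exec_pth": {name: hits for name, hits in pth.items() if hits}}


def demo():
    """Audit a constructed site-packages tree (file names below are made up)."""
    with tempfile.TemporaryDirectory() as d:
        info = Path(d, "litellm-1.82.8.dist-info")
        info.mkdir()
        (info / "METADATA").write_text("Metadata-Version: 2.1\nName: litellm\nVersion: 1.82.8\n")
        Path(d, "paths_only.pth").write_text("# comment\n../vendored\n")
        Path(d, "example_hook.pth").write_text("import os; os.environ.get('HOME')\n")
        return audit(d)


if __name__ == "__main__":
    for target in sys.argv[1:] or [None]:
        print(target or "constructed demo", audit(target) if target else demo())
```

Pass site-packages directories as arguments and run it with python -S, which stops the interpreter from loading the site module and processing .pth files while you inspect them. Legitimate tools such as editable installs also ship import lines in .pth files, so each hit needs a look at what the line actually does.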

The pattern that should scare you

This attack isn't special because of LiteLLM. It's special because of the method. TeamPCP didn't find a zero-day. They didn't phish a maintainer. They compromised a security scanner — a tool that exists specifically to prevent this kind of thing — and used it as a skeleton key to everything downstream.

Supply chain attacks — where hackers target the tools and libraries your code depends on instead of attacking you directly — keep getting more creative. Trust chains in open source are long and fragile. You trust LiteLLM. LiteLLM trusts Trivy. Trivy trusts a GitHub Action. The GitHub Action trusts... who, exactly?

Pin your dependencies. Verify checksums. Don't auto-upgrade in production. And maybe treat your security scanner with the same suspicion you'd treat any other dependency — because apparently, it deserves it.

LiteLLM Security Update · Snyk Analysis · Datadog Security Labs · BleepingComputer