Two versions of LiteLLM, an open source interface for accessing multiple large language models, have been removed from the Python Package Index (PyPI) following a supply chain attack that injected them with malicious credential-stealing code. The incident marks a critical inflection point in the current threat landscape: "The open source supply chain is collapsing in on itself," Gal Nagli, head of threat exposure at Google-owned Wiz, said. "Trivy gets compromised → LiteLLM gets compromised → credentials from tens of thousands of environments end up in attacker hands → and those credentials lead to the next compromise. We are stuck in a loop."
On March 24, 2026, two versions of the litellm Python package on PyPI were found to contain malicious code. The packages (versions 1.82.7 and 1.82.8) were published by a threat actor known as TeamPCP after they obtained the maintainer's PyPI credentials through a prior compromise of Trivy, an open source security scanner used in LiteLLM's CI/CD pipeline. The package receives approximately 97 million downloads per month.
What unfolded is a stark reminder that even tools explicitly designed for security can become vectors for widespread harm. LiteLLM is an API key management gateway. The attacker targeted the one package that, by definition, has access to every LLM API key in the organisation. The malware payload itself demonstrates escalating sophistication across the two compromised versions. Version 1.82.7 had a base64-encoded payload embedded directly inside litellm/proxy/proxy_server.py that executes when anything imports litellm.proxy. Version 1.82.8 added litellm_init.pth to site-packages. The .pth mechanism fires on every Python interpreter startup with no import required, including when pip, python -c, or an IDE's language server starts Python.
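The .pth startup hook described above is worth understanding precisely, because it is the part of the payload that runs without any import. The interpreter's site.py processes every *.pth file in site-packages at startup: a line that begins with "import " (or "import" followed by a tab) is executed as Python code, and every other non-comment line is merely appended to sys.path. That means a defender can enumerate every such hook in an environment rather than hunting for one file name. The script below is an added example written for this article, not code from LiteLLM, PyPA or any of the vendors quoted; it lists every .pth line that would be executed at startup, reports the installed litellm version against the two versions named in the advisory, and includes a constructed sample directory so it can be run offline. The file names in the sample are invented.

```python
"""Audit a Python environment for interpreter-startup hooks in .pth files and
for the litellm versions the PyPA advisory names. Added example; not LiteLLM,
PyPA or vendor code."""
import sysconfig
import tempfile
from importlib import metadata
from pathlib import Path

# The two litellm versions the advisory identifies as compromised.
COMPROMISED_LITELLM = {"1.82.7", "1.82.8"}


def site_package_dirs():
    """Directories whose *.pth files site.py processes at interpreter startup."""
    paths = sysconfig.get_paths()
    dirs = {paths["purelib"], paths["platlib"]}
    return [Path(d) for d in sorted(dirs) if Path(d).is_dir()]


def executable_pth_lines(pth_path):
    """Return (line_number, text) for each line of a .pth file that site.py
    would exec() at startup. Only lines starting with 'import ' or 'import\\t'
    are executed; other non-comment lines are plain sys.path entries. The file
    is only read here, never executed."""
    hits = []
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    for number, line in enumerate(text.splitlines(), start=1):
        if line.startswith(("import ", "import\t")):
            hits.append((number, line.strip()))
    return hits


def audit_pth_files(dirs):
    """Map every .pth file under the given directories that contains at least
    one executable line to those lines. Some legitimate packages (setuptools,
    virtualenv, editable installs) ship .pth files with import lines, so each
    entry is a review item, not an automatic removal."""
    report = {}
    for directory in dirs:
        for pth in sorted(Path(directory).glob("*.pth")):
            lines = executable_pth_lines(pth)
            if lines:
                report[str(pth)] = lines
    return report


def installed_litellm_version():
    """Version string of litellm in this environment, or None if absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def litellm_verdict(version):
    """Classify a litellm version against the advisory's compromised list."""
    if version is None:
        return "not installed"
    if version in COMPROMISED_LITELLM:
        return "COMPROMISED (advisory)"
    return "not listed in advisory"


def demo_report():
    """Audit a constructed sample directory (invented file names, not a real
    site-packages) so the scanner can be exercised offline."""
    sample = Path(tempfile.mkdtemp(prefix="pth_demo_"))
    (sample / "paths_only.pth").write_text("/opt/vendor/lib\n# comment\n", encoding="utf-8")
    (sample / "startup_hook.pth").write_text(
        "import sys; sys.stdout.write('hook ran')\n", encoding="utf-8"
    )
    return audit_pth_files([sample])


if __name__ == "__main__":
    version = installed_litellm_version()
    print(f"litellm {version}: {litellm_verdict(version)}")
    for path, lines in audit_pth_files(site_package_dirs()).items():
        print(f"{path}: {len(lines)} executable line(s)")
        for number, line in lines:
            print(f"  line {number}: {line}")
```

Run it with the same interpreter that the affected project uses (a virtualenv has its own site-packages), since every interpreter, including the one an IDE's language server launches, processes only its own .pth files.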
The original point of entry was a misconfiguration. The malware campaign began in late February, when the attackers took advantage of a misconfiguration in Trivy's GitHub Actions environment to steal a privileged access token that allowed the manipulation of CI/CD, according to Aqua Security. From there, the attack branched in ways that illustrate how incomplete incident response can create cascading vulnerabilities. The attacker had valid credentials with sufficient privileges to push code and rewrite tags. The security vendor acknowledged that the latest attack stemmed from incomplete containment of an earlier incident.
The campaign now spans multiple software ecosystems. TeamPCP has waged a relentless supply chain attack campaign spanning five ecosystems (GitHub Actions, Docker Hub, npm, Open VSX, and PyPI) to expand its targeting footprint and bring more and more systems under its control. The LiteLLM attack is the third major wave in TeamPCP's March 2026 campaign. Trivy provided initial access. CanisterWorm spread through the npm ecosystem. Now a malicious PyPI package reaches a different but overlapping audience: AI and ML developers who use LiteLLM to integrate language models into applications. These pipelines routinely have access to cloud credentials, model API keys, and production infrastructure.
The response from affected projects has been immediate but reactive. The Python Packaging Authority (PyPA) has published a security advisory about the LiteLLM compromise. "Anyone who has installed and run the project should assume any credentials available to [the] LiteLLM environment may have been exposed, and revoke/rotate them accordingly," the advisory says.
Defenders and security teams face a hard truth here. A single compromised maintainer account can cascade through thousands of downstream projects in minutes, and the window between compromise and detection is shrinking but still far too wide. The attack vector itself reveals why traditional dependency management strategies are insufficient. Pinning versions helps, but only if you're pinning to a known-good version before the compromise. Lockfiles help, but only if you don't update them blindly.
For organisations operating at scale, the implications are severe. LiteLLM is present in 36% of cloud environments, signifying the potential for widespread impact. The attackers demonstrated they understand the value chain: targeting not just security tools, but the tools that security teams rely upon. The message from the threat actor, left in defaced repositories, indicates confidence in the scope of ongoing operations. Socket said: "TeamPCP is escalating a coordinated campaign targeting security tools and open source developer infrastructure, and is now openly taking credit for multiple follow-on attacks across ecosystems." The threat actor added: "The snowball effect from this will be massive, we are already partnering with other teams to perpetuate the chaos, many of your favourite security tools and open-source projects will be targeted in the months to come so stay tuned."
The architecture of open source dependency chains means that even organisations with strong internal security disciplines can be compromised through a single weak link far upstream in the supply graph. The shift from npm to PyPI, and from module-level hooks to .pth auto-execution, shows an actor that is actively evolving its delivery mechanisms across ecosystems while keeping the same core payload and infrastructure. Reasonable people disagree on whether the open source model as currently practised can sustain itself under this level of targeting. What's no longer debatable is the scale of the problem or the speed at which it propagates.