Mar 25, 2026 · 5 min read
The AI Library That Holds All Your API Keys Was Just Backdoored
LiteLLM, a Python library downloaded 3.4 million times per day and present in 36% of cloud environments, was compromised with a three-stage credential stealer. The attack was part of TeamPCP's ongoing supply chain campaign that previously hit Aqua Security's Trivy scanner.
What Happened
On March 24, 2026, two malicious versions of LiteLLM (1.82.7 and 1.82.8) appeared on PyPI, the Python Package Index. The compromised packages contained a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor. PyPI quarantined the package approximately three hours after publication.
Three hours does not sound like a long time. But LiteLLM averages 3.4 million downloads per day. That is roughly 425,000 downloads in a three-hour window. Not all of those triggered the malicious payload, but any automated CI/CD pipeline, Docker build, or development environment that pulled the latest version during that window was potentially compromised.
Why LiteLLM Matters
LiteLLM is a unified interface for calling large language model APIs. Developers use it to switch between OpenAI, Anthropic, Google, and dozens of other providers without rewriting code. That means LiteLLM typically has access to every API key in an organization's AI stack.
According to Wiz, LiteLLM is present in 36% of cloud environments. Compromising it is not like backdooring a niche utility. It is like poisoning a water main that feeds a third of the neighborhood.
The Three-Stage Payload
The malicious package used Python's .pth file mechanism, which executes arbitrary code during interpreter initialization. This means the payload ran whenever Python was invoked on the system, whether or not the developer explicitly imported LiteLLM.
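The hook described above is specific: when the interpreter starts, Python's `site` module reads every `.pth` file in each site-packages directory, adds ordinary lines to `sys.path`, and passes any line that begins with `import` to `exec()`. The script below, an added example that is not code from the article or from the LiteLLM project, lists those executable lines so a responder can compare them against the tools they expect to find. The allowlist of known-good markers and the sample `.pth` contents are assumptions constructed for the example.

```python
"""Audit .pth files for lines that Python executes at interpreter startup.

Added example, not from the article or the LiteLLM project. The site module
treats a .pth line starting with "import " or "import\t" as code to exec();
every other non-comment line is just a sys.path entry.
"""
import os
import site
import tempfile
from typing import List, Tuple

# Prefixes that site.py executes instead of treating as a path entry.
EXEC_PREFIXES = ("import ", "import\t")

# Tools that commonly ship executable .pth lines. This allowlist is an
# assumption for the example; tune it to what your environment installs.
KNOWN_GOOD_MARKERS = ("_virtualenv", "distutils-precedence", "editable", "coverage")


def scan_pth_dir(directory: str) -> List[Tuple[str, int, str]]:
    """Return (file, line_number, line) for every executable line in .pth files."""
    findings: List[Tuple[str, int, str]] = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, raw in enumerate(fh, start=1):
                    line = raw.rstrip("\n")
                    if line.startswith(EXEC_PREFIXES):
                        findings.append((path, lineno, line))
        except OSError:
            continue
    return findings


def is_unrecognised(line: str) -> bool:
    """True when an executable .pth line matches none of the known-good markers."""
    return not any(marker in line for marker in KNOWN_GOOD_MARKERS)


def scan_all_site_packages() -> List[Tuple[str, int, str]]:
    """Scan every site-packages directory the running interpreter will load."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    dirs.append(site.getusersitepackages())
    return [f for d in dict.fromkeys(dirs) for f in scan_pth_dir(d)]


def demo_with_constructed_files() -> dict:
    """Build a throwaway site-packages dir with one expected and one unexpected .pth."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: the kind of import hook a packaging tool ships.
        with open(os.path.join(tmp, "_virtualenv.pth"), "w") as fh:
            fh.write("import _virtualenv\n")
        # Constructed sample: one plain path line (never executed) and one
        # import line carrying an inline statement. The statement is harmless.
        with open(os.path.join(tmp, "zz_unknown.pth"), "w") as fh:
            fh.write("/opt/some/path\n")
            fh.write("import os; os.environ.setdefault('X', '1')\n")
        findings = scan_pth_dir(tmp)
        return {
            "executable_lines": len(findings),
            "unrecognised": [os.path.basename(p) for p, _, l in findings if is_unrecognised(l)],
        }


if __name__ == "__main__":
    print(demo_with_constructed_files())
    for path, lineno, line in scan_all_site_packages():
        flag = "REVIEW" if is_unrecognised(line) else "known"
        print(f"[{flag}] {path}:{lineno}: {line}")
```

Run it once per interpreter you care about (system Python, each virtualenv, each container image layer), because every one of them has its own site-packages and its own set of `.pth` files. A `REVIEW` line is not proof of compromise, but it is code that runs on every Python invocation and should be traceable to a package you installed on purpose.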
The attack consisted of three components:
- Credential harvester: Swept SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes secrets, cryptocurrency wallets, and .env files from the host machine.
- Kubernetes lateral movement: Deployed privileged pods to every node in the cluster, extending the attacker's reach across the entire infrastructure.
- Persistent backdoor: Installed a systemd service that polled for additional payloads, ensuring the attacker could maintain access even after the malicious package was removed.
The TeamPCP Campaign
The LiteLLM compromise is not an isolated incident. It is part of a coordinated multi-week supply chain campaign by a threat actor tracked as TeamPCP. The group first compromised Aqua Security's Trivy scanner on March 19, then used stolen CI/CD credentials from that attack to pivot into Checkmarx's GitHub Actions and LiteLLM's PyPI publishing pipeline.
The chain of compromise illustrates how a single breach in a CI/CD tool can cascade across the software supply chain. Trivy is a security scanner. Compromising it gave TeamPCP access to the build pipelines of every project that used Trivy for vulnerability scanning, including LiteLLM. The group has since expanded its reach further, planting malware inside a Telnyx telephony package on PyPI using the same supply chain tactics.
What You Should Do
If your systems pulled LiteLLM versions 1.82.7 or 1.82.8 between their publication and PyPI's quarantine on March 24, treat every credential on that machine as compromised:
- Rotate all API keys, SSH keys, and cloud credentials stored on or accessible from the affected machine.
- Check for unauthorized systemd services that may indicate the persistent backdoor.
- Audit Kubernetes clusters for pods deployed by an unfamiliar service account.
- Review your CI/CD pipeline to determine if Trivy was used in your build process, which may have been the initial entry point.
- Pin dependencies to specific versions rather than using floating version ranges in production environments.
The broader lesson is that supply chain attacks are becoming industrialized. Just days after this incident, North Korean hackers backdoored the axios npm package, which receives over 100 million weekly downloads. A single compromised build tool can propagate malware across hundreds of downstream projects. The same principle applies to browser extensions that steal credentials and any other software that sits between you and your sensitive data.