March 24, 2026
Zeyan Liu

Supply Chain Attack on LiteLLM: What Happened and Why It Matters


On March 24, 2026, Scantist identified a major supply chain attack targeting LiteLLM, a widely used Python library for routing requests across multiple large language model providers. Two compromised releases, versions 1.82.7 and 1.82.8, were uploaded to PyPI containing credential-stealing malware capable of spreading across cloud infrastructure and Kubernetes clusters.

This incident highlights a growing trend: attackers are increasingly targeting AI infrastructure and developer tooling — environments that often hold high-value credentials and production access.

Affected Packages

| Package Name | Version(s) | Publication Date | Injection Vectors | Status |
|---|---|---|---|---|
| litellm | 1.82.7 | 2026-03-24 | proxy_server.py (import-time) | Removed from PyPI |
| litellm | 1.82.8 | 2026-03-24 | proxy_server.py (import-time) + litellm_init.pth (interpreter startup) | Removed from PyPI |

Last known clean version: litellm@1.82.6 (published 2026-03-22, verified clean by Scantist).

What Happened

Security researchers discovered that LiteLLM versions 1.82.7 and 1.82.8 contained malicious code that did not exist in the upstream GitHub repository. This strongly suggests that publishing credentials were compromised and malicious packages were uploaded directly to PyPI, bypassing the normal release pipeline.

Version 1.82.8 introduced a particularly dangerous technique. A .pth file named litellm_init.pth was included in the package. Python automatically executes .pth files whenever the interpreter starts, meaning the malware ran every time Python launched — even if LiteLLM was never imported.

This turned the compromise into an environment-wide attack.
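
The startup hook described above can be audited directly. The following is an added example, not code from Scantist or the LiteLLM project: it lists every .pth file in the interpreter's site-packages directories that contains a line starting with "import", which is the kind of line Python's site module executes at startup. The function names are illustrative.

```python
"""Audit .pth files for lines the interpreter executes at startup (added example)."""
import site
from pathlib import Path


def executable_pth_lines(pth_file):
    """Return the lines of a .pth file that site.py would exec() at startup.

    site.py treats ordinary lines as directories to add to sys.path, but it
    executes any line that starts with "import" followed by a space or tab.
    """
    text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    return [ln.rstrip() for ln in text.splitlines()
            if ln.startswith(("import ", "import\t"))]


def audit_site_dirs(dirs):
    """Map each .pth file in the given directories to its executable lines."""
    findings = {}
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            lines = executable_pth_lines(pth)
            if lines:
                findings[str(pth)] = lines
    return findings


def default_site_dirs():
    """System and per-user site-packages directories of this interpreter."""
    return list(site.getsitepackages()) + [site.getusersitepackages()]


if __name__ == "__main__":
    for path, lines in audit_site_dirs(default_site_dirs()).items():
        print(path)
        for ln in lines:
            print("    executes:", ln[:120])
```

Some legitimate packages also ship .pth files with import lines (editable installs, for example), so each hit is something to review against the package that owns it rather than proof of compromise.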

What the Malware Did

The malicious payload operated in three stages.

Stage 1 — Credential Harvesting

The malware collected sensitive information including:

  • SSH keys
  • .env files
  • AWS, GCP, and Azure credentials
  • Kubernetes configs
  • Database passwords
  • Crypto wallet files
  • TLS certificates
  • CI/CD secrets
  • Shell history

It also queried cloud metadata endpoints and dumped environment variables, allowing attackers to harvest infrastructure-level secrets.

Stage 2 — Kubernetes Lateral Movement

If Kubernetes access was detected, the malware:

  • Enumerated cluster nodes
  • Created privileged pods
  • Mounted the host filesystem
  • Installed backdoors on every node

Pods were deployed under kube-system using names like node-setup-*. This allowed full cluster compromise, which is especially dangerous for AI workloads that commonly run in Kubernetes environments.

Stage 3 — Persistent Backdoor

The malware installed persistence files:

  • ~/.config/sysmon/sysmon.py
  • ~/.config/systemd/user/sysmon.service

After installation, the backdoor:

  • Waited five minutes
  • Polled attacker infrastructure every 50 minutes
  • Downloaded additional payloads
  • Executed silently

This allowed long-term persistence even after the initial compromise.

Data Exfiltration

Collected credentials were encrypted using AES-256 and protected with RSA-4096, packaged as tpcp.tar.gz, and exfiltrated to attacker-controlled domains:

  • models.litellm.cloud
  • checkmarx.zone

These indicators match infrastructure previously associated with the TeamPCP threat actor, which has been conducting a multi-ecosystem supply chain campaign.

Why LiteLLM Was Targeted

LiteLLM is widely used across AI applications and infrastructure. With tens of millions of downloads monthly, it often runs in environments containing:

  • LLM provider API keys
  • Cloud credentials
  • CI/CD tokens
  • Production infrastructure access

Compromising LiteLLM gives attackers access to high-value environments. This illustrates the growing “security-tool paradox” — tools that require broad access to function become high-impact targets when compromised.

Part of a Larger Campaign

This attack appears to be part of a broader campaign spanning multiple ecosystems:

  • February 28 — Trivy compromise
  • March 19 — npm worm deployment
  • March 22 — Docker Hub compromise
  • March 23 — Checkmarx KICS compromise
  • March 24 — LiteLLM compromise

Attackers appear to be chaining credentials from one compromise to pivot into the next environment.

How It Was Discovered

Engineers noticed Python processes crashing and spawning exponentially. The malicious .pth file triggered repeatedly, creating a fork bomb that crashed systems.

Ironically, this bug in the malware helped researchers detect the compromise early.

Who Is Affected

You may be affected if you installed LiteLLM on or after March 24, 2026 and are using:

  • 1.82.7
  • 1.82.8

The last known clean version is 1.82.6.

Immediate Actions

Check installed version:

pip show litellm

Search for malicious file:

find ~/.cache -name "litellm_init.pth"

Check persistence artifacts:

  • ~/.config/sysmon/sysmon.py
  • ~/.config/systemd/user/sysmon.service

Check Kubernetes clusters:

kubectl get pods -n kube-system | grep node-setup
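
The checks above can be combined into one triage pass per host. The following is an added example, not a tool from Scantist or the LiteLLM project; it uses only the indicators listed in this post, and it also looks in site-packages, where an installed .pth file lives, in addition to ~/.cache. The function names and finding labels are illustrative.

```python
"""Host triage for the indicators listed in this post (added example)."""
import site
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}   # compromised releases named in the post
PTH_NAME = "litellm_init.pth"          # startup hook shipped in 1.82.8
PERSISTENCE = (".config/sysmon/sysmon.py",
               ".config/systemd/user/sysmon.service")


def installed_litellm_version():
    """Version of litellm in the current environment, or None if absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def triage(home, site_dirs, version):
    """Return a list of (indicator, detail) findings for one environment."""
    home = Path(home)
    findings = []
    if version in BAD_VERSIONS:
        findings.append(("compromised-version", f"litellm=={version}"))
    # Search site-packages as well as the cache directory the post names.
    roots = [Path(d) for d in site_dirs] + [home / ".cache"]
    for root in roots:
        if root.is_dir():
            for hit in sorted(root.rglob(PTH_NAME)):
                findings.append(("malicious-pth", str(hit)))
    for rel in PERSISTENCE:
        if (home / rel).exists():
            findings.append(("persistence", str(home / rel)))
    return findings


def node_setup_pods(kubectl_output):
    """Pod names starting with 'node-setup-' in `kubectl get pods -n kube-system` output."""
    names = [ln.split()[0] for ln in kubectl_output.splitlines() if ln.split()]
    return [n for n in names if n.startswith("node-setup-")]


if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for kind, detail in triage(Path.home(), dirs, installed_litellm_version()):
        print(f"{kind}: {detail}")
```

Run it with each Python interpreter or virtual environment on the host, since the installed version and site-packages paths are per environment.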

If Compromised

Assume credential exposure and rotate:

  • SSH keys
  • Cloud credentials
  • API keys
  • Database passwords
  • Kubernetes tokens
  • CI/CD tokens

Remove persistence:

  • systemctl --user stop sysmon.service
  • systemctl --user disable sysmon.service

Lessons for AI Security

This attack highlights several important trends shaping today’s threat landscape. AI infrastructure is increasingly becoming a primary target, reflecting its growing role in modern systems and the value of the data it processes. At the same time, supply chain attacks continue to rise, allowing attackers to compromise widely used dependencies and propagate malicious code at scale. Security tools themselves are now high-value targets, as breaching them can provide deep visibility into protected environments. Additionally, credential chaining is becoming more common, enabling attackers to escalate access across systems by leveraging previously harvested secrets.

What Could Happen Next

Researchers expect this activity to continue evolving, with more frequent compromises of package registries and the emergence of self-propagating supply chain worms capable of spreading across ecosystems with minimal friction. Attackers are also likely to adopt more decentralized command-and-control infrastructure, making detection and takedown significantly harder. At the same time, broader harvesting of production credentials will further amplify the impact of such campaigns, enabling deeper access into critical systems. Taken together, these developments suggest that the campaign is not an isolated incident but part of an ongoing and expanding threat.

Final Thoughts

The LiteLLM compromise is not just another package attack. It represents a shift toward targeting AI infrastructure and developer tooling at scale.

As AI adoption accelerates, dependency security becomes increasingly critical. Organizations must treat dependencies as part of their attack surface and implement stronger supply chain security practices.

At Scantist, we continue monitoring emerging supply chain threats and helping organizations detect malicious packages, secure dependencies, and protect AI infrastructure.

In the AI era, your dependencies are part of your attack surface.
