The popular litellm Python package was compromised on PyPI, with versions 1.82.7 and 1.82.8 confirmed to contain malicious code designed to exfiltrate sensitive data. Any environment updated on or after March 24, 2026, risks having credentials that have been compromised by the attackers.
An attacker hijacked the maintainer accounts for the litellm project, bypassing standard GitHub release protocols to push compromised versions directly to PyPI. Because litellm sits between developers and nearly every major LLM endpoint, it is frequently pulled in as a dependency, allowing the payload to spread across infrastructure.
The payload acts as a sophisticated, cloud-centric stealer that executes automatically when the Python interpreter starts. It extracts AWS, GCP, and Azure configurations and queries internal cloud metadata to hijack instance roles, effectively granting unauthorized access to specific instances.
In Kubernetes environments, the attack persists if it detects a service account token, further expanding the attacker's access. To mitigate this threat, organizations should pin dependencies to cryptographic hashes and validate releases through external infrastructure to test for supply chain malware before deployment.