On March 24, 2026, the widely used LiteLLM Python package was compromised on PyPI. Versions 1.82.7 and 1.82.8 included malicious code designed to harvest cloud credentials, SSH keys, and Kubernetes secrets. Users who updated their environments to either of these versions should assume that sensitive data has been compromised.
The breach originated from a supply chain attack by the TeamPCP threat actor, which also targeted Trivy and KICS. The malware included a credential harvester and a Kubernetes lateral movement toolkit, enabling persistent backdoor access. This sophisticated campaign targets high-value credentials typically concentrated in widely adopted packages within AI ecosystems.
Trend Micro Research identified this issue after reports from multiple security vendors, including Endor Labs and JFrog. While the affected versions have been removed from PyPI, the potential damage to users' environments is significant if not addressed promptly. Engineers are advised to immediately delete the compromised package, rotate credentials across their teams, and conduct thorough security audits.
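A first step in the audit above is finding where the two affected releases are pinned or installed. The following checker is an added example, not code from Trend Micro or the LiteLLM project; it assumes `==` pins in requirements files or `pip freeze` output and uses the standard library only.

```python
"""Locate the compromised LiteLLM releases (1.82.7, 1.82.8) in pins and installs."""
import re
from importlib import metadata

AFFECTED = {"1.82.7", "1.82.8"}   # versions named in the advisory
PACKAGE = "litellm"

# Matches an exact pin such as "litellm==1.82.7" or "LiteLLM == 1.82.8 ; python_version>'3.9'"
_PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(?P<ver>[0-9][0-9A-Za-z.]*)"
)


def normalize(name: str) -> str:
    """PEP 503 style normalization so LiteLLM / litellm compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pinned_affected(lines) -> list:
    """Return affected versions pinned in requirements / pip-freeze style lines."""
    hits = []
    for line in lines:
        line = line.split("#", 1)[0]          # drop trailing comments
        m = _PIN_RE.match(line)
        if m and normalize(m.group("name")) == PACKAGE and m.group("ver") in AFFECTED:
            hits.append(m.group("ver"))
    return hits


def installed_affected():
    """Return the installed litellm version if it is an affected release, else None."""
    try:
        ver = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return ver if ver in AFFECTED else None


# Constructed sample requirements file; not taken from any real project.
SAMPLE_REQUIREMENTS = """\
openai==1.40.0
LiteLLM == 1.82.8
litellm==1.82.6  # older pin, not in the affected set
litellm>=1.82.7  # range, not an exact pin, so it is reported separately by hand
"""

if __name__ == "__main__":
    print("affected pins:", pinned_affected(SAMPLE_REQUIREMENTS.splitlines()))
    print("affected install:", installed_affected())
```

Range specifiers such as `>=` resolve at install time, so check the lock file or the live environment with `installed_affected()` rather than the range itself.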
The incident highlights the critical need for robust dependency management practices in AI infrastructure to prevent unauthorized access to sensitive data.