A supply chain attack targeting LiteLLM — one of the most widely used open-source libraries for routing requests across AI model providers — was discovered on March 24, 2026, sending shockwaves through the developer community. Security researcher Callum McMahon of Futuresearch found that versions 1.82.7 and 1.82.8 of the package on PyPI contained sophisticated malware capable of stealing credentials, installing persistent backdoors, and laterally spreading across Kubernetes clusters.
How the Attack Was Discovered
The attack came to light when a LiteLLM dependency was pulled into an MCP plugin running inside the Cursor code editor. The malicious package included a .pth file — litellm_init.pth — that executes automatically on every Python process startup when the package is installed. Due to a bug in the malware, the .pth launcher triggered a fork bomb that crashed the machine, inadvertently revealing the compromise.
McMahon's analysis found no corresponding tag or release on LiteLLM's official GitHub repository for either affected version, suggesting the packages were uploaded directly to PyPI while bypassing the normal release pipeline. The GitHub issue tracking the incident was subsequently closed as "not planned" and flooded with bot spam, leading McMahon to conclude that the LiteLLM author's account is "very likely fully compromised."
What the Malware Does
The payload operates in three stages. First, it collects sensitive files from the host: SSH private keys, .env files, AWS, GCP, and Azure credentials, Kubernetes configurations, database passwords, shell history, and crypto wallet files. It also queries cloud metadata endpoints to capture instance credentials.
Collected data is then encrypted using AES-256-CBC with a hardcoded 4096-bit RSA public key and exfiltrated to https://models.litellm.cloud/ — a domain unrelated to legitimate LiteLLM infrastructure.
Finally, if Kubernetes service account tokens are present, the malware reads all cluster secrets across all namespaces and attempts to deploy a privileged alpine:latest pod to every node in kube-system, each mounting the host filesystem to install a persistent systemd backdoor.
Remediation Steps
The compromised versions were yanked from PyPI by the afternoon of March 24 following reports to PyPI's security team. However, anyone who installed LiteLLM during the exposure window should:
- Check for affected versions: Run
pip show litellmand inspect UV caches forlitellm_init.pth - Remove and purge caches: Uninstall LiteLLM 1.82.7 and 1.82.8, then clear package manager caches
- Audit for persistence: Look for
~/.config/sysmon/sysmon.pyand associated systemd services - Rotate all credentials: Treat any secrets present on an affected machine as fully compromised
Broader Implications
The incident is being closely watched as a bellwether for AI-era supply chain risk. Nvidia AI Director Jim Fan called it "pure nightmare fuel," warning that AI agents are especially vulnerable because every file in their context window becomes a potential attack vector. A compromised agent with access to email, code repositories, and cloud APIs could impersonate its user across an entire organization.
Fan's suggestion: build lean, audited dependencies rather than relying on sprawling open-source chains. As AI-powered applications proliferate, the attack surface of third-party packages with elevated access to production infrastructure will only grow — making this incident a defining security moment for the industry.
