Krux

March 28, 2026
LiteLLM Backdoor Harvested Credentials for 5.5 Hours
Published: March 28, 2026 at 12:38 AM
Updated: March 28, 2026 at 12:38 AM
What happened
Two malicious LiteLLM releases slipped onto PyPI on March 24, exfiltrating credentials to models.litellm.cloud before being pulled. Version 1.82.7 injected harvesting code into the proxy server. Version 1.82.8 went further, adding a startup script that ran every time Python launched and created fake system services to persist after detection.
Why it matters
The attack window lasted just 5.5 hours, but anyone who ran pip install during that window is compromised. The breach is tied to the TeamPCP campaign and a broader supply-chain attack on Trivy's publishing pipeline. LiteLLM has paused all new releases while Mandiant investigates. If you touched 1.82.7 or 1.82.8, assume every secret on that machine leaked and rotate everything.
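Added here as a triage example for both the mechanism described under "What happened" and the rotate-everything advice under "Why it matters"; it is not code from LiteLLM, the article, or Mandiant. It flags the two version numbers and the exfiltration host named above in a `pip freeze` dump and an installed tree, and lists the interpreter startup hooks a responder would review. The version numbers and host come from the page; the sample `pip freeze` output and file tree are constructed; and the .pth/sitecustomize listing is an assumption, since the page does not say how the 1.82.8 script hooked Python startup.

```python
"""Post-incident triage for the LiteLLM 1.82.7 / 1.82.8 PyPI compromise.
Added example, not LiteLLM's or the article's code. Checks known-bad pins in
`pip freeze` output, files referencing the exfiltration host the advisory names,
and Python startup hooks (.pth / sitecustomize), which are an assumed mechanism."""
import re
import tempfile
from pathlib import Path

AFFECTED_VERSIONS = {"1.82.7", "1.82.8"}   # malicious releases named in the advisory
EXFIL_HOST = "models.litellm.cloud"        # exfiltration host named in the advisory

def affected_pins(freeze_output: str) -> list[str]:
    """Return litellm versions pinned in `pip freeze` output that are known-bad."""
    bad = []
    for line in freeze_output.splitlines():
        m = re.match(r"^litellm==(\S+)$", line.strip(), re.IGNORECASE)
        if m and m.group(1) in AFFECTED_VERSIONS:
            bad.append(m.group(1))
    return bad

def files_referencing_host(root: Path, host: str = EXFIL_HOST) -> list[str]:
    """Return paths under root (relative, sorted) whose bytes contain the host name."""
    needle = host.encode()
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and needle in p.read_bytes())

def startup_hooks(site_dir: Path) -> list[str]:
    """List files in a site-packages dir that the interpreter runs on every launch."""
    names = [p.name for p in site_dir.glob("*.pth")]
    names += [p.name for p in site_dir.glob("*customize.py")]  # sitecustomize/usercustomize
    return sorted(names)

def demo() -> dict:
    """Run all three checks against a constructed site-packages tree (sample data only)."""
    freeze = "requests==2.31.0\nlitellm==1.82.8\nopenai==1.3.0\n"
    with tempfile.TemporaryDirectory() as tmp:
        sp = Path(tmp) / "site-packages"
        (sp / "litellm" / "proxy").mkdir(parents=True)
        (sp / "litellm" / "proxy" / "server.py").write_text(
            "UPLOAD_URL = 'https://models.litellm.cloud/'  # constructed sample\n")
        (sp / "distutils-precedence.pth").write_text("import _distutils_hack\n")
        (sp / "zz_constructed.pth").write_text("# constructed sample hook\n")
        return {"affected_pins": affected_pins(freeze),
                "host_refs": files_referencing_host(sp),
                "hooks": startup_hooks(sp)}

if __name__ == "__main__":
    print(demo())
```

Point `files_referencing_host` and `startup_hooks` at a real site-packages directory to review an actual environment; a hit on the host is an indicator, while the hook listing is only a starting point for manual review.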