LiteLLM Hit by Supply Chain Attack: Credential-Stealing Code Found on PyPI


Two versions of LiteLLM, a popular open-source Python interface for accessing multiple large language models, have been yanked from PyPI after a supply chain attack injected them with credential-stealing malware. If you use LiteLLM, you need to check your installations immediately.

What Happened

LiteLLM versions 1.82.7 and 1.82.8 were compromised with malicious code hidden in a component file called litellm_init.pth. The code was designed to steal credentials from any environment where LiteLLM was running — meaning API keys, database passwords, and cloud access tokens could all have been exfiltrated.

The attack originated from a compromise of Trivy, an open-source vulnerability scanner maintained by Aqua Security that many projects include in their CI/CD pipelines as a security measure. The irony is hard to miss: a security tool became the attack vector.

How the Attack Worked

Attackers exploited a misconfiguration in Trivy’s GitHub Actions environment in late February to steal a privileged access token. They then used this token to publish malicious Trivy releases (v0.69.4, v0.69.5, and v0.69.6).

The clever part: instead of just uploading new versions, the attackers modified existing version tags in trivy-action. Because many CI/CD pipelines rely on version tags rather than pinned commits, these pipelines continued running without any indication the underlying code had changed.

Because LiteLLM’s CI/CD pipeline used Trivy, this allowed the attackers to obtain LiteLLM’s PyPI publishing token (stored as a GitHub repo environment variable) and push compromised versions directly to PyPI.

What You Should Do

The Python Packaging Authority (PyPA) has published a security advisory: “Anyone who has installed and run the project should assume any credentials available to the LiteLLM environment may have been exposed, and revoke/rotate them accordingly.”

Specifically:

1. Check if you have LiteLLM v1.82.7 or v1.82.8 installed
2. Rotate ALL credentials that were accessible in that environment
3. Review your CI/CD pipelines for Trivy usage and pin to commit hashes, not version tags
4. Update to the latest clean version of LiteLLM
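
For step 1, an added example (not code from LiteLLM, PyPA or the advisory) that inspects site-packages directories on disk for the two yanked releases and for litellm_init.pth, without importing the package. The script name and command line in the comments are assumptions; the versions and file name are the ones given above.

```python
"""Offline check of site-packages directories for the compromised LiteLLM releases."""
import re
import sys
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # releases named in the article
PTH_NAME = "litellm_init.pth"        # file name given in the article


def scan_site_dir(site_dir):
    """Return a list of findings (strings) for one site-packages directory."""
    site_dir = Path(site_dir)
    findings = []
    # pip records each install as <name>-<version>.dist-info; reading the
    # directory name means litellm itself is never imported.
    for info in site_dir.glob("*.dist-info"):
        name, _, version = info.name[: -len(".dist-info")].rpartition("-")
        if re.sub(r"[-_.]+", "-", name).lower() == "litellm" and version in BAD_VERSIONS:
            findings.append(f"{info}: compromised release {version}")
    pth = site_dir / PTH_NAME
    if pth.is_file():
        findings.append(f"{pth}: {PTH_NAME} present")
        # The site module executes any .pth line that starts with "import"
        # at interpreter startup, so count those lines without running them.
        text = pth.read_text(encoding="utf-8", errors="replace")
        execs = [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]
        if execs:
            findings.append(f"{pth}: {len(execs)} line(s) executed at interpreter startup")
    return findings


def scan(paths):
    """Scan several directories; returns {directory: findings} for hits only."""
    results = {}
    for p in paths:
        if Path(p).is_dir():
            hits = scan_site_dir(p)
            if hits:
                results[str(p)] = hits
    return results


if __name__ == "__main__":
    # Assumed invocation (hypothetical script name):
    #   python -S check_litellm.py /path/to/venv/lib/python3.X/site-packages
    report = scan(sys.argv[1:])
    print("\n".join(hit for hits in report.values() for hit in hits))
    sys.exit(1 if report else 0)
```

Run it with an interpreter started with -S, or from a separate clean environment, because a normal start of the affected interpreter processes .pth files before the script runs.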

The Bigger Lesson

This attack highlights a terrifying truth about modern software supply chains: even security tools can become weapons. The attackers didn’t need to compromise LiteLLM directly — they compromised a security scanner used in its CI/CD pipeline, which then gave them the keys to publish malicious code to PyPI. A spam attack on the GitHub vulnerability report using AI-generated comments added another layer of obfuscation.

The Bottom Line

If you’re using LiteLLM in production — and many AI applications do, since it’s a popular interface for accessing models from OpenAI, Anthropic, and others — assume your credentials are compromised until proven otherwise. Pin your CI/CD dependencies to commit hashes, not version tags. And remember: the next supply chain attack might come through the tool you trust to protect you.