Threat Landscape
← Back to Blog
Threat Intelligence

Critical Credential Stealer Discovered in LiteLLM PyPI Package

TLT
Threat Landscape Team
2026-03-257 min read

The open-source AI ecosystem has been hit with a critical software supply chain attack. The popular Python package litellm—a library used by thousands of developers to simplify API calls to various LLM providers—was recently compromised on PyPI.

Specifically, versions 1.82.8 and 1.82.7 were injected with a highly aggressive, double base64-encoded credential-stealing payload. If your development environment, CI/CD pipeline, or production server installed these versions, consider your environment variables, cloud credentials, and SSH keys completely compromised.

In this post, we break down the malicious behavior of this compromised package, analyze the attacker's tradecraft using MITRE ATT&CK® Tactics, Techniques, and Procedures (TTPs), and provide immediate remediation steps.

The Attack Vector: No Import Required

What makes this attack particularly insidious is its trigger mechanism. Many Python developers assume that malicious code in a package only executes if the package is explicitly imported (e.g., import litellm).

The attackers bypassed this entirely by utilizing Python's .pth (path configuration) file feature. In version 1.82.8, the threat actors included a malicious file named litellm_init.pth (34,628 bytes) in the package's site-packages/ directory.

Python's interpreter is designed to automatically execute .pth files during startup. This means that merely running the Python interpreter—even for an entirely unrelated script—executes the payload.

Version 1.82.7 lacks the .pth file, but the same malicious payload was injected directly into the package's source code at proxy/proxy_server.py.

MITRE ATT&CK® TTP Breakdown

The attacker's malware executes a sophisticated two-stage process: Information Collection followed by Encryption & Exfiltration. Below is a mapping of the attack lifecycle to MITRE ATT&CK TTPs.

Initial Access & Execution

  • T1195.002 - Compromise Software Supply Chain: The attackers compromised the PyPI repository of litellm to distribute the malicious wheels to downstream users.
  • T1059.006 - Command and Scripting Interpreter (Python): The core malware is a Python script invoked seamlessly in the background.
  • T1546 - Event Triggered Execution: Utilizing the Python interpreter startup sequence via litellm_init.pth to achieve automatic execution without user interaction.

Defense Evasion

  • T1027 - Obfuscated Files or Information: To avoid detection by static analysis and naive code grepping, the attackers double base64-encoded the Python payload.

Discovery

Once executed, the script aggressively maps out the host environment:

  • T1082 - System Information Discovery: Captures hostname and uname -a.
  • T1016 - System Network Configuration Discovery: Captures ip addr and ip route.
  • T1033 - System Owner/User Discovery: Captures whoami.

Credential Access & Collection

The malware acts as an omnivorous credential vacuum, targeting everything from developer secrets to crypto wallets.

  • T1552.007 - Credentials in Environment Variables: Executes printenv to capture all API keys, access tokens, and secrets stored in the environment.
  • T1552.001 - Credentials in Files: The script hunts for a massive list of sensitive files, including:
    • SSH Keys: ~/.ssh/id_rsa, id_ed25519, authorized_keys, etc.
    • Cloud & Container Credentials: AWS (~/.aws/credentials), GCP, Azure, Docker (~/.docker/config.json), and Kubernetes configs (~/.kube/config, service account tokens).
    • Dev & CI/CD Secrets: .git-credentials, terraform.tfvars, .gitlab-ci.yml, Jenkinsfile.
    • Cryptocurrency Wallets: ~/.bitcoin/, ~/.ethereum/keystore/, ~/.config/solana/, etc.
    • Shell History: ~/.bash_history, ~/.zsh_history, ~/.mysql_history.
  • T1005 - Data from Local System: Consolidates all collected files and environment outputs into a temporary file.

Exfiltration

To safely exfiltrate data without being intercepted by network monitoring, the attacker employs strong cryptography and domain typosquatting.

  • T1560 - Archive Collected Data: The collected data is packed into a tarball named tpcp.tar.gz.
  • T1480.001 - Execution Guardrails / Environmental Keying (Custom Encryption): The payload generates a random 32-byte AES-256 session key to encrypt the data. This AES key is then encrypted using a hardcoded 4096-bit RSA public key, ensuring only the attacker (who holds the private key) can decrypt the stolen data.
  • T1567 - Exfiltration Over Web Service: The malware uses curl to silently HTTP POST the tpcp.tar.gz archive to an attacker-controlled server.
  • T1036 - Masquerading (Typosquatting): The exfiltration destination is https://models.litellm.cloud/. Notice the .cloud TLD—the official domain for the project is litellm.ai. This helps the outbound traffic blend in during casual network analysis.

Impact

The blast radius of this supply chain attack is immense. AI developers frequently store high-value API keys (OpenAI, Anthropic, AWS, GCP) in environment variables. Because the attack targets Linux/Unix environments and explicitly looks for Kubernetes, Docker, and CI/CD secrets, the impact scales from individual compromised developer workstations up to full-scale production environment takeovers.

If litellm==1.82.8 or 1.82.7 was installed in your infrastructure, you must assume full compromise of all secrets accessible to the user running the Python process.

Immediate Remediation Steps

If you are using litellm, take the following steps immediately:

  1. Identify Compromise: Check your site-packages/ directory for the presence of litellm_init.pth or verify if you have litellm version 1.82.7 or 1.82.8 installed.
  2. Quarantine & Downgrade: Pin your litellm dependency to a known safe version (e.g., <= 1.82.6 or 1.81.13). Rebuild affected Docker containers from scratch.
  3. Rotate All Exposed Credentials (CRITICAL): Because exfiltration happens instantly upon Python startup, you must assume all environment variables, SSH keys, AWS/GCP/Azure profiles, and Kubernetes tokens present on the affected machine have been compromised. Rotate them immediately.
  4. Network Auditing: Review network logs and SIEM alerts for outbound HTTP POST requests to models.litellm.cloud to identify exactly which machines successfully exfiltrated data.

Conclusion

The LiteLLM compromise is a textbook example of the fragility of the modern open-source software supply chain. Attackers are increasingly targeting the AI development ecosystem due to the high density of valuable API keys and cloud credentials used in these workflows. Furthermore, the abuse of Python .pth files to achieve persistence and execution outside of explicit user imports highlights the need for continuous, deep monitoring of runtime environments.

Sources: BerriAI/litellm GitHub Issue #24512

Ready to Transform Your Threat Intelligence?

See how Threat Landscape can reduce alert fatigue and improve your security operations

ContactMore Articles