LiteLLM Supply Chain Attack: Malicious Code Steals Credentials
Two versions of the open-source LiteLLM package, used to interface with multiple large language models, have been removed from the Python Package Index (PyPI) after being compromised with credential-stealing code. Versions 1.82.7 and 1.82.8 of LiteLLM contained malicious code within a file named litellm_init.pth, prompting their removal, according to Berri AI, the maintainer of the project.
The compromise appears to stem from a vulnerability within the Trivy vulnerability scanner, used in LiteLLM’s CI/CD pipeline, according to Krrish Dholakia, CEO of Berri AI. Trivy, an open-source project maintained by Aqua Security, is widely used to identify security vulnerabilities in software projects.
The attack began in late February with a misconfiguration in Trivy’s GitHub Actions environment, allowing attackers to steal a privileged access token. This token was then used to manipulate the CI/CD process, ultimately leading to the publication of malicious versions of both Trivy and, subsequently, LiteLLM. Attackers, identified as TeamPCP, initially published a compromised version of Trivy (v0.69.4) on March 19, followed by versions v0.69.5 and v0.69.6 as DockerHub images on March 22.
Aqua Security explained that the attackers employed a sophisticated technique, modifying existing version tags associated with the Trivy GitHub Action script to inject malicious code into ongoing CI/CD workflows. Because many pipelines rely on version tags rather than specific commit hashes, the malicious code was executed without triggering immediate alerts.
Dholakia stated that the attackers gained access to LiteLLM’s PyPI publishing token, stored as an environment variable within the project’s GitHub repository, and used it to upload the malicious versions. “We have deleted all our PyPI publishing tokens,” Dholakia said in a post on Hacker News. “Our accounts had 2fa, so it’s a poor token here. We’re reviewing our accounts, to witness how people can make it more secure (trusted publishing via JWT tokens, move to a different PyPI account, etc.).”
The GitHub issue report detailing the LiteLLM compromise was also targeted with a spam attack, with dozens of AI-generated comments flooding the thread in an apparent attempt to obscure legitimate discussion. Security researcher Rami McCarthy identified 19 of the 25 accounts involved in the spam campaign as also participating in the earlier Trivy compromise.
The Python Packaging Authority (PyPA) has issued a security advisory regarding the LiteLLM compromise, recommending that anyone who installed and ran the affected versions assume their credentials may have been exposed and take steps to revoke and rotate them. Berri AI has stated that all maintainer accounts have been rotated, with new accounts established for @krrish-berri-2 and @ishaan-berri. The company has also engaged Google’s Mandiant security team to assist with the investigation and remediation efforts.
Berri AI has indicated that no further LiteLLM releases will be made until a thorough security review of the entire build chain is completed.
