LiteLLM Supply Chain Attack: Advisory

March 25, 2026
8 min

What Happened?

On March 24, 2026, the popular Python library LiteLLM was targeted in a supply chain attack. Attackers published malicious versions of the package (1.82.7 and 1.82.8) on PyPI, the Python Package Index. These versions contained hidden code designed to steal credentials and secrets from any system where the package was installed.

How Did This Happen?

  • Attackers compromised a security tool (Trivy) used in LiteLLM’s development process, gaining access to LiteLLM’s publishing credentials.
  • They then uploaded malicious versions of LiteLLM to PyPI, which were automatically downloaded by users and systems.
  • The malicious code was designed to collect and send sensitive information (like API keys, passwords, and environment variables) to an attacker-controlled server.

Who Is Affected?

  • Any individual or organization that installed or used LiteLLM versions 1.82.7 or 1.82.8 between March 24, 2026, and the time the packages were removed from PyPI.
  • Systems where these versions were installed should be considered compromised.

How to Check If You Are Affected

1. Check System-Wide Installation

Run the following command in your terminal or command prompt to check if LiteLLM is installed system-wide:

pip show litellm

  • If the version is 1.82.7 or 1.82.8, your system is affected.

2. Check User-Level Installation

If you installed LiteLLM using --user, list the user-level packages (pip show has no --user option) and look for litellm in the output:

pip list --user

  • If the version is 1.82.7 or 1.82.8, your user environment is affected.

3. Check All Virtual Environments

LiteLLM may be installed in one or more Python virtual environments. To check each virtual environment:

List all virtual environments. Common locations include:
  • ~/venvs/ (or similar custom directories)
  • ./venv (in project directories)
  • .venv (in project directories)

Activate and check each virtual environment. For each one, run:

source /path/to/venv/bin/activate  # On Linux/Mac

.\path\to\venv\Scripts\activate    # On Windows

pip show litellm

  • If the version is 1.82.7 or 1.82.8, that virtual environment is affected.

4. Search for Malicious Files

The attackers added a malicious file named litellm_init.pth. To check for its presence system-wide and in all virtual environments, run:

# On Linux/Mac:

sudo find / -name "litellm_init.pth" 2>/dev/null

# On Windows (PowerShell):

Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue -Filter "litellm_init.pth"

  • If this file is found anywhere, your system or environment is compromised.
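As an added example (not part of the original advisory), the following Python script automates checks 1 to 4 in one pass: it walks the directories you give it, finds every site-packages folder (system, user or virtual environment) and reports any that holds a litellm 1.82.7 or 1.82.8 dist-info entry or the litellm_init.pth file. The scan roots, function names and the assumption that the installed version can be read from the dist-info directory name are mine.

```python
"""Scan Python environments for the compromised LiteLLM releases."""
import os
import re
import sys
from pathlib import Path

# Versions and file name taken from the advisory above.
BAD_VERSIONS = {"1.82.7", "1.82.8"}
BAD_PTH = "litellm_init.pth"
# pip records installed distributions as <name>-<version>.dist-info
# inside site-packages; the version is parsed from that directory name.
_DIST_RE = re.compile(r"^litellm-(?P<version>[^-]+)\.dist-info$", re.IGNORECASE)


def litellm_version_in(site_packages: Path):
    """Return the LiteLLM version recorded in one site-packages dir, or None."""
    for entry in site_packages.iterdir():
        m = _DIST_RE.match(entry.name)
        if m and entry.is_dir():
            return m.group("version")
    return None


def scan_site_packages(site_packages: Path) -> list:
    """Return a list of findings for one site-packages dir (empty means clean)."""
    findings = []
    version = litellm_version_in(site_packages)
    if version in BAD_VERSIONS:
        findings.append(f"{site_packages}: litellm {version} (compromised release)")
    # .pth files in site-packages are processed at interpreter start-up,
    # so the dropped file is checked even when the package was removed.
    if (site_packages / BAD_PTH).exists():
        findings.append(f"{site_packages / BAD_PTH}: malicious .pth file present")
    return findings


def find_site_packages(roots) -> list:
    """Walk the given roots and collect every directory named site-packages."""
    found = []
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root):
            if os.path.basename(dirpath) == "site-packages":
                found.append(Path(dirpath))
                dirnames[:] = []  # no nested environments below this point
    return found


def scan(roots) -> list:
    """Scan all site-packages dirs under the roots; return all findings."""
    findings = []
    for sp in find_site_packages(roots):
        findings.extend(scan_site_packages(sp))
    return findings


if __name__ == "__main__":
    # Default to the home directory; pass "/" to cover a whole Linux host.
    for line in scan(sys.argv[1:] or [Path.home()]):
        print(line)
```

An empty result means no affected release or dropped file was found under the scanned roots; it does not replace credential rotation if the package was ever installed.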

What to Do If Affected

1. Remove the Malicious Package

Uninstall the compromised version from all locations (system, user, and virtual environments):

pip uninstall litellm

2. Rotate All Credentials
  • Rotate all API keys, passwords, and secrets that were present on the affected system or environment.
  • This includes cloud provider credentials, database passwords, and any other sensitive information.

3. Scan for Additional Malware
  • Use a reputable antivirus or endpoint detection tool to scan your system for further compromise.
  • Check network logs for connections to suspicious domains, especially models.litellm.cloud.

4. Restore from Backup (If Possible)
  • If you have a clean backup of your system or environment, restore it after ensuring the malicious package is removed.

5. Monitor for Unusual Activity
  • Watch for unauthorized access or unusual behavior in your accounts and systems.

How to Prevent Future Incidents
  • Verify package integrity: Always check the official GitHub repository or trusted sources before installing updates.
  • Use dependency management tools: Tools like pip-audit or snyk can help detect compromised packages.
  • Limit permissions: Avoid running packages with unnecessary privileges or in environments with sensitive credentials.

Q&A: Am I Affected?

Q: I used a package with LiteLLM. Can I be affected?
  • A: Yes, if the package you used depended on LiteLLM versions 1.82.7 or 1.82.8, your environment may be compromised. Check the version of LiteLLM installed in your environment.

Q: I developed a package with LiteLLM. Can I be affected?
  • A: Yes, if your development environment or CI/CD pipeline used LiteLLM versions 1.82.7 or 1.82.8, your credentials and secrets may have been exposed. Check all environments where your package was developed or tested.

Q: I deployed LiteLLM as a proxy. Can I be affected?
  • A: Yes, if you deployed LiteLLM versions 1.82.7 or 1.82.8 as a proxy, your proxy server and all credentials it handled are at risk. You should immediately rotate all API keys and secrets and audit your proxy logs.

Q: I used LiteLLM as a proxy via LlamaIndex. Can I be affected?
  • A: Yes, if LlamaIndex or your project pulled in LiteLLM versions 1.82.7 or 1.82.8, your environment may be compromised. Check the installed version of LiteLLM in your LlamaIndex environment.

Q: I used LiteLLM via Ollama. Can I be affected?
  • A: Ollama does not directly use LiteLLM, but if you integrated LiteLLM separately in your Ollama setup and used versions 1.82.7 or 1.82.8, you may be affected. Check your environment for the malicious LiteLLM versions.

Q: What popular services use LiteLLM and were affected?
  • A: LiteLLM is used by many AI agent frameworks and services, including CrewAI, DSPy, Browser-Use, and Opik. If these services or any other tools you use depend on LiteLLM, check with the service provider for updates on their security status and recommended actions.

Additional Resources

Note: LiteLLM has paused new releases until a full security review is completed. Only use versions confirmed as safe by the official LiteLLM team.

Nuno Cravino
Data Engineer & Tech Lead