Overview
- Attackers published two malicious LiteLLM versions on PyPI using the project’s real credentials, and the packages were quarantined soon after they were reported.
- The breach followed a cascade that began with a poisoned Trivy security scanner used in CI, which exfiltrated publish credentials later used to push the backdoored releases.
- Version 1.82.7 executed on import of a LiteLLM module, and version 1.82.8 added a .pth file that runs on every Python interpreter start, including installs and IDE language servers.
- The payload scraped SSH keys, cloud and Kubernetes secrets, and more, then attempted cluster-wide lateral movement and set up persistence under ~/.config/sysmon/ with downloads in /tmp/pglog.
- Researchers reported more than 40,000 downloads before removal, and guidance urges uninstalling 1.82.7 and 1.82.8, pinning 1.82.6, rotating all credentials, and scanning for .pth files and persistence artifacts.