Overview
- Malicious LiteLLM releases 1.82.7 and 1.82.8, published Tuesday, were quarantined by PyPI within about three hours; 1.82.6 is cited as the last clean version.
- Version 1.82.7 ran its payload when litellm.proxy was imported, while 1.82.8 planted a .pth file that Python runs at every interpreter start, which means code executed even if LiteLLM was never used.
- The payload swept SSH keys, cloud credentials for AWS, GCP and Azure, Kubernetes secrets, database configs, .env files and crypto wallets, then encrypted and sent the bundle (tpcp.tar.gz) to models.litellm.cloud and pulled follow‑on code from checkmarx.zone.
- Researchers link the breach to TeamPCP and to a Trivy CI/CD compromise that leaked a PyPI publish token, with overlapping indicators like the sysmon systemd backdoor, 50‑minute beaconing and reused command‑and‑control domains.
- LiteLLM maintainers deleted publish tokens, rotated credentials and brought in incident responders, while vendors urge users to remove affected versions, rotate all secrets, hunt for rogue Kubernetes pods and persistence, and adopt short‑lived OIDC Trusted Publishing with pinned builds.
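
A host check for the two delivery paths described above, as an added example that is not code from LiteLLM, PyPI or the vendors cited: it lists `.pth` lines that Python's `site` module executes at startup and flags an installed 1.82.7 or 1.82.8. The function names are hypothetical, and it assumes a standard site-packages layout with `litellm-<version>.dist-info` directories.

```python
import re
from pathlib import Path

# Versions the summary names as malicious; 1.82.6 is cited as the last clean one.
BAD_LITELLM = {"1.82.7", "1.82.8"}

def executable_pth_lines(text):
    """Return the lines of a .pth file that site.py would exec() at startup.

    site.py executes lines that start with 'import' followed by a space or
    tab; other non-comment lines are only paths appended to sys.path.
    """
    return [ln for ln in text.splitlines()
            if ln.startswith(("import ", "import\t"))]

def audit_site_dir(site_dir):
    """Scan one site-packages directory; return (kind, detail) findings."""
    findings = []
    root = Path(site_dir)
    for pth in sorted(root.glob("*.pth")):
        for ln in executable_pth_lines(pth.read_text(errors="replace")):
            findings.append(("pth-exec", f"{pth.name}: {ln[:120]}"))
    # An installed distribution leaves a '<name>-<version>.dist-info' directory.
    for info in sorted(root.glob("litellm-*.dist-info")):
        m = re.fullmatch(r"litellm-(.+)\.dist-info", info.name)
        if m and m.group(1) in BAD_LITELLM:
            findings.append(("bad-version", f"litellm {m.group(1)}"))
    return findings

if __name__ == "__main__":
    import site
    import sys
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    hits = [f for d in dirs if Path(d).is_dir() for f in audit_site_dir(d)]
    for kind, detail in hits:
        print(f"[{kind}] {detail}")
    sys.exit(1 if hits else 0)
```

Legitimate packages such as setuptools and editable installs also ship `.pth` files with `import` lines, so each `pth-exec` hit needs review against what is expected in that environment.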