
LiteLLM, a widely deployed YC-backed AI gateway package, was compromised in a PyPI supply chain attack (tracked as PYSEC-2026-2). Threat actors known as TeamPCP published malicious versions (1.82.7 and 1.82.8) that dropped obfuscated .pth files to hijack Python interpreter startup. This allowed their malware to harvest and exfiltrate cloud credentials, SSH keys and crypto wallet secrets without the LiteLLM package ever being imported or run.
700M+ Installs at Risk
LiteLLM is a crucial piece of modern AI infrastructure. Built as an open-source proxy server and Python SDK, it acts as an LLM Gateway, allowing developers to call over 100 different LLM APIs using standard OpenAI formatting. Backed by Y Combinator, it boasts over 40,000 GitHub stars and an astronomical 700 million lifetime PyPI downloads (averaging roughly 95 million downloads every month).
Most alarmingly, security research firm Wiz reports that LiteLLM is present in 36% of all cloud environments. Because it sits at the nexus of AI application routing, it routinely handles high-privilege environments rich in API keys, cloud access tokens, and enterprise secrets. This makes it an incredibly high-value target for supply chain attackers looking to deploy credential-harvesting malware at scale.
A Direct Strike on the PyPI Registry
The attackers did not compromise the LiteLLM GitHub repository itself. Instead, they directly published malicious wheels to PyPI. This bypasses typical code review and CI/CD checks, executing a direct strike on the package registry.
The core mechanism relied on a stealthy, well-known Python persistence trick: the .pth file hook. Python processes every .pth file in the site-packages directory at interpreter startup, and any line in such a file that begins with "import" is executed as code. By injecting their malicious script into litellm/proxy/proxy_server.py and dropping a .pth file via the setup process, the attackers ensured their payload would run every time Python launched, regardless of whether the user actually imported LiteLLM in their script.
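One way a defender can check a host for this kind of hook, as an added example that is not LiteLLM's code or the malware: the script below lists every .pth line the interpreter would execute at startup across all site-packages directories and flags the ones that look like an obfuscated loader. The keyword list and the 200-character length threshold are assumptions, not indicators from the incident.

```python
# Added example (not LiteLLM's code, not the malware): audit every .pth file
# that Python will process at startup and surface the lines it would execute.
# site.py runs any .pth line that begins with "import", which is the hook the
# attackers used; the suspicious-line heuristics below are assumptions.
import re
import site
from pathlib import Path

LOADER_HINTS = re.compile(r"\b(exec|eval|compile|base64|b64decode|zlib|marshal|subprocess|__import__)\b")

def executable_pth_lines(text):
    """Lines of a .pth file that the interpreter executes rather than treats as paths."""
    stripped = (line.strip() for line in text.splitlines())
    return [l for l in stripped if l.startswith(("import ", "import\t"))]

def classify_line(line):
    """'suspicious' if the import line looks like a loader, else 'benign'."""
    # "import _virtualenv" or "import sys; sys.__plen = ..." shims are normal;
    # an import line that decodes and executes data, or is very long, is not.
    return "suspicious" if LOADER_HINTS.search(line) or len(line) > 200 else "benign"

def audit_dir(directory):
    """Map each .pth file in directory to [(line, verdict), ...], skipping files with no import lines."""
    findings = {}
    for pth in sorted(Path(directory).glob("*.pth")):
        lines = executable_pth_lines(pth.read_text(errors="replace"))
        if lines:
            findings[pth.name] = [(l, classify_line(l)) for l in lines]
    return findings

def site_packages_dirs():
    """All site-packages directories this interpreter consults, user site included."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    return [d for d in dirs if Path(d).is_dir()]

if __name__ == "__main__":
    for d in site_packages_dirs():
        for name, rows in audit_dir(d).items():
            for line, verdict in rows:
                print(f"{verdict:10} {Path(d) / name}: {line[:120]}")
```

Every flagged line deserves manual review: legitimate tooling such as setuptools also ships import lines in .pth files, so the heuristic trades false positives for coverage.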
Harvesting Cloud Credentials and Crypto Wallets
This payload acted as an indiscriminate credential vacuum. Once triggered by the .pth file, the highly obfuscated malware initiated a multi-stage exfiltration process:
- It harvested local environment variables and shell histories, searching for hardcoded API keys.
- It scanned the filesystem for SSH keys, AWS credentials and Kubernetes kubeconfig files.
- It specifically targeted Web3 infrastructure by scraping for browser extension wallets, local keyfiles and mnemonic seed phrases.
The stolen data was base64-encoded and funneled to an attacker-controlled remote server. The malware also contained a bug: because the .pth launcher spawned a child Python process, and that child triggered the same .pth file on its own startup, the result was an exponential fork bomb. The resulting resource exhaustion crashed host machines, which ironically helped security researchers detect the infection early.
Immediate Steps for Remediation
If you installed LiteLLM version 1.82.7 or 1.82.8, treat your environment as compromised. You must:
- Immediately upgrade to LiteLLM version 1.82.9 or higher.
- Rotate all API keys, AWS credentials, and SSH keys that were present on the infected machine.
- Move any crypto assets secured by local keys on the infected device to new, clean wallets.
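A small triage helper for the steps above, added here and not LiteLLM's or FailSafe's code: it classifies the installed litellm version against the release numbers in this post and lists which of the credential stores named above exist under a home directory so they can be rotated. The file paths under each store are assumptions.

```python
# Added triage helper (not LiteLLM's or FailSafe's code): classify the installed
# litellm version and list the local credential stores named in the post so the
# responder knows what to rotate. Version numbers are the ones from the post.
import re
from importlib import metadata
from pathlib import Path

COMPROMISED = {"1.82.7", "1.82.8"}   # the two malicious releases
FIXED = (1, 82, 9)                   # first clean release to upgrade to

# Credential files the post says the payload harvested (paths are assumptions).
CREDENTIAL_STORES = {
    "ssh": [".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/id_ecdsa"],
    "aws": [".aws/credentials", ".aws/config"],
    "kube": [".kube/config"],
}

def parse_version(version):
    """'1.82.9' -> (1, 82, 9); a suffix such as 'rc1' on a component is ignored."""
    nums = [re.match(r"\d+", p) for p in version.split(".")]
    return tuple(int(m.group()) if m else 0 for m in nums)

def assess_version(version):
    """'compromised' for the two bad releases, 'upgrade' below the fix, else 'ok'."""
    if version in COMPROMISED:
        return "compromised"
    return "ok" if parse_version(version) >= FIXED else "upgrade"

def installed_litellm_version():
    """Installed litellm version string, or None if it is not installed."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None

def stores_to_rotate(home):
    """(kind, path) for every credential store present under home (str or Path)."""
    home = Path(home)
    found = []
    for kind, rel_paths in CREDENTIAL_STORES.items():
        for rel in rel_paths:
            if (home / rel).is_file():
                found.append((kind, str(home / rel)))
    return found

if __name__ == "__main__":
    v = installed_litellm_version()
    print("litellm:", v, "->", assess_version(v) if v else "not installed")
    for kind, path in stores_to_rotate(Path.home()):
        print(f"rotate [{kind}] {path}")
```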
Securing the AI Supply Chain
This attack highlights exactly why AI infrastructure is becoming the primary target for supply chain compromises. Gateways like LiteLLM are single points of failure for massive amounts of credential data. As the ecosystem shifts toward autonomous AI agents, the stakes are exponentially higher. A hijacked dependency can compromise the agent's core identity, granting attackers complete access to the underlying infrastructure.
Secure Your Agentic Architecture with FailSafe
FailSafe provides continuous, agentic vulnerability scanning designed to detect malicious packages and intercept supply chain compromises before they exploit your environment. By scanning dependencies and runtime execution patterns automatically, we catch critical vulnerabilities like the LiteLLM backdoor early.