Executive Summary
On March 24, 2026, the popular Python library litellm (used to call 100+ LLM APIs using the OpenAI format) was compromised in a highly sophisticated, cascading software supply chain attack Snyk Advisory Database opens in a new tab. Rather than targeting the maintainers' workstations directly, the attackers executed a "cascading trust" attack Zscaler ThreatLabz opens in a new tab. By leveraging their earlier compromise of the widely adopted container scanner Trivy inside LiteLLM's GitHub Actions build pipeline, they scraped memory configurations to harvest LiteLLM's long-lived PyPI publishing API token Datadog Security Research opens in a new tab. Using the stolen credentials, they directly published two compromised versions to PyPI: 1.82.7 and 1.82.8 LiteLLM AI Official Advisory opens in a new tab. The backdoored wheels contained a malicious .pth startup hook file designed to execute automatically on Python startup-even if litellm was never explicitly imported Datadog Security Research opens in a new tab. The payload acted as a credential harvester, capturing environment variables, database keys, cloud IAM credentials, and AI provider tokens, exfiltrating the data to TeamPCP C2 servers. PyPI administrators intervened to delete the compromised versions. Use the .pth artifact, Python startup, and publishing-token audit recipes below to determine whether the compromised wheels executed and whether the stolen PyPI identity was reused.