Descriptions:
A critical supply chain attack has compromised LiteLLM, one of the most widely used packages in the AI developer ecosystem with over 97 million monthly downloads. A malicious version — LiteLLM 1.82.8 — was published to the Python Package Index containing a hidden file called `litellm_init.pth` that executes automatically every time Python starts, regardless of whether LiteLLM is explicitly imported or even used.
Fahd Mirza breaks down the three-stage attack in detail: the malware first sweeps the host machine for SSH private keys, AWS, GCP, and Azure credentials, Kubernetes configs, API keys, Git credentials, shell history, database passwords, and crypto wallet files. It then encrypts the stolen data using AES-256 with a session key protected by a 4096-bit RSA public key — meaning only the attacker can decrypt it. Finally, everything is exfiltrated to a lookalike domain (models.llm.cloud) controlled by the attacker. If Kubernetes is running, it also attempts to install a persistent backdoor that survives reboots.
The attack extends well beyond direct LiteLLM users: DSPy and various MCP plugins list LiteLLM as a transitive dependency, so developers who installed those tools through Cursor or other environments may be affected without realizing it. The malware was only discovered because a bug caused runaway process spawning that crashed the victim’s machine. Mirza walks through immediate remediation: check for versions 1.82.7 or 1.82.8, uninstall, purge pip and uv caches, and rotate all credentials that may have been exposed.
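The version check above can be scripted. The following is an added example, not code from the video or from the LiteLLM project: it audits a site-packages directory for the `litellm_init.pth` file name, for the two affected versions, and for any other `.pth` file that runs code at interpreter startup. It assumes a standard pip or uv install layout (`litellm-<version>.dist-info`); the function names are illustrative.

```python
import site
import sys
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # versions named on this page
BAD_PTH = "litellm_init.pth"         # file name named on this page


def executable_lines(pth_file):
    """Lines site.py would exec() at startup: those starting with 'import'."""
    text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def audit(directory):
    """Return (path, reason) findings for one site-packages directory."""
    root, findings = Path(directory), []
    if not root.is_dir():
        return findings
    for pth in sorted(root.glob("*.pth")):
        if pth.name == BAD_PTH:
            findings.append((str(pth), "file name reported for the malicious release"))
        elif executable_lines(pth):
            # Legitimate tools also use this hook, so this is a review item.
            findings.append((str(pth), "runs code at interpreter startup; review"))
    for info in sorted(root.glob("litellm-*.dist-info")):
        version = info.name[len("litellm-"):-len(".dist-info")]
        if version in BAD_VERSIONS:
            findings.append((str(info), "litellm " + version + " is installed"))
    return findings


def default_dirs():
    """site-packages directories of the interpreter running this script."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return dirs


if __name__ == "__main__":
    # Directories may be passed as arguments; otherwise use this interpreter's.
    hits = [f for d in (sys.argv[1:] or default_dirs()) for f in audit(d)]
    for path, reason in hits:
        print(path + ": " + reason)
    sys.exit(1 if hits else 0)
```

Because the file runs whenever Python starts, run the script from an interpreter outside the suspect environment (or with `python -S`, which skips `.pth` processing) and pass the suspect site-packages path as an argument.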
📺 Source: Fahd Mirza · Published March 24, 2026
🏷️ Format: News Analysis






