Supply Chain Attack Targets litellm Library to Steal Cloud Credentials and Hijack Kubernetes Clusters
Take action: If you use litellm in any project, check immediately whether you have version 1.82.7 or 1.82.8 installed. If so, isolate the affected systems, revert to a clean version, and rotate every credential on those machines (SSH keys, cloud tokens, API keys, database passwords, crypto wallets, all of it). Because this attack can spread through other tools that depend on litellm, also audit your broader Python environments and CI/CD pipelines for these versions, remove any persistence files (sysmon.py, sysmon.service), and check Kubernetes clusters for unauthorized pods.
The hacker group TeamPCP executed a supply chain attack on the Python library litellm, maintained by Berri AI. On March 24, 2026, two malicious versions (1.82.7 and 1.82.8) were published to PyPI. The breach originated from a poisoned Trivy security scan dependency in Berri AI’s CI/CD workflow, which stole credentials and enabled the deployment of the malicious versions.
Vulnerabilities summary:
- litellm version 1.82.7 (CVSS score TBD): A malicious code injection in the proxy_server.py component that triggers during module import. The payload runs automatically when a process imports the litellm.proxy.proxy_server module, allowing for immediate credential theft. This version requires the library to be actively used by an application to activate the malware.
- litellm version 1.82.8 (CVSS score TBD): A malicious .pth file injection at the package root that executes during any Python interpreter startup. The malware runs even if the litellm library is never imported, as long as it exists in the site-packages directory. This version also included a bug that caused an exponential fork bomb, leading to system crashes on affected machines.
The payload executes a three-stage attack. The malware sweeps the host system for sensitive information, then steals the encrypted archive (tpcp.tar.gz) and uploads it to models.litellm[.]cloud. If the environment contains Kubernetes service account tokens, the malware deploys privileged pods across all nodes to install a persistent system backdoor (sysmon.service). This backdoor then persistently polls checkmarx[.]zone/raw for additional payloads, using a youtube[.]com URL as a kill switch to abort execution.
Exposed data items include:
- SSH private keys, configurations, and known hosts.
- Cloud provider credentials for AWS, GCP, and Azure.
- Kubernetes configurations and service account tokens.
- Environment variables (.env files) containing API keys and database passwords.
- Cryptocurrency wallet files for Bitcoin, Ethereum, Solana, and others.
- Shell history, Git credentials, and Docker configuration files.
The compromise affects litellm versions 1.82.7 and 1.82.8 installed via PyPI. Because litellm is a common dependency for AI orchestration tools and agent frameworks, many users may have installed the malicious code transitively through other software.
Organizations must immediately audit their environments for the affected versions, isolate affected hosts, and revert to a known-clean release. Search for and remove the persistence file ~/.config/sysmon/sysmon.py and the associated sysmon.service systemd unit. Inspect the kube-system namespace for unauthorized pods and review cluster secrets for signs of access. Revoke and rotate all credentials present in the compromised environment, including SSH keys and cloud tokens.
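The host-side part of that audit can be scripted. The following is an added example, not code from Berri AI or from the original advisory: it checks installed package metadata for the two affected versions, lists .pth files that execute code at interpreter startup, and looks for the persistence files. The function name `audit` and the systemd unit directories are assumptions, since the advisory names only the unit file.

```python
"""Host audit for the indicators named in this advisory (added example)."""
import site
from importlib.metadata import distributions
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # affected releases, from the advisory


def audit(site_dirs, home, system_units="/etc/systemd/system"):
    """Return (kind, detail) findings for one Python environment and home dir."""
    findings = []
    site_dirs = [str(d) for d in site_dirs]

    # 1. Affected litellm releases, read from installed package metadata so
    #    transitive installs are caught as well as direct ones.
    for dist in distributions(path=site_dirs):
        name = (dist.metadata.get("Name") or "").lower()
        if name == "litellm" and dist.version in BAD_VERSIONS:
            findings.append(("affected-version", f"litellm=={dist.version}"))

    # 2. A .pth line that starts with "import" is executed at every interpreter
    #    startup. Legitimate packages do this too, so flag for manual review.
    for d in site_dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            lines = pth.read_text(errors="replace").splitlines()
            if any(ln.startswith(("import ", "import\t")) for ln in lines):
                findings.append(("review-pth", str(pth)))

    # 3. Persistence files. sysmon.py's path is from the advisory; the unit
    #    directories are assumptions (the advisory gives only the unit name).
    home = Path(home)
    candidates = [
        home / ".config/sysmon/sysmon.py",
        home / ".config/systemd/user/sysmon.service",
        Path(system_units) / "sysmon.service",
    ]
    findings += [("persistence", str(p)) for p in candidates if p.exists()]
    return findings


if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for kind, detail in audit(dirs, Path.home()):
        print(f"{kind}\t{detail}")
```

Run it with each interpreter and virtual environment on the host, including those used by CI/CD runners, because each has its own site-packages directory.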
"The open source supply chain is collapsing in on itself," Gal Nagli, head of threat exposure at Google-owned Wiz, said in a post on X. "Trivy gets compromised → LiteLLM gets compromised → credentials from tens of thousands of environments end up in attacker hands → and those credentials lead to the next compromise. We are stuck in a loop."