Monday 30 March 2026, Afternoon Edition

ZOTPAPER

News without the noise


Cybersecurity

Popular AI Library LiteLLM Compromised on PyPI With Credential Stealer That Activates on Install

The malicious payload hidden in base64 hoovered up SSH keys, cloud credentials, shell history, and database passwords

Zotpaper · 2 min read · 4 sources
LiteLLM, a widely used Python library for interacting with multiple AI model providers, was compromised on the Python Package Index with a credential stealer that activated simply by installing the package, even without importing it in code.

The attack was discovered in LiteLLM version 1.82.8, which contained a malicious .pth file — a Python path configuration file that executes automatically when Python starts. The payload was encoded in base64 to avoid detection and would silently exfiltrate an extensive list of sensitive files from the victim's system.

The stolen data included SSH keys, Git credentials, AWS and Azure configuration files, Docker configs, Kubernetes configs, database passwords for MySQL and PostgreSQL, shell history files, npm tokens, and Vault tokens. The breadth of the credential harvesting suggests a sophisticated attacker targeting developer and DevOps environments specifically.

Version 1.82.7 also contained the exploit but in a less dangerous form — it was placed in the proxy server module, meaning the package had to be imported to trigger. The 1.82.8 version escalated the attack by using the .pth file mechanism, which runs at Python startup.
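The .pth mechanism described above is worth being able to audit on your own machines. The site module reads every `*.pth` file in a site-packages directory at interpreter start; ordinary lines are added to `sys.path`, but any line that begins with `import ` (or `import` followed by a tab) is executed, which is what turns a path file into a loader. The scanner below is an added example, not code from the article or from the LiteLLM project: it lists every executable line in each .pth file, flags tokens typical of an obfuscated loader, and attempts to decode long base64 literals so an analyst can see what a line would run. The sample .pth bodies are constructed stand-ins and do not reproduce the real payload.

```python
"""Audit .pth files for lines that execute code at Python startup.

Added example (not from the article or the LiteLLM project). The site module
executes any .pth line starting with "import " or "import\t"; everything else
is treated as a path. The sample .pth bodies below are constructed.
"""
import base64
import binascii
import re
import site
from pathlib import Path

# Tokens that rarely belong in a path-configuration file but are typical of
# an obfuscated loader. Presence raises a line from "review" to "high".
SUSPICIOUS_TOKENS = ("base64", "b64decode", "exec(", "eval(", "compile(",
                     "zlib", "marshal", "socket", "urllib", "subprocess",
                     "requests", "os.system")
# A run of 40+ base64 characters is worth decoding for the analyst.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def analyze_pth(text: str) -> list[dict]:
    """Return one finding per line that site.py would execute."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        # site.py checks the raw line start; an indented "import" is NOT executed.
        if not line.startswith(("import ", "import\t")):
            continue
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok in line]
        decoded = []
        for literal in B64_LITERAL.findall(line):
            try:
                blob = base64.b64decode(literal, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, leave it for manual review
            decoded.append(blob.decode("utf-8", errors="replace")[:80])
        findings.append({
            "line": lineno,
            "source": line,
            "suspicious_tokens": hits,
            "decoded_preview": decoded,
            "severity": "high" if hits or decoded else "review",
        })
    return findings


def scan_site_packages(dirs=None) -> dict[str, list[dict]]:
    """Analyze every .pth file in the given (or this interpreter's) site dirs."""
    if dirs is None:
        dirs = list(getattr(site, "getsitepackages", lambda: [])())
        dirs.append(site.getusersitepackages())
    report = {}
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            try:
                text = pth.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            findings = analyze_pth(text)
            if findings:
                report[str(pth)] = findings
    return report


# Constructed samples (not the real payload).
PATH_ONLY_PTH = "/usr/local/lib/extras\n# a comment line\n"
BENIGN_IMPORT_PTH = (
    "/opt/tools/lib\n"
    "import os; os.environ.setdefault('TOOL_HOME', '/opt/tools')\n"
)
# The "payload" here is a harmless print(), base64-encoded at runtime so the
# sample looks like a real loader line without shipping an opaque blob.
_STAND_IN = base64.b64encode(b'print("harmless stand-in code")').decode()
CONSTRUCTED_LOADER_PTH = f"import base64; exec(base64.b64decode('{_STAND_IN}'))\n"


if __name__ == "__main__":
    for name, body in [("path-only", PATH_ONLY_PTH),
                       ("benign import", BENIGN_IMPORT_PTH),
                       ("constructed loader", CONSTRUCTED_LOADER_PTH)]:
        print(name, "->", analyze_pth(body))
    for path, findings in scan_site_packages().items():
        print(path)
        for f in findings:
            print(f"  line {f['line']} [{f['severity']}]: {f['source']}")
```

Run it inside the environment you want to audit (its own site-packages are scanned by default, or pass a list of directories). Not every executable line is malicious: setuptools and some editable installs ship legitimate `import` lines, so the tool reports those as "review" and reserves "high" for lines that combine execution with decoding, compilation or network tokens.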

PyPI has quarantined the package, limiting the exposure window to a few hours. However, anyone who installed the affected versions during that period should assume their credentials have been compromised and rotate all secrets immediately.

Analysis

Why This Matters

LiteLLM is used by thousands of developers building AI applications. A supply chain compromise of this nature could have given attackers access to production infrastructure across hundreds of organisations.

Background

Supply chain attacks on package registries have been increasing steadily. The .pth file technique is particularly insidious because it bypasses the typical assumption that you need to import a package for its code to run.

Key Perspectives

This attack highlights the fragility of the Python packaging ecosystem. Despite improvements like package signing and provenance attestation, a compromised maintainer account or build pipeline can still inject malicious code into widely trusted packages.

What to Watch

How the LiteLLM team responds regarding how the compromise occurred — whether it was a stolen maintainer token, a compromised CI pipeline, or something else — will be crucial for the broader open-source security community.
