Overview
- Two LiteLLM packages on PyPI, versions 1.82.7 and 1.82.8, shipped with a backdoor and were later removed, with guidance to downgrade to 1.82.6 and to check for a litellm_init.pth file.
- The malware ran in three steps that stole credentials, moved across Kubernetes clusters, and planted a persistent backdoor masked as a system telemetry service.
- Attackers hid code in 1.82.7 that executed when users imported proxy_server.py and shifted in 1.82.8 to a Python .pth file that ran on every interpreter start.
- Stolen data included SSH keys, cloud credentials for AWS and GCP, Kubernetes secrets, crypto wallets, and CI/CD tokens, which were sent to a look‑alike domain using strong encryption.
- Endor Labs linked the operation to the group TeamPCP, which allegedly abused a prior Trivy compromise in LiteLLM’s CI/CD, prompting calls to rotate all keys and audit recent pipeline runs.