The LiteLLM Supply Chain Attack: What Every AI Team Needs to Know
On March 24, 2026, two malicious versions of LiteLLM — the most popular open-source LLM proxy with 3.4 million daily downloads — were published to PyPI. For approximately three hours, anyone who ran pip install litellm received a backdoored package that harvested SSH keys, cloud credentials, Kubernetes tokens, and environment variables.
The attack was Phase 9 of an ongoing campaign by the threat actor TeamPCP, which had already compromised Trivy (Aqua Security's vulnerability scanner), Checkmarx KICS, and 80+ npm packages in the preceding five days.
This wasn't a theoretical vulnerability. This was active, weaponized credential theft targeting AI infrastructure at scale.
Timeline of the Attack
| Date | Event |
|---|---|
| Mar 19 | TeamPCP compromises Trivy repository via stolen GitHub credentials |
| Mar 20–22 | Self-propagating npm worm deployed across 45+ packages |
| Mar 23 | Checkmarx GitHub Actions and OpenVSX extensions compromised |
| Mar 24, 10:39 UTC | Malicious LiteLLM v1.82.7 published to PyPI |
| Mar 24, ~12:00 UTC | Malicious LiteLLM v1.82.8 published (more dangerous — auto-executes on import) |
| Mar 24, 16:00 UTC | PyPI quarantines both versions (~3 hour exposure window) |
| Mar 25 | Community detection scripts released |
| Mar 26 | Additional C2 domain identified |
| Mar 27 | LiteLLM publishes safe version checksums; Mandiant engaged for forensics |
What the Malicious Code Did
The attack was sophisticated and multi-staged. Here's the technical breakdown:
Stage 1: Initial Execution
Version 1.82.7 embedded malicious code inside proxy_server.py — it only executed when the LiteLLM proxy module was imported.
Version 1.82.8 was significantly more dangerous. It included a litellm_init.pth file — a Python mechanism where executable lines in .pth files run automatically during interpreter startup. This means any Python process on the system would trigger the payload, not just LiteLLM imports.
Stage 2: Credential Harvesting
The payload systematically collected:
| Target | What Was Stolen |
|---|---|
| Environment variables | API keys, database passwords, secrets |
| SSH keys | ~/.ssh/id_rsa, ~/.ssh/id_ed25519, authorized_keys |
| Cloud credentials | AWS (~/.aws/credentials), GCP service accounts, Azure tokens |
| Kubernetes | Service tokens, kubeconfig, namespace secrets |
| CI/CD | GitHub tokens, GitLab CI variables, Jenkins credentials |
| Application secrets | .env files, database connection strings |
Stage 3: Encrypted Exfiltration
Harvested data was encrypted with AES-256 session keys wrapped with RSA-4096 and exfiltrated via POST requests to models.litellm[.]cloud — a domain designed to look like legitimate LiteLLM infrastructure. The request header X-Filename: tpcp.tar.gz was the signature of TeamPCP's tooling.
Stage 4: Persistence & Lateral Movement
The malware installed:
- Systemd backdoor at
~/.config/sysmon/sysmon.pywith a persistent user unit - C2 polling to
checkmarx[.]zone/rawfor follow-on payloads - Kubernetes propagation — when service tokens were available, it created privileged
node-setup-*pods for cluster-wide compromise
Stage 5: Destructive Payload
In a particularly alarming detail: the Kubernetes payload included geolocation-based logic. Systems geolocated to Iran received a kamikaze container that deleted the host filesystem and force-rebooted the node. All other systems received persistent backdoors.
Why This Matters for AI Teams
LiteLLM is foundational infrastructure for AI teams. It's the de facto standard for:
- LLM proxy routing — managing multiple AI providers (OpenAI, Anthropic, Google, etc.)
- API key management — centralizing credentials for LLM endpoints
- Cost tracking — monitoring token usage across providers
- Rate limiting — preventing API abuse
This means LiteLLM deployments typically have access to every API key in the organization's AI stack. A compromised LiteLLM instance exposes:
- OpenAI, Anthropic, Google, and other LLM provider API keys
- Internal service credentials
- Database connection strings
- Cloud infrastructure access
The blast radius of this single package compromise is enormous precisely because LiteLLM sits at the center of AI infrastructure.
LiteLLM's History of Security Issues
The March 2026 supply chain attack was the most severe incident, but LiteLLM has had a pattern of security vulnerabilities over the past two years:
| CVE | Type | Severity | Version | Description |
|---|---|---|---|---|
| CVE-2025-45809 | SQL Injection | Critical | < 1.81.0 | Arbitrary command execution via /key/block and /key/unblock endpoints |
| CVE-2024-5225 | SQL Injection | High | 1.27.14+ | Unvalidated api_key parameter in /global/spend/logs |
| CVE-2024-9606 | Info Disclosure | Medium | < 1.44.12 | API key masking only covers first 5 characters |
| CVE-2025-0330 | Credential Leak | High | 1.52.1 | Langfuse API keys leaked via proxy_server.py |
| — | SSRF | High | 1.38.10 | api_base parameter allows server-side requests to arbitrary domains |
| — | RCE | Critical | 1.40.12 | Remote code execution via post_call_rules callback import |
The pattern reveals a consistent theme: insufficient input validation on parameters that control server-side behavior — exactly the type of vulnerability class that requires deep security testing to catch.
How Nebula Detects These Vulnerability Classes
At Breachline, we built Nebula specifically to find the types of vulnerabilities that led to this incident — and the types of vulnerabilities that existed in LiteLLM long before the supply chain attack.
Supply Chain Analysis
Nebula's supply_chain_scan capability analyzes dependency trees for:
- Known vulnerable versions — cross-referencing against CVE databases in real-time
- Typosquatting detection — identifying packages with names similar to legitimate dependencies
- Dependency confusion — checking for internal package names that could be hijacked on public registries
- Version pinning audit — flagging unpinned dependencies that are vulnerable to substitution attacks
SSRF Detection
The LiteLLM SSRF vulnerability (allowing api_base manipulation) is precisely the type of finding Nebula excels at. When Nebula encounters an API endpoint that accepts URL parameters, it systematically tests:
- Internal network access (
http://127.0.0.1,http://169.254.169.254) - Cloud metadata endpoints
- Protocol smuggling (
file://,gopher://) - DNS rebinding scenarios
In our recent benchmark testing, Nebula successfully identified and exploited SSRF vulnerabilities across 3 different challenge scenarios — including SSRF via image fetching and SSRF via markdown rendering.
SQL Injection
LiteLLM's SQL injection vulnerabilities (CVE-2025-45809, CVE-2024-5225) allowed attackers to execute arbitrary commands through API management endpoints. Nebula tests every input parameter for injection, including:
- API keys and authentication tokens as injection vectors
- Management endpoints that developers often assume are "internal only"
- Blind SQL injection via time-based and boolean-based techniques
Authentication & Authorization Flaws
The credential leakage issues in LiteLLM (CVE-2024-9606, CVE-2025-0330) represent broken access controls — sensitive data exposed through insufficient masking or improper error handling. Nebula tests for:
- API key exposure in error responses and logs
- Authentication bypass via header manipulation
- Privilege escalation through parameter tampering
- Improper access controls on administrative endpoints
Protecting Your LLM Infrastructure
Immediate Actions (If You Use LiteLLM)
If your organization installed LiteLLM between March 24 10:39 UTC and 16:00 UTC:
- Treat the system as fully compromised — removing the package alone is not sufficient
- Rotate all credentials — API keys, cloud credentials, SSH keys, database passwords, Kubernetes tokens
- Check for persistence — look for
litellm_init.pthin site-packages,~/.config/sysmon/sysmon.py, andnode-setup-*pods in Kubernetes - Audit CI/CD pipelines — any artifacts built during the exposure window may be compromised
- Monitor for C2 traffic — watch for connections to
models.litellm[.]cloudandcheckmarx[.]zone
Long-Term Recommendations
| Practice | Why It Matters |
|---|---|
| Pin all dependency versions | Prevents automatic installation of compromised releases |
| Use hash verification | pip install litellm==1.82.6 --hash=sha256:... ensures package integrity |
| Isolate LLM proxy infrastructure | Limit blast radius — LLM proxy shouldn't have access to SSH keys or K8s tokens |
| Continuous security testing | Quarterly pentests miss vulnerabilities that exist between test cycles |
| Monitor dependency advisories | Subscribe to security feeds for critical infrastructure packages |
| Run autonomous security assessments | AI-powered testing catches SSRF, SQLi, and auth flaws before attackers do |
The Bigger Picture
The LiteLLM incident illustrates a fundamental challenge in AI infrastructure security: the tools we use to build AI systems are themselves attack surfaces.
LiteLLM had 6 known CVEs in 2025 alone — SSRF, SQL injection, RCE, credential leakage. Each of these was a window of opportunity for attackers. The March 2026 supply chain attack simply demonstrated what happens when those windows aren't closed fast enough.
The organizations that weathered this incident best were those running:
- Pinned dependencies with hash verification
- Isolated deployment environments limiting credential exposure
- Continuous security testing that would have caught the SSRF and SQLi vulnerabilities before they became entrypoints
The question isn't whether your AI infrastructure will be targeted. It's whether you'll find the vulnerabilities before the attackers do.
Breachline Nebula provides continuous, autonomous security testing for web applications and AI infrastructure. Learn more at breachline.io.
Sources: LiteLLM Official Security Update, Datadog Security Labs Analysis, Snyk Research, Arctic Wolf Advisory
