Compromised versions of LiteLLM on PyPI were stealing sensitive data and spreading in Kubernetes environments. Find out how this incident is affecting cloud and AI infrastructure.
An incident that made its way directly into the official repository
The security incident affecting the LiteLLM library is one of those that has a very practical impact on the functioning of cloud and AI solutions. Two malicious versions of the package (1.82.7 and 1.82.8) made their way into the official PyPI repository; these versions were capable not only of collecting sensitive data but also of actively spreading throughout the infrastructure.
According to findings by Endor Labs, JFrog, and Wiz , these versions were published on March 24, 2026, and were subsequently removed after being discovered. Version 1.82.6 is considered the last secure version.
What Happened After the Package Was Deployed
The malicious code was designed to extract data directly from the environment in which it was executed. It primarily targeted access credentials, SSH keys, Kubernetes tokens, configuration files, and .env files.
The stolen data was then sent to infrastructure controlled by the attacker. Furthermore, when deployed in a Kubernetes environment, the malware attempted to spread further—it exploited available tokens, analyzed the cluster structure, and attempted to deploy privileged workloads.
A Technical Difference That Increased the Risk
The difference between the compromised versions was significant. While version 1.82.7 activated the malicious code upon a specific interaction with the library, version 1.82.8 also contained a .pth file.
This file allows the code to run automatically when the Python interpreter starts, meaning that a compromise could occur even without directly using the library.
Background of the Attack and Broader Context
Available information suggests that the incident did not occur through the standard development process, but rather through compromised access to the package’s publishing system.
The attack is also linked to the activities of the TeamPCP group , which has recently been targeting the open-source ecosystem and gradually expanding its reach.
Impact on Cloud and AI Environments
LiteLLM is one of the most widely used libraries and, according to available data, is present in approximately 36% of cloud environments.
If the package was used in CI/CD pipelines, containers, or production Kubernetes clusters, there is a real risk that the compromise could have affected the broader infrastructure, including other systems and access points.
What This Means in Practice
From a practical standpoint, it is crucial to verify whether compromised versions were present in the environment. If they were used, the situation must be treated as a potential data breach.
This includes reviewing the infrastructure, monitoring communications, and rotating access credentials. The incident also highlights that software supply chain security is now a critical issue for any organization working with the cloud or AI.