Executive Summary
In March 2026, the LiteLLM Python package, a widely used library and proxy for managing large language model (LLM) APIs, was compromised in a supply chain attack attributed to the threat actor group TeamPCP. Malicious versions 1.82.7 and 1.82.8 were published on the Python Package Index (PyPI), containing code designed to exfiltrate sensitive credentials, including SSH keys, cloud tokens, and Kubernetes secrets. Because LiteLLM typically sits in front of many LLM providers and holds their API keys, a compromised install exposes every downstream credential it proxies, potentially opening a vast array of systems to unauthorized access. The compromised versions have since been removed from PyPI. Users are advised to verify which version is installed, rotate all potentially exposed credentials, and monitor for unauthorized activity. (netspi.com)
This incident underscores the escalating threat of supply chain attacks targeting open-source software repositories. The LiteLLM compromise highlights the critical need for organizations to implement stringent security measures within their software development and deployment pipelines to mitigate the risks associated with third-party dependencies.
Why This Matters Now
The LiteLLM supply chain attack exemplifies the growing trend of threat actors targeting widely used open-source packages to infiltrate enterprise environments. As organizations increasingly rely on such tools for AI and machine learning operations, ensuring the integrity of these components is paramount to prevent potential breaches and data exfiltration.
Attack Path Analysis
The attack began with the compromise of a LiteLLM maintainer's GitHub account, which the adversary used to inject malicious code into versions 1.82.7 and 1.82.8 of the package. In 1.82.8 the payload shipped as a litellm_init.pth file; Python processes .pth files in site-packages at interpreter start-up, so the code ran on every Python launch in the affected environment without the application ever importing litellm. The payload harvested credentials and system information (SSH keys, cloud provider tokens, Kubernetes secrets and API keys), then attempted to move laterally across Kubernetes clusters by deploying privileged pods to every node. Collected data was encrypted and transmitted to an attacker-controlled server, giving the adversary unauthorized access to sensitive data and a foothold for further control of affected systems.
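The verification step the summary recommends comes down to two checks on every Python environment: is one of the two pulled releases installed, and does site-packages contain a .pth file that executes code at start-up. The script below is an added example for this advisory, not code from the LiteLLM project, the cited reports, or Aviatrix. It assumes the affected versions are exactly 1.82.7 and 1.82.8 and that the malicious file is named litellm_init.pth (both taken from the sources listed on this page); the .pth contents it scans in demo() are constructed and inert.

```python
"""
Check a Python environment for the compromised LiteLLM releases and for
.pth files that execute code at interpreter start-up.

Added example for this advisory; it is not code from the LiteLLM project,
the cited reports, or Aviatrix. Assumptions: the affected versions are
exactly 1.82.7 and 1.82.8 and the malicious file is named litellm_init.pth
(both from the sources on this page). The .pth contents used in demo() are
constructed and inert; the real payload is not reproduced.
"""
import os
import re
import site
import tempfile
from importlib import metadata

AFFECTED_VERSIONS = {"1.82.7", "1.82.8"}
SUSPECT_PTH_NAMES = {"litellm_init.pth"}

# site.py executes any .pth line that starts with "import" followed by a
# space or tab; every other line is treated as a path to add to sys.path.
_EXEC_LINE = re.compile(r"^import[ \t]")


def is_affected_version(version: str) -> bool:
    """Exact match on the two pulled releases; local builds such as
    1.82.8+dirty are deliberately not matched, so inspect those by hand."""
    return version.strip() in AFFECTED_VERSIONS


def installed_litellm_version():
    """Installed litellm version from package metadata, or None if absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def find_executable_pth(site_dir: str) -> list:
    """Return (filename, detail) pairs for every .pth in site_dir that either
    carries a known malicious name or contains a line that executes code."""
    findings = []
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        if name in SUSPECT_PTH_NAMES:
            findings.append((name, "known malicious file name"))
        with open(os.path.join(site_dir, name), encoding="utf-8",
                  errors="replace") as fh:
            for line in fh.read().splitlines():
                if _EXEC_LINE.match(line):
                    findings.append((name, line))
    return findings


def demo() -> list:
    """Scan a constructed site-packages directory holding one benign
    path-only .pth and one .pth whose first line runs code at start-up."""
    with tempfile.TemporaryDirectory() as site_dir:
        with open(os.path.join(site_dir, "easy-install.pth"), "w") as fh:
            fh.write("./some_editable_pkg\n")                 # constructed, benign
        with open(os.path.join(site_dir, "litellm_init.pth"), "w") as fh:
            fh.write("import os; os.environ.get('HOME')\n")   # constructed, inert
        return find_executable_pth(site_dir)


if __name__ == "__main__":
    ver = installed_litellm_version()
    print("litellm:", ver or "not installed",
          "(AFFECTED)" if ver and is_affected_version(ver) else "")
    dirs = getattr(site, "getsitepackages", lambda: [])() + [site.getusersitepackages()]
    for site_dir in dirs:
        if os.path.isdir(site_dir):
            for name, detail in find_executable_pth(site_dir):
                print(f"{site_dir}/{name}: {detail}")
```

Run it with the same interpreter the application uses (a container image's interpreter, not the operator's laptop), since .pth files are per-site-packages. Any "import" line in a .pth you did not put there deserves the same treatment as the known file name: rotate the credentials that host could reach, not just remove the file.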
Kill Chain Progression
Initial Compromise
Description
The adversary compromised a LiteLLM maintainer's GitHub account and injected malicious code into versions 1.82.7 and 1.82.8 of the package.
MITRE ATT&CK® Techniques
Compromise Software Dependencies and Development Tools (T1195.001)
Compromise Software Supply Chain (T1195.002)
Command and Scripting Interpreter: Python (T1059.006)
Archive Collected Data: Archive via Utility (T1560.001)
Exfiltration Over C2 Channel (T1041)
Valid Accounts (T1078)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the integrity of software and firmware
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Supply Chain Risk Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the compromise, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
LiteLLM supply chain compromise exposed critical AI infrastructure dependencies, requiring immediate credential rotation and zero-trust segmentation for development environments.
Information Technology/IT
PyPI package compromise demonstrates supply chain vulnerabilities in AI/ML tooling, necessitating enhanced egress filtering and multicloud visibility controls.
Financial Services
Credential aggregation point compromise in LLM proxies threatens regulatory compliance, demanding encrypted traffic controls and anomaly detection capabilities.
Health Care / Life Sciences
AI infrastructure supply chain attacks risk HIPAA compliance violations through credential exfiltration, requiring Kubernetes security and threat detection enhancements.
Sources
- LiteLLM Supply Chain Compromise (NetSPI): https://www.netspi.com/blog/executive-blog/ai-ml-pentesting/litellm-supply-chain-compromise/
- Top LLM PyPl package compromised to steal user details - here's what we know (TechRadar): https://www.techradar.com/pro/security/top-llm-pypl-package-compromised-to-steal-user-details-heres-what-we-know
- LiteLLM PyPI compromise: Everything we know so far (ITPro): https://www.itpro.com/security/litellm-pypi-compromise-everything-we-know-so-far
- [Security]: CRITICAL: Malicious litellm_init.pth in litellm 1.82.8 — credential stealer (BerriAI/litellm issue #24512): https://github.com/BerriAI/litellm/issues/24512
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Aviatrix CNSF would not prevent the initial compromise of the package, but it could limit what the attacker can do with it once it runs inside the cloud environment.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could limit the attacker's reach to sensitive credentials and system information by enforcing strict access controls between workloads.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could constrain lateral movement by monitoring and controlling internal traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could help surface and block command and control channels by providing comprehensive monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could constrain data exfiltration by enforcing strict outbound traffic policies, so that connections to an unapproved attacker-controlled server are denied rather than allowed by default.
Aviatrix Zero Trust CNSF could reduce the overall impact of the compromise by limiting the attacker's access to and control over affected systems.
Impact at a Glance
Affected Business Functions
- AI/ML Model Deployment
- API Management
- Credential Management
- Cloud Infrastructure
Estimated downtime: 7 days
Estimated loss: $500,000
Exfiltration of sensitive credentials including SSH keys, cloud provider tokens, Kubernetes secrets, and API keys.
Recommended Actions
Key Takeaways & Next Steps
- Implement supply chain management programs to assess the trustworthiness of software suppliers and validate the integrity of software components.
- Utilize code signing and integrity checks to verify the authenticity of software packages before deployment.
- Enforce zero trust segmentation to limit lateral movement within Kubernetes clusters and other critical infrastructure.
- Deploy egress security and policy enforcement mechanisms to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Establish threat detection and anomaly response capabilities to identify and respond to suspicious activities promptly.
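The lateral movement step in the attack path, privileged pods pushed to every node, is the one a cluster-side control can stop regardless of how the package got in. The check below is an added example for this advisory, not Aviatrix, Kubernetes, or LiteLLM code. Its rule set (no privileged containers, no host PID/IPC/network namespaces, no hostPath volumes, no added capabilities, privilege escalation explicitly disabled) is this example's own baseline, close to the Kubernetes "restricted" Pod Security Standard, and not a control the page names; both manifests are constructed.

```python
"""
Admission-style check that rejects pod specs granting node-level access:
the privileged-pod-on-every-node pattern this advisory describes as the
attacker's lateral movement step.

Added example for this advisory; it is not Aviatrix, Kubernetes, or LiteLLM
code. The rule set is this example's baseline (close to the Kubernetes
"restricted" Pod Security Standard), not a control the page names. Both
manifests below are constructed. In a cluster this logic would sit behind a
validating admission webhook or be expressed as a Pod Security Admission policy.
"""


def _containers(spec: dict) -> list:
    return spec.get("containers", []) + spec.get("initContainers", [])


def pod_violations(pod: dict) -> list:
    """Human-readable policy violations; an empty list means admit."""
    spec = pod.get("spec", {})
    found = []
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            found.append(f"spec.{ns} is true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol.get('name')!r} mounts hostPath "
                         f"{vol['hostPath'].get('path')!r}")
    for c in _containers(spec):
        name = c.get("name")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f"container {name!r} is privileged")
        # Kubernetes defaults allowPrivilegeEscalation to true, so the
        # field must be present and false to pass.
        if sc.get("allowPrivilegeEscalation", True):
            found.append(f"container {name!r} does not disable privilege escalation")
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            found.append(f"container {name!r} adds capabilities {added}")
    return found


def admit(pod: dict) -> bool:
    return not pod_violations(pod)


# Constructed: the shape of a pod used to take over the node it lands on.
ROGUE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "node-hijack"},
    "spec": {
        "hostPID": True,
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell",
            "image": "alpine",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "root", "mountPath": "/host"}],
        }],
    },
}

# Constructed: an ordinary LLM proxy workload that passes the policy.
SAFE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "llm-proxy"},
    "spec": {
        "containers": [{
            "name": "proxy",
            "image": "registry.example/llm-proxy:pinned",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (ROGUE_POD, SAFE_POD):
        print(pod["metadata"]["name"], "admitted" if admit(pod) else "rejected")
        for v in pod_violations(pod):
            print("  -", v)
```

The point of the rogue manifest is that each field on its own is sometimes legitimate (node agents need hostPID, CNI plugins need hostNetwork), so the policy should be enforced per namespace with explicit exemptions for system workloads, and a service account that merely runs an LLM proxy should never hold the RBAC rights to create pods in the first place.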