A supply chain attack on the LiteLLM library has compromised versions 1.82.7 and 1.82.8 on PyPI. The breach resulted in the theft of SSH private keys, Kubernetes configurations, and cryptocurrency wallets. Credentials for AWS and GCP, alongside Azure configurations, were also exfiltrated.
- Hackers compromise LiteLLM versions 1.82.7 and 1.82.8 on PyPI to exfiltrate sensitive cloud credentials and cryptocurrency wallets.
- The malicious code sat on PyPI for two hours on March 24, potentially affecting projects that depend on a library with tens of millions of monthly downloads.
- The TeamPCP breach exposes a terminal reliance on open-source wrappers, allowing a single poisoned package to compromise global AI production infrastructure.
Poisoned Packages and Startup Payloads
Infected code sat on PyPI for roughly two hours on March 24 before administrators removed it. LiteLLM unifies calls to multiple large language model APIs and sees tens of millions of monthly downloads. Attackers delivered the credential-stealing payload through a .pth file that executed automatically upon Python startup. This method bypassed the need for an explicit function call.
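The startup mechanism described above can be audited on an installed environment. The following added example (not code from LiteLLM, PyPI or the researchers named in this article) lists every .pth line the interpreter would execute at startup; the `SUSPICIOUS` token list and the sample files are constructed assumptions, not details of the actual payload.

```python
import site
import tempfile
from pathlib import Path

# Tokens that make an executable .pth line worth a closer look.
# Assumed heuristic for this example, not taken from the LiteLLM payload.
SUSPICIOUS = ("exec(", "eval(", "base64", "subprocess", "urllib", "socket", "os.system")


def executable_pth_lines(pth_file):
    """Return (line_no, text) for lines that site.py would execute at startup."""
    hits = []
    text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    for no, line in enumerate(text.splitlines(), 1):
        # site.py executes any line starting with "import" plus a space or tab;
        # other non-comment lines are only treated as paths for sys.path.
        if line.startswith(("import ", "import\t")):
            hits.append((no, line.strip()))
    return hits


def scan_dirs(dirs):
    """Scan directories for .pth files and grade each executable line."""
    findings = []
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            for no, line in executable_pth_lines(pth):
                level = "high" if any(t in line for t in SUSPICIOUS) else "review"
                findings.append({"file": pth.name, "line": no, "level": level, "code": line[:120]})
    return findings


def demo():
    """Scan constructed sample files written to a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "paths_only.pth").write_text("# comment\n./vendor\n")
        Path(tmp, "editable.pth").write_text("import sys; sys.dont_write_bytecode = False\n")
        # Constructed, inert sample: the encoded string decodes to "pass".
        Path(tmp, "loader.pth").write_text("./lib\nimport base64; exec(base64.b64decode('cGFzcw=='))\n")
        return scan_dirs([tmp])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    # Audit the running interpreter's system and per-user site-packages.
    targets = site.getsitepackages() + [site.getusersitepackages()]
    for finding in scan_dirs(d for d in targets if Path(d).is_dir()):
        print(finding)
```

Legitimate tools such as editable installs also ship .pth files with import lines, so a "review" result is a prompt to check the owning package rather than a verdict.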
Fork Bomb Flaw and Detection
FutureSearch researchers detected the compromise after a bug in the malware triggered a fork bomb. The resulting machine crashes drew immediate attention to the library. The payload specifically targeted shell histories and environment variables, sending data to an external server.
Andrej Karpathy, a founding member of OpenAI and former director of AI at Tesla, described the incident as a “software horror.” The attack could spread to any project depending on LiteLLM, including those linked indirectly through deep dependency trees.
“Every time you install any dependency, you could be pulling in a poisoned package anywhere deep inside its entire dependency tree,” Karpathy posted on X.
Attribution and Extortion Attempts
Blockchain security firm SlowMist confirmed the payload’s behavior. Investigators have attributed the attack to TeamPCP, the group linked to a recent compromise of the Trivy vulnerability scanner. Stolen PyPI publishing credentials likely provided the initial access. TeamPCP has claimed responsibility and is actively attempting to extort affected organizations. The scale of data theft remains under investigation.
Chain Street’s Take
The LiteLLM breach marks a major “Compute Capital” heist. Attackers stole static secrets while gaining access to the financial rails used to rent GPU clusters and run inference.
Single points of failure now define the AI industry. Heavy reliance on a handful of open-source wrappers means one poisoned package can leak credentials across thousands of production environments.
Public discovery of the breach relied entirely on a sloppy fork bomb in the malware. This should worry every organization running AI workloads. In the rush to ship, dependency trust has become the weakest link. Moving forward, “verify and assume compromise” must replace the “trust but verify” standard.