Two backdoored versions of the widely-used LiteLLM Python library were uploaded directly to the PyPI package repository, bypassing standard release procedures after an attacker gained control of the project's publishing credentials. The compromised versions 1.82.7 and 1.82.8 remained accessible for approximately three hours before removal, according to security firm Snyk.
The attack chain likely originated from a previously compromised instance of Trivy in LiteLLM's CI/CD pipeline, Snyk determined. Version 1.82.8 proved particularly dangerous, containing a malicious .pth file that executed code on every Python startup regardless of whether the library was imported. The injected payload harvested SSH keys, environment variables containing API credentials and tokens, cloud provider credentials from AWS, GCP, Azure and Kubernetes, shell command history, CI/CD configuration files, and cryptocurrency wallet data including seed phrases.
The LiteLLM development team confirmed the unauthorized uploads occurred outside normal GitHub release procedures following the compromise of publishing access. Any developer who installed versions 1.82.7 or 1.82.8 should assume their systems are potentially compromised and immediately downgrade to 1.82.6 or earlier, then rotate all compromised secrets, SSH keys, API credentials, and cryptocurrency wallet access. See the official LiteLLM GitHub issue for detailed remediation guidance.