The popular Python package litellm, with over 3 million daily downloads, was compromised on PyPI. Two malicious versions (1.82.7 and 1.82.8) were published and remained available for approximately two hours before removal. The payload was a sophisticated three-stage credential stealer designed to exfiltrate cloud keys, SSH credentials, Kubernetes secrets, and more.

Why litellm?

litellm serves as a unified interface for applications that interact with LLMs, routing calls to providers like OpenAI, Anthropic, and Google. Its strategic position in the AI stack makes it a high-value target: it has direct access to API keys, environment variables, and sits between applications and multiple external AI services. Compromising litellm means compromising the credentials that connect an organization's entire AI infrastructure.

The Three-Stage Payload

Stage 1: Launcher & Exfiltration

The first stage decodes and executes the second-stage payload, captures its output, encrypts all collected data using AES-256-CBC with a randomly generated session key, wraps the session key with a hard-coded RSA public key, packages everything into a tpcp.tar.gz archive, and exfiltrates it to attacker-controlled endpoints.

Stage 2: Reconnaissance & Credential Harvesting

This stage performs extensive enumeration and extraction:

  • System recon: Hostname, users, network configuration, environment variables
  • SSH keys and Git credentials
  • Cloud provider credentials: AWS, GCP, and Azure keys and tokens
  • Kubernetes: Config files, service account tokens, and cluster secrets
  • Infrastructure artifacts: Terraform state, Helm charts, CI/CD configurations
  • API keys, webhook URLs, and cryptocurrency wallet data

The malware actively uses discovered credentials, querying AWS APIs and accessing Kubernetes secrets directly.

Stage 3: Persistence & Remote Control

A Python script (sysmon.py) is written to disk and registered as a system service. It polls a remote endpoint every 50 minutes for new commands, enabling continuous delivery of additional malicious payloads. As an anti-analysis trick, the endpoint returns a link to a music remix when researchers attempt to probe it.

Indicators of Compromise

  • Affected versions: litellm 1.82.7 and 1.82.8
  • Domains: models[.]litellm[.]cloud, checkmarx[.]zone
  • Files: tpcp.tar.gz, /tmp/pglog, /tmp/.pg_state, sysmon.py
  • Modified package files: litellm_init.pth (v1.82.8), proxy_server.py (both versions)

What You Should Do

  • Check if litellm 1.82.7 or 1.82.8 was ever installed in any environment. Simply removing the package is not sufficient since persistence mechanisms may already be in place.
  • Rotate all potentially exposed credentials: cloud keys, API tokens, SSH keys, Kubernetes service accounts.
  • Audit systems for the IOCs listed above and review logs for suspicious outbound connections.
  • Consider rebuilding affected systems from a clean state.
  • Pin dependency versions and use lockfiles. Deploy automated supply chain security tooling to catch malicious packages at ingestion.

The Xploitix Take

This incident is a textbook example of why supply chain security matters. The attacker didn't need to find a zero-day or breach a network. They compromised a single package that sits at the intersection of AI infrastructure and cloud credentials, and the blast radius was enormous. As organizations rapidly adopt AI technologies, the surrounding software supply chain is becoming an increasingly attractive attack surface. If your dependency management doesn't include real-time threat detection, you're flying blind.