Zero Day Exploit

2026-05-03 01:13:23

The AI Gateway Supply Chain Attack: How Malicious Code Stole Credentials and Crypto Data

In March 2026, attackers trojanized the AI gateway library LiteLLM on PyPI; the payload stole AWS, Kubernetes, database, and crypto wallet data and encrypted its output with AES-256-CBC.

Supply chain attacks have become a dominant threat in cybersecurity, with a growing number of incidents traced back to compromised libraries and tools that developers rely on daily. In March 2026, a particularly brazen attack targeted LiteLLM, a widely used Python library that acts as a multifunctional gateway for AI applications. Attackers released two trojanized versions of LiteLLM onto the Python Package Index (PyPI), embedding malicious code designed to steal sensitive data from servers, databases, and even cryptocurrency wallets. This Q&A breaks down the attack, its execution, and the key takeaways for developers and organizations.

What was the LiteLLM supply chain attack?

In March 2026, cybercriminals injected malicious code into LiteLLM, a popular open-source Python library that serves as a gateway for AI agents. By uploading tampered versions to the official PyPI repository, the attackers turned a trusted tool into a vehicle for data theft. The malicious versions—litellm==1.82.7 and litellm==1.82.8—contained scripts that, when executed on a developer's system, would steal credentials, configuration files, and cryptocurrency wallet information. This attack is a classic example of a supply chain compromise, where the distribution channel (PyPI) was exploited to deliver malware to a wide audience, including enterprises that integrate LiteLLM into their AI services.

The AI Gateway Supply Chain Attack: How Malicious Code Stole Credentials and Crypto Data
Source: securelist.com

How did attackers compromise the PyPI distribution?

The attackers targeted the package distribution channel directly. On March 24, 2026, they uploaded the two malicious LiteLLM versions to PyPI. The compromise did not alter the library's source code repository; instead, it affected only the distributed package contents. In version 1.82.7, the malicious code was embedded inside proxy_server.py, a file loaded only when the proxy functionality was imported. In version 1.82.8, the attackers added a file named litellm_init.pth; Python's site module processes .pth files in site-packages at every interpreter start and executes any line that begins with import, so the payload ran even if LiteLLM itself was never imported. By hijacking the official PyPI uploads, the attackers ensured that anyone installing or updating LiteLLM during that window would receive the trojanized versions.

What malicious code was injected and how did it execute?

Both versions carried the same malicious payload: Base64-encoded Python code. In 1.82.7, the code was placed inside proxy_server.py. When a developer imported the proxy module, the code decoded itself, saved a copy as p.py on disk, and immediately ran it. That script in turn launched the main payload, another Base64-encoded script, without saving it to disk; it was executed only in memory. The main payload was responsible for stealing data. In 1.82.8, the .pth file achieved the same result but triggered every time Python started, making it more persistent. After execution, the malware wrote its encrypted output to a file in the directory from which it was launched.
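A static check for the loader shape just described (decode a Base64 blob, then hand it to exec), added here as an example and not code from the securelist write-up. It uses only the standard library's ast module and reports matches for review rather than as verdicts, since legitimate packages occasionally decode embedded data too; the decoder and executor name sets are my choice.

```python
import ast
import os

# base64-module decoders and the built-ins that turn text into running code
DECODERS = {"b64decode", "b32decode", "a85decode", "b85decode", "decodebytes"}
EXECUTORS = {"exec", "eval", "compile"}


def _calls_decoder(node: ast.AST) -> bool:
    """True if any call under `node` is a base64-family decode."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            f = sub.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")
            if name in DECODERS:
                return True
    return False


def decode_then_exec(source: str) -> list[tuple[int, str]]:
    """(line, executor) for each exec/eval/compile whose arguments are built
    from a decode call. Unparseable input yields no findings."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        return []
    return [
        (node.lineno, node.func.id)
        for node in ast.walk(tree)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
        and node.func.id in EXECUTORS and any(_calls_decoder(a) for a in node.args)
    ]


def scan_tree(root: str) -> dict[str, list[tuple[int, str]]]:
    """Walk an installed tree (e.g. site-packages) and map each .py file
    that has findings to its (line, executor) list."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.endswith(".py"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = decode_then_exec(fh.read())
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line, fn in hits:
            print(f"[?] {path}:{line}: {fn}() fed from a base64-style decode")
```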

What data were the attackers targeting?

Technical analysis revealed a clear focus on high-value infrastructure assets. The malware specifically searched for credentials and configuration data related to:

  • AWS (e.g., access keys, environment variables)
  • Kubernetes cluster configurations
  • NPM authentication tokens
  • Databases such as MySQL, PostgreSQL, and MongoDB (especially connection strings and configuration details)
  • Cryptocurrency wallets (private keys and wallet files)

The attackers also built in persistence mechanisms to maintain a foothold in Kubernetes environments, indicating they aimed to escalate access beyond a single developer's machine to compromise entire cloud infrastructures.


How did the two versions differ in execution?

The primary difference lay in when the malicious code ran. In version 1.82.7, the code was executed only when the proxy functionality was imported (e.g., from litellm import proxy_server). This made it quieter because a developer might not use that module immediately. In contrast, version 1.82.8 used a .pth file, which Python automatically processes at startup before any user code runs. This meant the malware would execute every time the interpreter started, regardless of which LiteLLM modules were used. The .pth technique is more dangerous because it activates even if the developer never imports LiteLLM's proxy—just having the library installed was enough to trigger the payload on Python startup.
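An audit for the startup-execution path described above, added here as an example rather than code from the report. It lists every .pth line that Python's site module would execute at interpreter start and checks installed distributions against the two trojanized versions named in the article; the file name litellm_init.pth is also taken from the article. Legitimate tools such as setuptools and virtualenv ship .pth files with import lines, so listed lines are for review, not automatic verdicts.

```python
import os
import site
from importlib import metadata

KNOWN_BAD = {"litellm": {"1.82.7", "1.82.8"}}  # versions named in the report
SUSPECT_PTH = {"litellm_init.pth"}  # file the report attributes to 1.82.8


def is_known_bad(name: str, version: str) -> bool:
    """True if (name, version) is one of the trojanized releases."""
    return version in KNOWN_BAD.get(name.lower(), set())


def executable_pth_lines(site_dir: str) -> list[tuple[str, int, str]]:
    """(path, line_no, line) for every .pth line site.py would execute:
    only lines starting 'import ' or 'import\\t'; paths and comments are inert."""
    hits = []
    for entry in sorted(os.listdir(site_dir)):
        if not entry.endswith(".pth"):
            continue
        path = os.path.join(site_dir, entry)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                if line.startswith(("import ", "import\t")):
                    hits.append((path, no, line.rstrip("\n")))
    return hits


def audit(site_dirs=None) -> dict:
    """Run both checks; defaults to the live interpreter's site directories."""
    if site_dirs is None:
        site_dirs = site.getsitepackages() + [site.getusersitepackages()]
    report = {"bad_packages": [], "pth_executes": [], "suspect_pth": []}
    for dist in metadata.distributions():
        name = dist.metadata["Name"] or ""
        if is_known_bad(name, dist.version):
            report["bad_packages"].append((name, dist.version))
    for d in (x for x in site_dirs if os.path.isdir(x)):
        report["pth_executes"].extend(executable_pth_lines(d))
        report["suspect_pth"] += [os.path.join(d, f) for f in os.listdir(d)
                                  if f in SUSPECT_PTH]
    return report


if __name__ == "__main__":
    r = audit()
    for path, no, line in r["pth_executes"]:
        print(f"[?] {path}:{no} runs at every interpreter start: {line}")
    print("trojanized:", r["bad_packages"], "suspect .pth:", r["suspect_pth"])
```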

What encryption method did the malware use for exfiltrated data?

After the main payload collected the stolen data, the malware encrypted the output before writing it to a file. The encryption algorithm used was AES-256-CBC (Advanced Encryption Standard with 256-bit key in Cipher Block Chaining mode). This strong symmetric encryption ensured that even if the output file was discovered, its contents would be unreadable without the key. The attackers likely intended to retrieve this file later or exfiltrate it through other means, decrypting it offline. The use of AES-256-CBC indicates a sophisticated approach to evading detection and protecting stolen data during transit or storage.

What lessons can developers learn from this incident?

This attack highlights several critical best practices:

  1. Verify package integrity – Always check checksums or hashes provided by trusted sources before installing packages from PyPI or other registries, and pin dependencies to known hashes (for example with pip's --require-hashes mode) so an unexpected artifact fails to install.
  2. Monitor for unusual versions – Be suspicious of releases shortly after a legitimate update; attackers often piggyback on trusted maintainers.
  3. Limit automatic execution – Be cautious of libraries that ship .pth files or execute code at import time without clear necessity, and audit site-packages for .pth lines that run code at interpreter start.
  4. Segment credentials – Avoid storing sensitive API keys, database passwords, or crypto wallets in environments where third-party libraries run.
  5. Use dependency scanning – Employ tools that check for known malicious packages and behavioral anomalies.
  6. Practice least privilege – Run applications with the minimum permissions needed, reducing the blast radius of a compromised library.

By staying vigilant and adopting these measures, teams can reduce the risk of falling victim to similar supply chain attacks.