The open-source Python package LiteLLM—commonly used as a unified gateway to multiple LLM providers—was hit by a supply-chain compromise. Researchers reported that malicious versions were published to PyPI and included credential-harvesting and persistence functionality.

Reported details indicate:

- Malicious code executed on import, with one version adding a .pth file so the payload could run whenever Python starts.

- The stealer targeted a broad set of secrets (SSH keys, cloud credentials, Kubernetes tokens/secrets, .env files, database configs, TLS private keys, and crypto wallet data).

- Exfiltrated data was bundled and sent to attacker-controlled infrastructure, with additional backdoor/persistence behavior observed.

This incident is another reminder that software supply-chain security isn’t just about auditing dependencies—it’s also about hardening build pipelines and monitoring for abnormal package changes.

What maintainers and users should do:

- Check environments for the impacted LiteLLM versions and remove/replace them with a known-clean release.

- Rotate credentials on any system that may have imported the malicious package.

- Review CI/CD logs and dependency lockfiles; consider pinning versions and using provenance/signing where possible.

- Monitor for suspicious persistence artifacts and unexpected outbound connections from build hosts.
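
For the `.pth` persistence point above, here is an added example (not from the original report or from LiteLLM) that lists every `.pth` line the interpreter would execute at startup. It relies on the documented behavior of Python's `site` module, which executes any `.pth` line beginning with `import` followed by a space or tab; the function names are illustrative.

```python
import site
import sysconfig
from pathlib import Path


def executable_pth_lines(pth_path):
    """Return (line_number, text) for lines site.py would exec() at startup."""
    hits = []
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    for number, line in enumerate(text.splitlines(), start=1):
        # site.py executes any line beginning with "import" + space or tab;
        # every other non-comment line is only treated as a path entry.
        if line.startswith(("import ", "import\t")):
            hits.append((number, line.strip()))
    return hits


def candidate_site_dirs():
    """Directories whose .pth files the running interpreter processes."""
    dirs = set()
    for key in ("purelib", "platlib"):
        dirs.add(sysconfig.get_paths()[key])
    try:
        dirs.update(site.getsitepackages())
        dirs.add(site.getusersitepackages())
    except AttributeError:  # some older virtualenv site modules lack these
        pass
    return sorted(Path(d) for d in dirs if Path(d).is_dir())


def scan(dirs):
    """Map each .pth file containing executable lines to those lines."""
    findings = {}
    for directory in dirs:
        for pth in sorted(Path(directory).glob("*.pth")):
            hits = executable_pth_lines(pth)
            if hits:
                findings[str(pth)] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan(candidate_site_dirs()).items():
        for number, line in hits:
            print(f"{path}:{number}: {line[:120]}")
```

Some legitimate tools also ship `.pth` files with `import` lines, so treat each hit as something to review against what you expect to be installed. Run it with each interpreter and virtual environment on the host, since every one has its own site-packages.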