The AI development community experienced a major security incident on March 24. Version 1.82.8 of LiteLLM, a widely used Python package that connects to major LLMs, was maliciously compromised. Simply running pip install litellm could leak SSH keys, AWS/GCP/Azure credentials, Kubernetes configurations, Git authentication, environment variables (all API keys), shell history, cryptocurrency wallets, SSL private keys, CI/CD secrets, database passwords, and more, all at once, to remote servers.
Scope of infection: Any project relying on LiteLLM is affected.
LiteLLM has over 97 million downloads per month, so its direct reach is already large. More critically, the nature of supply chain attacks means the damage extends far beyond direct users: any package depending on LiteLLM can be compromised. For example, pip install dspy (which depends on litellm>=1.64.0) can also be affected, as can other major projects.
According to analysis by Andrej Karpathy on X, the malicious version was online for less than an hour. Its rapid detection was an accident: developer Callum McMahon used an MCP plugin in Cursor, which introduced LiteLLM as a transitive dependency. Installing version 1.82.8 caused the computer to run out of memory and crash. If the attacker’s code hadn’t had bugs, this attack could have gone unnoticed for weeks.
LiteLLM CEO account suspected of being compromised, indicating a larger-scale attack
Security researchers pointed out that LiteLLM’s GitHub and PyPI accounts were likely hacked. This incident is not isolated—the same attack group (TeamPCP) also targeted VSCode and Cursor extensions, deploying a remote access trojan called “ZOMBI,” along with hidden VNC servers and SOCKS proxies. Over 500,000 credentials are believed to have been stolen, affecting multiple large enterprises.
Immediate response: check versions, downgrade
The affected version is 1.82.8. If this version is installed, all credentials should be considered compromised and rotated immediately. To check the installed version and downgrade:
pip show litellm
pip install litellm==1.82.7
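Because LiteLLM often arrives as a transitive dependency, pip show alone does not reveal which installed packages pulled it in. The following is an added example, not code from the article or from the LiteLLM project: it inventories the current environment, flags version 1.82.8, and walks reverse dependencies to list every package that leads to litellm. The function names and the SAMPLE inventory (including the package example-mcp-plugin and the 0.0.0 versions) are constructed for illustration.

```python
import re
from importlib import metadata

AFFECTED = {"1.82.8"}   # the version the article names as malicious
TARGET = "litellm"

def norm(name):
    """PEP 503 normalisation: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def req_name(requirement):
    """Project name from a Requires-Dist string, e.g. 'litellm>=1.64.0'."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement)
    return norm(m.group(1)) if m else None

def installed():
    """(name, version, requires) for each distribution in this environment."""
    return [(d.metadata["Name"], d.version, d.requires or [])
            for d in metadata.distributions() if d.metadata["Name"]]

def audit(dists):
    """Report the litellm version and every package that depends on it.
    Optional (extra-gated) requirements are counted too, so the list of
    dependents over-approximates rather than misses a path."""
    versions, rdeps = {}, {}
    for name, version, requires in dists:
        n = norm(name)
        versions[n] = version
        for r in requires:
            dep = req_name(r)
            if dep:
                rdeps.setdefault(dep, set()).add(n)
    # Walk reverse edges from litellm; the seen-set also guards against cycles.
    pulled_by, stack = set(), [TARGET]
    while stack:
        for parent in rdeps.get(stack.pop(), ()):
            if parent not in pulled_by:
                pulled_by.add(parent)
                stack.append(parent)
    v = versions.get(TARGET)
    return {"version": v, "affected": v in AFFECTED,
            "direct": sorted(rdeps.get(TARGET, ())),
            "transitive": sorted(pulled_by)}

SAMPLE = [  # constructed inventory, not a real environment
    ("litellm", "1.82.8", ["openai", "httpx"]),
    ("dspy", "0.0.0", ["litellm>=1.64.0"]),
    ("example-mcp-plugin", "0.0.0", ["dspy"]),
]

if __name__ == "__main__":
    print(audit(installed()))
```

Run it with the interpreter of each virtual environment, container image, or CI runner you want to check, since each has its own set of installed distributions.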
Karpathy: It’s time to rethink dependency culture
Karpathy reflected deeply on this incident: traditional software engineering treats dependencies as efficient “building blocks,” but supply chain attacks make this assumption increasingly dangerous. He suggests prioritizing direct extraction (“yoink”) of needed functions from LLMs rather than importing entire external packages—especially when the functionality is simple and feasible.
This incident also raises awareness in the developer community: as AI agents increasingly automate pip install steps, human oversight of this line of defense is rapidly diminishing. Package-level firewalls have shifted from “nice to have” to “essential.”
This article, “LiteLLM PyPI Supply Chain Attack: Malicious Code Embedded in 97 Million Downloads per Month AI Package, SSH Keys and API Credentials Leaked,” first appeared on Chain News ABMedia.