HeadsUpAI

LiteLLM Discloses Supply Chain Attack on Two PyPI Packages


LiteLLM AI Gateway, an open-source proxy for routing LLM requests, disclosed that v1.82.7 and v1.82.8 on PyPI were compromised on March 24, 2026. The attacker injected a credential stealer into proxy_server.py — harvesting environment variables, SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes tokens, and database passwords, then exfiltrating them to a domain not affiliated with LiteLLM.

The suspected entry point was Trivy, the security scanner in LiteLLM's CI/CD workflow. LiteLLM's team believes this is linked to a broader Trivy supply chain compromise in which stolen credentials reportedly accessed the publishing pipeline — the tool meant to protect releases became the attack surface.

If you installed LiteLLM via pip on March 24 between 10:39 and 16:00 UTC without a pinned version — or if an AI agent framework or MCP server pulled it in transitively — treat credentials on that system as compromised and rotate them. Docker image users and LiteLLM Cloud were not affected.
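A local check for the exposure described above, as an added example that is not from LiteLLM or this article: it looks for the two compromised versions in site-packages and uses the PEP 376 `REQUESTED` marker to tell direct installs from transitive ones. Treating the dist-info directory's modification time as the install time is an assumption and only a heuristic.

```python
"""Flag installs of the two compromised litellm releases in site-packages dirs."""
import site
import sys
from datetime import datetime, timezone
from email import message_from_string
from pathlib import Path

COMPROMISED = {"1.82.7", "1.82.8"}  # versions named in the disclosure
WINDOW = (datetime(2026, 3, 24, 10, 39, tzinfo=timezone.utc),
          datetime(2026, 3, 24, 16, 0, tzinfo=timezone.utc))


def scan(site_dirs):
    """Return one finding dict per litellm install found under site_dirs."""
    findings = []
    for root in map(Path, site_dirs):
        for info in sorted(root.glob("litellm-*.dist-info")):
            meta_file = info / "METADATA"
            if not meta_file.is_file():
                continue
            meta = message_from_string(
                meta_file.read_text(encoding="utf-8", errors="replace"))
            if (meta["Name"] or "").lower() != "litellm":
                continue  # a differently named package sharing the prefix
            installed = datetime.fromtimestamp(info.stat().st_mtime, tz=timezone.utc)
            findings.append({
                "path": str(info),
                "version": meta["Version"],
                "compromised": meta["Version"] in COMPROMISED,
                # PEP 376: installers write REQUESTED only for packages asked
                # for by name; its absence means litellm came in as a dependency.
                "transitive": not (info / "REQUESTED").exists(),
                # Assumption: dist-info mtime approximates install time.
                "in_window": WINDOW[0] <= installed <= WINDOW[1],
            })
    return findings


def main():
    hits = scan(site.getsitepackages() + [site.getusersitepackages()])
    for f in hits:
        status = "ROTATE CREDENTIALS" if f["compromised"] else "ok"
        how = "transitive" if f["transitive"] else "direct"
        print(f'{f["path"]}: {f["version"]} ({how}, in_window={f["in_window"]}) -> {status}')
    return 1 if any(f["compromised"] for f in hits) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with each interpreter or virtual environment on the host, since it only inspects the site-packages of the Python that executes it.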

Ishaan (@ishaan_jaff) on X:

Earlier today the @LiteLLM team was made aware of a supply chain attack impacting PyPI packages litellm==1.82.7 and litellm==1.82.8. The packages have been removed from PyPI. We confirmed that the compromise came from a Trivy dependency in our CI/CD https://t.co/20O2Fg93k9
