Malicious Code Injection in LiteLLM Leads to PyPI Removal
Two versions of LiteLLM (v1.82.7 and v1.82.8), an open-source interface for accessing multiple large language models, were removed from the Python Package Index (PyPI) after a supply chain attack inserted credential-stealing malware into the package.
The compromise stemmed from a misconfiguration in Trivy, an open-source vulnerability scanner maintained by Aqua Security, which was used in LiteLLM’s CI/CD pipeline. Attackers, identified as TeamPCP, exploited the flaw in late February to steal a privileged access token from Trivy’s GitHub Actions environment. Using the stolen credentials, they published malicious versions of Trivy (v0.69.4, v0.69.5, and v0.69.6) on March 19 and 22, including DockerHub images.
The attackers modified existing version tags in Trivy’s GitHub Action scripts to inject malicious code into the workflows that referenced them. A version tag is a mutable reference, and many CI/CD pipelines reference actions by tag rather than by pinned commit, so the changes went unnoticed and the malware executed undetected.
Krrish Dholakia, CEO of Berri AI (LiteLLM’s maintainer), confirmed that the attackers obtained LiteLLM’s PYPI_PUBLISH token, stored as an .env variable in the project’s GitHub repository, and used it to push the compromised versions. While LiteLLM accounts had 2FA enabled, the stolen token bypassed this protection. The team has since revoked all PyPI publishing tokens and is evaluating security improvements, including JWT-based trusted publishing and migrating to a new PyPI account.
Adding to the disruption, the GitHub vulnerability report for LiteLLM was targeted with a spam attack, flooding the discussion with AI-generated comments like "Thanks, that helped!" to obscure legitimate updates. Security researcher Rami McCarthy noted that 19 of the 25 spam accounts were also involved in the earlier Trivy campaign.
The Python Packaging Authority (PyPA) issued a security advisory, warning users who installed the affected LiteLLM versions to assume credential exposure and rotate any secrets accessible to the environment.
Source: https://www.theregister.com/2026/03/24/trivy_compromise_litellm/
"id": "BERLIT1774384560",
"linkid": "berrijam, litellm",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"