{"id":16003,"date":"2026-03-25T11:12:17","date_gmt":"2026-03-25T11:12:17","guid":{"rendered":"https:\/\/newestek.com\/?p=16003"},"modified":"2026-03-25T11:12:17","modified_gmt":"2026-03-25T11:12:17","slug":"pypi-warns-developers-after-litellm-malware-found-stealing-cloud-and-ci-cd-credentials","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16003","title":{"rendered":"PyPI warns developers after LiteLLM malware found stealing cloud and CI\/CD credentials"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

PyPI is warning of possible credential theft from AI applications and developer pipelines after two malicious versions of the widely used Python middleware for large language models, LiteLLM, were briefly published.<\/p>\n

\u201cAnyone who has installed and run the project should assume any credentials available to the LiteLLM environment may have been exposed, and revoke\/rotate them accordingly,\u201d PyPI said in an advisory<\/a> that linked the incident to an exploited Trivy dependency from the ongoing TeamPCP supply-chain attack<\/a>.<\/p>\n

According to a Sonatype analysis, the packages embedded a multi-stage payload designed to harvest sensitive data from developer environments, CI\/CD pipelines, and cloud configurations, and were live on PyPI for roughly two hours before being taken down.<\/p>\n

\u201cGiven the package\u2019s three million daily downloads, the compromised LiteLLM could have seen significant exposure during that short time span,\u201d Sonatype researchers said in a blog post<\/a>. On top of serving as a stealer, the packages were also acting as droppers, enabling follow-on payloads and deeper system compromise.<\/p>\n

<\/a>Three-stage payload built for maximum reach<\/h2>\n

The compromise affected versions 1.82.7 and 1.82.8. Sonatype\u2019s analysis noted the payload operating in three distinct stages. These included initial execution and data exfiltration, deeper reconnaissance and credential harvesting, and finally persistence with remote control capabilities.<\/p>\n

The attack chain relied heavily on obfuscation, with base64-encoded Python code covering up the payload\u2019s tracks. Once executed, the malware collected sensitive data, encrypted it using AES-256-CBC, and then secured the encryption key with an embedded RSA public key before sending everything to attacker-controlled servers.<\/p>\n

The disclosure highlighted a common approach that attackers follow these days. Instead of going off immediately after installation, the malware quietly lingers to map the environment and establish a foothold, before pulling credentials from local machines, cloud configs, and automation pipelines.<\/p>\n

\u201cIt (payload) targets environment variables (including API keys and tokens), SSH Keys, cloud credentials (AWS, GCP, Azure), Kubernetes configs, CI\/CD secrets, Docker configs, database credentials, and even cryptocurrency wallets,\u201d said Wiz researchers, who are separately tracking the campaign, in a blog post<\/a>. \u201cOur data shows that LiteLLM is present in 36% of cloud environments, signifying the potential for widespread impact.\u201d<\/p>\n

Wiz also provided a way for its customers to check their environment for exposure via the Wiz Threat Center<\/a>.<\/p>\n

An expanding supply-chain campaign<\/h2>\n

The LiteLLM incident has been confirmed to be a part of the rapidly unfolding TeamPCP supply chain campaign that first compromised Trivy.<\/p>\n

Trivy, developed by Aqua Security, is a widely used open-source vulnerability scanner designed to identify security issues in container images, file systems, and infrastructure-as-code (IaC) configurations. The ongoing attack, attributed to TeamPCP with reported<\/a> links to LAPSUS$, involved attackers compromising publishing credentials and injecting credential-stealing code into official releases and GitHub Actions used in CI\/CD pipelines.<\/p>\n

The Trivy compromise was quickly followed by similar supply chain incidents, with attackers leveraging the same access and tactics to target other developer security tools like KICS and Checkmarx, extending the campaign\u2019s reach across multiple CI\/CD ecosystems.<\/p>\n

PyPI advisory tied the LiteLLM incident directly to the Trivy compromise. The malicious packages were uploaded \u201cafter an API Token exposure from an exploited Trivy dependency,\u201d it said.<\/p>\n

Ben Read, a lead researcher at Wiz, calls it a systematic campaign that needs to be monitored for further expansion. \u201cWe are seeing a dangerous convergence between supply chain attackers and high-profile extortion groups like LAPSUS$,\u201d he said. \u201cBy moving horizontally across the ecosystem \u2013 hitting tools like liteLLM that are present in over a third of cloud environments \u2013 they are creating a snowball effect.\u201d<\/p>\n

PyPI has advised users to rotate any secrets accessible to the affected LiteLLM environment, as researchers confirm active data exfiltration and potential exposure across cloud environments tied to the ongoing campaign.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

PyPI is warning of possible credential theft from AI applications and developer pipelines after two malicious versions of the widely used Python middleware for large language models, LiteLLM, were briefly published. \u201cAnyone who has installed and run the project should assume any credentials available to the LiteLLM environment may have been exposed, and revoke\/rotate them accordingly,\u201d PyPI said in an advisory that linked the incident… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16003","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16003","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16003"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16003\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16003"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16003"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}