PyPI horror:  ‘litellm’ Package Exfiltrating Sensitive Data Raises Security Concern

A routine pip install litellm by a developer has raised a serious security concern, causing a system compromise. 

Versions 1.82.7 and 1.82.8 of the popular Python package started acting like aggressive credential harvesters, stealing sensitive data from devices.  

Post installation, the package attempted to exfiltrate data such as SSH keys, AWS, GCP, and Azure credentials, Kubernetes configs, Git credentials, environment variables (including API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, and database passwords—everything it could access. 

The attack chain reportedly used obfuscation using base64-encoded Python code that contained malware. 

Since litellm gets almost 97 million downloads a month, the risk can scale fast. It has the potential to impact all projects that come in contact with the compromised code. It hardly mattered whether any code touched litellm directly. Even running pip install dspy could poison  the cloud environment. 

The released versions remained live for an hour without being detected.

It was Callum McMahon who first noticed the suspicious behavior. While using an MCP plugin in Cursor, he triggered the installation of litellm 1.82.8. What happened next took him by surprise: his system ran out of memory and soon crashed. That failure pushed him to take a closer look and uncover what the package was doing.

Though the crash cut the attack lifecycle short, a stable payload could have kept running unnoticed for much longer.

This is a serious security risk, as it shows how supply chain attacks actually land. Attackers only need an entry point, and the damage can spread quickly.

Most developers install packages without testing them beforehand, and these dependencies are rarely reviewed. Once a compromised package enters the system, it starts performing unintended actions.

The problem is attackers can use them to gain further access to cloud accounts, CI/CD pipelines, and internal systems. Once they enter the system, they don’t start acting quickly. They often delay activity to map the environment first. It exposes them to larger breaches. Dependencies help teams move fast, but they also push trust outward.