Supply chain attack — active threat

LiteLLM 1.82.8
Remediation Guide

Discovered: 2026-03-24 · Affected: litellm==1.82.8 and 1.82.7 · Action required: immediate

Malicious versions

1.82.8 (primary)
1.82.7 (also compromised)

Exfil target

https://models.litellm.cloud/
Not the official litellm.ai domain

Trigger mechanism

Runs on every Python startup — no import litellm needed

Monthly download exposure

~97 million

01 Check if you're affected Critical

Run the following to check the installed litellm version across your environments:

pip show litellm

Look for the malicious .pth file in your site-packages directory:

find / -name "litellm_init.pth" 2>/dev/null

Check uv caches specifically:

find ~/.cache/uv -name "litellm_init.pth" 2>/dev/null
⚠ Also check all virtual environments in your CI/CD pipeline, Docker containers, and any server where litellm was installed on or after March 24, 2026.
02 Remove the package and purge caches Critical

Uninstall the affected version immediately:

pip uninstall litellm -y

Purge pip cache to prevent reinstalling from a cached wheel:

pip cache purge

If using uv:

rm -rf ~/.cache/uv

Reinstall a safe version if needed:

pip install litellm==1.82.6
03 Rotate ALL credentials — assume full compromise Critical

If litellm 1.82.7 or 1.82.8 was installed on a machine, treat every credential on that machine as stolen. Rotate immediately:

  • SSH private keys — regenerate all key pairs
  • AWS access keys and IAM credentials
  • GCP Application Default Credentials
  • Azure tokens and service principal secrets
  • All API keys stored in .env files
  • Database passwords (PostgreSQL, MySQL, Redis)
  • Git tokens and .gitconfig credentials
  • NPM tokens (~/.npmrc)
  • Kubernetes service account tokens
  • Docker registry credentials
  • Crypto wallet keys — if any wallets were on the machine
⚠ The malware encrypted stolen data with a 4096-bit RSA key before exfiltration. You cannot determine what was taken. Assume everything was.
04 Check for persistence mechanisms Important

The malware attempts to install a persistent backdoor. Check for these files:

ls -la ~/.config/sysmon/sysmon.py ls -la ~/.config/systemd/user/sysmon.service

If found, remove them:

rm -rf ~/.config/sysmon/ systemctl --user disable sysmon.service 2>/dev/null rm -f ~/.config/systemd/user/sysmon.service

If you use Kubernetes, audit the kube-system namespace for rogue pods:

kubectl get pods -n kube-system | grep node-setup
kubectl get secrets --all-namespaces
05 Check transitive dependencies in your projects Important

Even if you didn't install litellm directly, it may have been pulled in by another package. Check your dependency tree:

pip show dspy | grep Requires pip show litellm

To audit all packages in your environment for litellm as a dependency:

pip list | grep litellm

Known affected downstream projects include DSPy and various MCP plugins. Pin your requirements to safe versions:

# In requirements.txt litellm==1.82.6 # or latest safe version
06 Review network logs for exfiltration attempts Verify

Check outbound network connections to the attacker's domain. Search your firewall, proxy, or DNS logs for:

models.litellm.cloud

On Linux, check recent connections:

grep "litellm.cloud" /var/log/syslog 2>/dev/null grep "litellm.cloud" /var/log/ufw.log 2>/dev/null

Going forward, consider blocking outbound POST requests to unknown domains from Python processes using a firewall rule or Little Snitch equivalent.

07 Harden your dependency practices going forward Harden

This attack highlights the risk of unpinned dependencies. Adopt these practices:

  • Pin all dependencies with exact versions in requirements.txt
  • Use hash verification: pip install --require-hashes
  • Audit your dependency graph regularly with tools like pip-audit
  • Run pip-audit on all environments as part of CI/CD
  • Monitor high-centrality packages (ones with massive downstream reach) extra carefully
  • Consider egress sandboxing for Python processes in production
  • Never store secrets in plain .env files on shared machines
# Install pip-audit pip install pip-audit # Scan your environment pip-audit