Discovered: 2026-03-24 · Affected: litellm==1.82.8 and 1.82.7 · Action required: immediate
1.82.8 (primary)
1.82.7 (also compromised)
https://models.litellm.cloud/
Not the official litellm.ai domain
Runs on every Python startup — no import litellm needed
~97 million
Run the following to check the installed litellm version across your environments:
Look for the malicious .pth file in your site-packages directory:
Check uv caches specifically:
Uninstall the affected version immediately:
Purge pip cache to prevent reinstalling from a cached wheel:
If using uv:
Reinstall a safe version if needed:
If litellm 1.82.7 or 1.82.8 was installed on a machine, treat every credential on that machine as stolen. Rotate immediately:
The malware attempts to install a persistent backdoor. Check for these files:
If found, remove them:
If you use Kubernetes, audit the kube-system namespace for rogue pods:
Even if you didn't install litellm directly, it may have been pulled in by another package. Check your dependency tree:
To audit all packages in your environment for litellm as a dependency:
Known affected downstream projects include DSPy and various MCP plugins. Pin your requirements to safe versions:
Check outbound network connections to the attacker's domain. Search your firewall, proxy, or DNS logs for:
On Linux, check recent connections:
Going forward, consider blocking outbound POST requests to unknown domains from Python processes using a firewall rule or Little Snitch equivalent.
This attack highlights the risk of unpinned dependencies. Adopt these practices:
pip install --require-hashespip-audit on all environments as part of CI/CD