A single pip install steals all keys: Karpathy calls LiteLLM supply chain poisoning "the most terrifying thing in software"

According to 1M AI News monitoring, OpenAI founding member Andrej Karpathy posted that the supply chain attack on AI agent development tool LiteLLM is “one of the most terrifying things in modern software.” LiteLLM has 97 million downloads per month, and the infected versions v1.82.7 and v1.82.8 have been removed from PyPI.

Just one command, pip install litellm, is enough to steal SSH keys, AWS/GCP/Azure cloud credentials, Kubernetes configurations, git credentials, environment variables (including all API keys), shell history, encrypted wallets, SSL private keys, CI/CD secrets, and database passwords. The malicious code encrypts the data with 4096-bit RSA and transmits it to a disguised domain, models.litellm.cloud. It also attempts to create privileged containers in the kube-system namespace of Kubernetes clusters to implant persistent backdoors.

Even more dangerous is its contagious nature: any project depending on LiteLLM can also be compromised. For example, pip install dspy (which depends on litellm>=1.64.0) will also trigger malicious code. The infected versions only survived about an hour on PyPI before being discovered, ironically because the attacker’s malicious code had a bug that caused memory exhaustion and crashes. Developer Callum McMahon encountered this when using the MCP plugin in the AI programming tool Cursor; LiteLLM was pulled in as a transitive dependency, and after installation, the machine crashed immediately, exposing the attack. Karpathy commented, “If the attacker didn’t vibe code this time, it might go unnoticed for days or even weeks.”

The threat group TeamPCP exploited a configuration flaw in LiteLLM’s CI/CD pipeline using the Trivy vulnerability scanner in GitHub Actions at the end of February, stealing PyPI publishing tokens, then bypassing GitHub to upload malicious versions directly to PyPI. Berri AI CEO Krrish Dholakia, the maintainer of LiteLLM, stated that all publishing tokens have been revoked and that the project plans to shift to a JWT-based trusted release mechanism. PyPA issued security advisory PYSEC-2026-2, recommending that all users who installed affected versions assume their environment credentials have been compromised and rotate them immediately.
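One way to check a Python environment for the two versions named above, and to see which installed packages pull LiteLLM in as a dependency (the dspy case). This is an added example, not code from LiteLLM or the PyPA advisory; the helper names `audit` and `installed` are assumptions, and only the standard library's `importlib.metadata` is used.

```python
import re
from importlib import metadata

# Versions the article reports as infected (PyPI versions carry no "v" prefix).
AFFECTED = {"litellm": {"1.82.7", "1.82.8"}}

def canon(name):
    """PEP 503 normalisation so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def req_name(requirement):
    """Project name at the start of a Requires-Dist string."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement)
    return canon(m.group(1)) if m else ""

def audit(dists):
    """dists: iterable of (name, version, [requirement strings] or None).

    Returns (hits, pulled_in_by). hits are affected (name, version) pairs;
    pulled_in_by are installed packages whose declared dependencies reach
    an affected package, directly or transitively.
    """
    table = {canon(n): (v, [req_name(r) for r in reqs or []])
             for n, v, reqs in dists}
    hits = sorted((n, v) for n, (v, _) in table.items()
                  if v in AFFECTED.get(n, ()))
    bad = {n for n, _ in hits}

    def reaches(pkg, seen):
        # Depth-first walk; 'seen' guards against dependency cycles.
        if pkg in seen or pkg not in table:
            return False
        seen.add(pkg)
        return any(d in bad or reaches(d, seen) for d in table[pkg][1])

    pulled_in_by = sorted(n for n in table if n not in bad and reaches(n, set()))
    return hits, pulled_in_by

def installed():
    """Snapshot of the packages visible to the current interpreter."""
    return [(d.metadata["Name"], d.version, d.requires)
            for d in metadata.distributions() if d.metadata["Name"]]

if __name__ == "__main__":
    hits, parents = audit(installed())
    for name, version in hits:
        print(f"AFFECTED: {name}=={version}, rotate credentials (PYSEC-2026-2)")
        print("pulled in by:", ", ".join(parents) or "(direct install)")
```

Run it with the interpreter of each virtualenv, container image or CI runner you want to check; a clean result covers only what is installed at that moment, not what was installed during the window the versions were live.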
