Was I affected? How do I check?

If you ran `pip install litellm==1.82.8` (or installed any package that depends on litellm) between approximately 00:56 UTC and 02:00 UTC on March 24, 2026, you may have been compromised. Check your pip logs or run `pip show litellm` to see your installed version.

What credentials should I rotate?

Rotate all cloud provider keys (AWS, GCP, Azure), all API keys (OpenAI, Anthropic, etc.), SSH keys, database passwords, and any tokens stored in environment variables. Treat any credential that existed on the compromised machine as potentially stolen.

How can I protect against future supply chain attacks?

Use dependency pinning with hash verification (`--require-hashes`), run regular security audits with tools like `safety` or `pip-audit`, minimize transitive dependencies, and consider using a private package repository. Adopt the principle of least privilege for CI/CD.

What is a 'transitive dependency'?

A transitive dependency is a package that you don't install directly, but that gets pulled in because a package you do install depends on it. In this case, even if you never typed `pip install litellm`, you could have been compromised if you installed a package like `dspy` that lists litellm as a dependency.

Has the malicious version been removed?

Yes, PyPI removed version 1.82.8 within hours of discovery. The maintainers have released a clean version. However, if you installed during the window, your credentials may still be at risk.

Does this affect Windows or macOS systems?

Yes. The malicious code was platform‑agnostic Python that would run on any system where the package was installed. All operating systems are affected.

Security Alert Supply Chain Attack Breaking

The litellm Supply Chain Attack: How One pip install Could Have Stolen Everything

edit_note

Author

Himansh

Published

March 25, 2026

schedule

7 min read

TheAITechPulse.com

litellm supply chain attack — Python package with 97 million downloads compromised — The litellm supply chain attack: a single compromised version (1.82.8) uploaded to PyPI exfiltrated credentials for over an hour.

On March 24, 2026, a malicious version of litellm — a Python library with 97 million monthly downloads — was published to PyPI. For roughly one hour, anyone who ran pip install litellm (or installed any project that depends on it) risked having SSH keys, cloud credentials, Kubernetes configs, environment variables, crypto wallets, and CI/CD secrets stolen. Andrej Karpathy called it "the scariest thing imaginable in modern software."

Quick verdict: The litellm supply chain attack demonstrates how a single compromised dependency can spread to thousands of projects. The malicious version was removed within hours, but anyone who installed during that window should assume their credentials are compromised. Rotate all keys, audit your systems, and rethink your dependency philosophy.

What Is litellm?

LiteLLM is a popular Python library that simplifies calling dozens of LLM APIs (OpenAI, Anthropic, Cohere, etc.) through a unified interface. It's used by thousands of developers and AI projects — including DSPy, which depends on it. That means anyone who ran pip install dspy during the attack window would have been affected as a transitive dependency.

97M

Monthly downloads

~1 hr

Window of compromise

1.82.8

Malicious version

Self‑replicating

Malware behavior

What the Malicious Version Did

According to security researcher Daniel Hnyk, who first discovered the attack, version 1.82.8 of litellm contained a malicious litellm_init.pth file with base64-encoded instructions that:

Exfiltrated SSH keys
Stole AWS, GCP, and Azure credentials
Grabbed Kubernetes config files
Extracted git credentials and shell history
Dumped all environment variables (including API keys)
Lifted crypto wallet files
Captured SSL private keys and CI/CD secrets
Replicated itself to spread further

The attack was discovered not by routine monitoring but by chance. Developer Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a dependency. When the malicious version installed, his machine ran out of RAM and crashed — revealing the attack.

⚠️ The Transitive Dependency Problem: The litellm incident highlights a terrifying reality: the attack surface is much larger than the packages you explicitly install. Even if you never typed pip install litellm, you could have been compromised through a package like dspy that depends on it. This is why supply chain attacks spread so widely.

Why This Matters

Massive reach – litellm has 97 million downloads per month. The poisoned version was up for about an hour, exposing thousands of developers.
Credential theft – Once credentials are stolen, attackers can take over your cloud accounts, push malicious packages to PyPI using stolen maintainer credentials, and compromise even more projects.
Self‑replication – The malware was designed to spread, turning one compromised machine into a propagation vector.
Chance discovery – The only reason this was caught within an hour was a bug that crashed a user's machine. Andrej Karpathy noted: "If the attacker didn't vibe code this attack it could have been undetected for many days or weeks."

Best Laptops for Secure Development

MacBook Air M3 — Best Overall

From $1,099

Excellent for development work — 18hr battery, fanless, and runs dependency scanning tools like pip-audit without breaking a sweat.

View on Amazon →

ASUS ROG Zephyrus G14 — Power Pick

From $2,199

For developers running local AI models or heavy dependency testing — RTX 5080 handles large workloads while you audit packages.

View on Amazon →

Not sure which laptop? Use the Laptop Finder Tool →

How to Protect Yourself

Check if you installed the affected version – If you ran pip install litellm==1.82.8 or installed any package that depends on litellm between approximately 00:56 UTC and 02:00 UTC on March 24, 2026, assume compromise. Check with pip show litellm.
Rotate all credentials immediately – All cloud provider keys (AWS, GCP, Azure), all API keys (OpenAI, Anthropic, etc.), SSH keys, database passwords, and any tokens stored in environment variables.
Audit your systems – Look for unusual outbound connections or unexpected processes. The malware was designed to phone home; check your logs for suspicious traffic.
Lock down PyPI with pip constraints – Use --require-hashes or a private package repository to ensure only verified packages are installed.
Rethink your dependency philosophy – Karpathy's advice: "Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re‑evaluated." Use LLMs to "yoink" small utilities when possible rather than pulling in heavy transitive dependencies.

✅ What's Being Done
PyPI removed the malicious version within hours. LiteLLM maintainers have released a clean version and are investigating. But the damage may already be done for the thousands who installed during that window.

The Bigger Picture

This isn't the first supply chain attack, and it won't be the last. The Python ecosystem's openness is both its strength and its greatest vulnerability. The litellm incident should serve as a wake‑up call for:

Developers – Audit your dependencies regularly. Use tools like safety or pip-audit.
Project maintainers – Consider reducing dependency trees. Every extra package is a potential attack vector.
Enterprises – Use private mirrors and lock files with integrity checks.

Frequently Asked Questions

Sources: Andrej Karpathy on X, Daniel Hnyk initial disclosure, PyPI security report, CrowdStrike analysis, Python Security — Himansh, TheAITechPulse.com

About the Author

Himansh is the founder of TheAITechPulse, where he analyzes AI tools, productivity software, and emerging tech for practical business use.

He focuses on real-world testing, ROI-driven evaluations, and actionable implementation guides for small businesses and solo founders.

👤 More about Himansh ✉️ Get in touch