id: PYSEC-2026-2
modified: "2026-03-24T15:35:32Z"
summary: Two litellm versions published containing credential harvesting malware
details: |
  After an API Token exposure from an exploited Trivy dependency,
  two new releases of `litellm` were uploaded to PyPI containing automatically activated malware,
  harvesting sensitive credentials and files, and exfiltrating to a remote API.

  The malicious code runs during importing any module from the package and scans
  the file system and environment variables, collecting all kinds of
  sensitive data, including but not limited to private SSH keys, credentials to Git and
  Docker repositories, dotenv files, tokens to Kubernetes service accounts,
  databases and LDAP configuration. Also exfiltrated are multiple shell history
  files and cryptowallet keys. The malware actively attempts to obtain cloud access tokens
  from metadata servers and retrieve secrets stored in AWS Secrets Manager.
  All collected data are sent to the domain models.litellm[.]cloud

  Furthermore, the code includes a persistence mechanism by configuring
  a SystemD service unit masqueraded as "System Telemetry Service" on the host it
  runs on, and in a Kubernetes environment also by creating a new pod.
  The persistence script then contacts hxxps://checkmarx[.]zone/raw for
  further instructions.
  
  Anyone who has installed and run the project should assume
  any credentials available to litellm environment may have been exposed,
  and revoke/rotate them accordingly. The affected environment should be
  isolated and carefully reviewed against any unexpected modifications 
  and network traffic.
affected:
- package:
    name: litellm
    ecosystem: PyPI
    purl: pkg:pypi/litellm
  ranges:
  - type: ECOSYSTEM
    events:
    - introduced: 1.82.7
    - last_affected: 1.82.8
  versions:
  - 1.82.7
  - 1.82.8
references:
- type: EVIDENCE
  url: "https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1"
- type: EVIDENCE
  url: "https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130"
- type: REPORT
  url: https://github.com/BerriAI/litellm/issues/24518
- type: ARTICLE
  url: https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/
- type: ARTICLE
  url: https://www.wiz.io/blog/teampcp-attack-kics-github-action
- type: ARTICLE
  url: https://docs.litellm.ai/blog/security-update-march-2026
credits:
- name: Callum McMahon, Futuresearch
  type: REPORTER
- name: Mike Fiedler
  type: COORDINATOR
- name: Kamil Mańkowski
  type: ANALYST