LiteLLM Supply-Chain Compromise — Malicious PyPI Releases 1.82.7 and 1.82.8
What happened
Malicious versions of the LiteLLM Python package — 1.82.7 and 1.82.8 — were published to PyPI carrying a weaponized .pth file. CPython's site module executes any line in a site-packages .pth file that begins with `import`, so the payload runs automatically every time an interpreter starts in that environment, whether that is an application, a CI step, or pip itself. LiteLLM is a widely used LLM gateway/proxy, so the blast radius spans developer machines, CI/CD pipelines, and production workloads. The payload enabled large-scale credential harvesting and exfiltration, with reported follow-on lateral movement. PyPI quarantined the malicious releases, but any environment that installed them in the window should be treated as compromised.
Why this is an agentic-endpoint risk
LLM gateways sit at the center of agent traffic and hold the keys to everything an agent can reach. A .pth hook that runs on every Python startup is the supply-chain equivalent of a blanket permission grant: silent, automatic, and credential-hungry. It is also invisible to controls that watch the wire rather than the endpoint — the compromise is a local package, executing locally, before any network policy applies.
How Anomity surfaces and governs it
Anomity inventories AI gateways and the tooling around your agents across every managed endpoint and surfaces the installed version, so finding every host that pulled litellm 1.82.7 or 1.82.8 is one query, not an incident-response sweep. Install and version-change events are recorded in the 90-day audit trail, giving you a precise window of exposure. On agents that expose a hook, runtime governance can deny the outbound tool calls a credential-stealer would attempt — and because Anomity collects metadata only, secret values never leave the endpoint.
What to check across your fleet
- Search every endpoint, CI runner, and image for litellm at 1.82.7 or 1.82.8; pin to a known-good version.
- Rotate any credentials reachable from affected environments: SSH keys, cloud tokens, Kubernetes configs, and LLM API keys.
- Review the audit trail for the install window to scope exposure precisely.
- Add a policy gate: AI gateway packages must be pinned and verified before install.
- Watch for unexpected outbound connections from Python processes at startup, including short-lived ones such as pip, linters, and build steps, since a .pth hook fires in every interpreter that loads that site-packages directory.
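The first, third and fourth checks above can be scripted. The following is an added example written for this page, not Anomity tooling and not code from the LiteLLM project. It assumes the standard CPython site-packages layout and CPython's documented .pth rule (a non-comment line starting with `import ` or `import<TAB>` is exec()'d at interpreter start; every other line is a sys.path entry), and it treats a requirements line as acceptable only if it is an exact `==` pin to a version not in the known-bad set and carries a sha256 `--hash`, i.e. one `pip install --require-hashes` would accept. The `.pth` contents and requirements lines in the test and the `__main__` block are constructed samples, and the all-zero hash is a placeholder, not a real digest.

```python
"""Fleet check for trojanized LiteLLM releases (added example, not Anomity's or LiteLLM's code).

Assumes the standard CPython site-packages layout and CPython's .pth rule: a
non-comment line that starts with "import " or "import<TAB>" is exec()'d by the
site module at every interpreter start; every other line is appended to sys.path.
"""
import re
import site
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # the releases named in the advisory

_EXEC_LINE = re.compile(r"^import[ \t]")
# Exact pin on a requirements line, e.g. "litellm[proxy]==1.82.6 --hash=sha256:..."
_PIN = re.compile(r"^\s*litellm(?:\[[^\]]*\])?\s*==\s*([0-9A-Za-z.+!]+)", re.IGNORECASE)
_HASH = re.compile(r"--hash=sha256:[0-9a-fA-F]{64}")


def executable_pth_lines(text: str) -> list[str]:
    """Return the lines of a .pth body that the interpreter would execute at startup."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # site.py skips blank and comment lines
        if _EXEC_LINE.match(line):
            hits.append(line)
    return hits


def scan_pth_dir(site_dir) -> dict[str, list[str]]:
    """Map every .pth file in one site-packages dir to its executable lines, if any."""
    findings = {}
    for pth in sorted(Path(site_dir).glob("*.pth")):
        try:
            text = pth.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        lines = executable_pth_lines(text)
        if lines:
            findings[str(pth)] = lines
    return findings


def is_bad_version(version) -> bool:
    """True for the releases the advisory names; None (not installed) is not bad."""
    return version in BAD_VERSIONS


def installed_litellm_version():
    """Version of litellm in this interpreter's environment, or None if absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def check_requirement_line(line: str) -> tuple[bool, str]:
    """Policy gate for one requirements/constraints line: exact pin, known-good, hashed."""
    m = _PIN.match(line)
    if not m:
        return False, "not an exact == pin"
    version = m.group(1)
    if is_bad_version(version):
        return False, f"pinned to known-bad release {version}"
    if not _HASH.search(line):
        return False, "no sha256 --hash (pip --require-hashes would refuse it)"
    return True, f"pinned to {version} with hash"


def local_report() -> dict:
    """Run the version check and the .pth audit against this interpreter's environment."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    if site.ENABLE_USER_SITE:
        dirs.append(site.getusersitepackages())
    version = installed_litellm_version()
    pth = {}
    for d in dirs:
        pth.update(scan_pth_dir(d))
    return {"litellm": version, "bad": is_bad_version(version), "pth_exec": pth}


if __name__ == "__main__":
    r = local_report()
    print(f"litellm installed: {r['litellm']}  known-bad: {r['bad']}")
    for path, lines in r["pth_exec"].items():
        print(f"{path} executes at startup:")
        for ln in lines:
            print("   ", ln)
    # Constructed requirements lines; the all-zero hash is a placeholder, not a real digest.
    for req in ("litellm>=1.82",
                "litellm==1.82.8 --hash=sha256:" + "0" * 64,
                "litellm==1.82.6 --hash=sha256:" + "0" * 64):
        print(req.split(" ")[0], "->", check_requirement_line(req))
```

Run it under each interpreter you care about (a venv, a CI image, a container layer) rather than once per host, because each environment has its own site-packages and therefore its own .pth files. An `import` line in a .pth file is not automatically malicious; virtualenv and some editable installs use them legitimately, so the output is a review list, not a verdict. For the policy gate, wire `check_requirement_line` into a pre-merge check on requirements and constraints files and install with `pip install --require-hashes` so an unpinned or unhashed line fails before anything is downloaded.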
For the broader pattern, see our work on AI supply-chain attacks. To see your own gateway and agent posture, book a 30-minute demo.
Frequently asked questions
Which LiteLLM versions were malicious?
PyPI releases 1.82.7 and 1.82.8 were trojanized with a weaponized .pth file that executed automatically whenever the Python interpreter started. The malicious versions were quarantined by PyPI, but any environment that installed them during the window should be treated as compromised and have its credentials rotated.
What did the payload do?
The .pth startup hook enabled large-scale credential harvesting — sweeping SSH keys, cloud credentials, Kubernetes configs, and LLM API keys — and exfiltrating them, with reported follow-on lateral movement. Because it ran at interpreter startup, it executed across local environments, CI/CD, and production workloads.
How does Anomity help against AI supply-chain attacks like this?
Anomity inventories AI gateways, agents, and the tooling around them across managed endpoints and surfaces the installed versions, so identifying every host that pulled a known-bad release is a single query. It records install and change events in a 90-day audit trail, and on agents that expose a hook it can deny the tool calls a credential-stealing payload would attempt.