Security News

Cybersecurity news aggregator

CRITICAL Attacks The Register Security

LiteLLM loses game of Trivy pursuit, gets compromised

A supply chain attack compromised the LiteLLM Python package via a polluted CI/CD pipeline, where attackers exploited a misconfiguration in the Trivy GitHub Action to steal a privileged token and publish malicious versions to PyPI. Specifically, versions 1.82.7 and 1.82.8 of LiteLLM contain credential-stealing code in the `litellm_init.pth` file and have been removed from PyPI. Users must verify they are not running these compromised versions and should revoke any exposed credentials, while maintainers are advised to review their CI/CD security and implement trusted publishing mechanisms.

Python interface for LLMs infected with malware via polluted CI/CD pipeline

Thomas Claburn, Tue 24 Mar 2026 // 19:11 UTC

Two versions of LiteLLM, an open source interface for accessing multiple large language models, have been removed from the Python Package Index (PyPI) following a supply chain attack that injected them with malicious credential-stealing code.

Specifically, LiteLLM v1.82.7 and v1.82.8 have been taken down because they contain credential-stealing code in a component file, litellm_init.pth.

Krrish Dholakia, CEO of Berri AI, which maintains LiteLLM, said in an online post that the compromise appears to have originated from the use of Trivy in the project's CI/CD pipeline. Trivy is an open source vulnerability scanner maintained by Aqua Security that many other projects include as a security measure.

The malware campaign began in late February, when the attackers took advantage of a misconfiguration in Trivy's GitHub Actions environment to steal a privileged access token that allowed the manipulation of CI/CD, according to Aqua Security.

The software was subverted on March 19, when attackers referred to as TeamPCP used compromised credentials to publish a malicious Trivy release (v0.69.4), and again on March 22, when malicious Trivy versions v0.69.5 and v0.69.6 were published as DockerHub images.

But Aqua Security explains that the approach taken by the attackers was more sophisticated than just uploading a new malicious version of Trivy.

"By modifying existing version tags associated with [the GitHub Action script] trivy-action, they injected malicious code into workflows that organizations were already running," the company said. "Because many CI/CD pipelines rely on version tags rather than pinned commits, these pipelines continued to execute without any indication that the underlying code had changed."
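The tag-rewrite vector Aqua describes is only possible when a workflow references an action by a mutable tag. The following audit script is an added example (not code from the article, LiteLLM or Aqua) that flags every `uses:` step in a GitHub Actions workflow whose ref is not a full 40-character commit SHA; the workflow text is constructed for illustration, and the `example-org/pinned-action` repository and its SHA are placeholders.

```python
import re

# Constructed sample workflow (not LiteLLM's real pipeline): two steps use
# mutable tags, one is pinned to a full commit SHA (placeholder value).
SAMPLE_WORKFLOW = """\
name: scan
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
"""

# Matches "uses: owner/repo@ref" (with or without a leading list dash).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A ref that cannot be silently moved: a full commit SHA.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (repo, ref) pairs for every action step not pinned to a commit SHA."""
    unpinned = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local composite actions and docker:// images are out of scope here.
        if target.startswith(("./", "docker://")):
            continue
        repo, _, ref = target.partition("@")
        # A tag, a branch name, or no ref at all: the code behind it can change.
        if not FULL_SHA_RE.match(ref):
            unpinned.append((repo, ref))
    return unpinned


if __name__ == "__main__":
    for repo, ref in audit_workflow(SAMPLE_WORKFLOW):
        print(f"unpinned: {repo}@{ref}")
```

Pinning to a SHA closes the moved-tag vector the article describes; it does not by itself address a malicious binary release that a pinned action downloads at run time.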
Dholakia said that LiteLLM's PYPI_PUBLISH token, stored in the project's GitHub repo as an .env variable, got sent to Trivy, where attackers got ahold of it, then used it to push new LiteLLM code.

"We have deleted all our PyPI publishing tokens," he said. "Our accounts had 2fa, so it's a bad token here. We're reviewing our accounts, to see how we can make it more secure (trusted publishing via JWT tokens, move to a different PyPI account, etc.)."

In another twist, the GitHub vulnerability report appears to have been targeted with a spam attack designed to distract and obscure useful comments about the report. At 05:44 AM PDT, dozens of presumably AI-generated variations of "Thanks, that helped!" flooded the repo. According to security researcher Rami McCarthy, 19 of the 25 accounts used to post were also used in the Trivy spam campaign.

The Python Packaging Authority (PyPA) has published a security advisory about the LiteLLM compromise. "Anyone who has installed and run the project should assume any credentials available to [the] LiteLLM environment may have been exposed, and revoke/rotate them accordingly," the advisory says.
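To act on the PyPA advisory, a user first needs to know whether one of the two pulled releases is installed and whether the `litellm_init.pth` file is present. The script below is an added example (not from the article, PyPA or LiteLLM) that checks the installed `litellm` version against the two versions named above and looks for the indicator file in site-packages; the search directories it uses by default are an assumption about a standard CPython layout.

```python
import site
import sys
from importlib import metadata
from pathlib import Path

# The two releases named in the article and in the PyPA advisory.
COMPROMISED_VERSIONS = {"1.82.7", "1.82.8"}
# The file the malicious releases carried. CPython executes "import" lines
# found in any .pth file under site-packages at interpreter start-up.
INDICATOR_FILE = "litellm_init.pth"


def is_compromised_version(version):
    """True if the given litellm version string is one of the pulled releases."""
    return version.strip() in COMPROMISED_VERSIONS


def installed_litellm_version():
    """Return the installed litellm version, or None if it is not installed."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def find_indicator_files(search_dirs):
    """Return paths of litellm_init.pth found directly inside the given directories."""
    hits = []
    for d in search_dirs:
        candidate = Path(d) / INDICATOR_FILE
        if candidate.is_file():
            hits.append(str(candidate))
    return hits


def check_environment(search_dirs=None):
    """Run both checks; a flagged version or any indicator hit means rotate credentials."""
    if search_dirs is None:  # assumption: standard site-packages locations
        search_dirs = site.getsitepackages() + [site.getusersitepackages()]
    version = installed_litellm_version()
    return {
        "version": version,
        "version_flagged": version is not None and is_compromised_version(version),
        "indicators": find_indicator_files(search_dirs),
    }


if __name__ == "__main__":
    result = check_environment()
    print(result)
    sys.exit(1 if result["version_flagged"] or result["indicators"] else 0)
```

Run it inside every virtual environment that has ever had `litellm` installed, since each one has its own site-packages.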