
Don't Let Your AI Agents Hold Their Own Credentials
The LiteLLM PyPI compromise revealed a critical architectural flaw in how AI agents manage secrets. A hidden .pth file executed at Python startup, harvesting environment variables, SSH keys, and cloud credentials before any application code ran.

The Supply Chain Attack That Worked Because Credentials Were There

On March 25, 2026, versions 1.82.7 and 1.82.8 of LiteLLM—a popular Python routing layer for AI model providers—were compromised on PyPI. The attack used a .pth file that executes automatically when Python starts, requiring no imports. The payload collected:

- Environment variables (API keys, service tokens, database passwords)
- SSH private keys and authorized_keys files
- AWS credentials, IMDS tokens, and IAM role files
- Kubernetes configs and service account tokens
- Docker authentication configs
- Git credentials and shell history
- Cryptocurrency wallet directories

The encrypted data was sent to a domain mimicking the legitimate service. This succeeded not because the attack was sophisti
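The startup hook described above is a documented CPython behaviour: the site module reads every *.pth file in site-packages, appends plain lines to sys.path, and executes any line that begins with "import" as Python code. The defensive counterpart is to inventory those executing lines on a host so an unexpected one stands out. The following auditor is an added example written for this page; it is not code from the article, from LiteLLM, or from the incident payload. The SUSPICIOUS token list and the two sample .pth contents are constructed heuristics and fixtures, and the script assumes the standard site.getsitepackages() / site.getusersitepackages() layout.

```python
"""Audit .pth files for lines the interpreter will execute at startup.

CPython's site module processes every *.pth file in site-packages when
the interpreter starts: plain lines are appended to sys.path, and any line
that starts with "import " or "import\\t" is passed to exec(). Listing
those lines gives a reviewer a concrete, diffable inventory of the code
that runs before the application imports anything.
"""
import re
import site
from pathlib import Path

# Constructed heuristic: tokens that are unusual in a legitimate startup hook
# (legitimate hooks mostly adjust sys.path or read os.environ). Not exhaustive.
SUSPICIOUS = re.compile(
    r"\b(exec|eval|compile|base64|zlib|marshal|urlopen|socket|subprocess)\b"
)


def executing_lines(pth_text: str) -> list:
    """Return (line_number, line) for every line site.py would exec()."""
    return [
        (n, line.rstrip())
        for n, line in enumerate(pth_text.splitlines(), 1)
        if line.startswith(("import ", "import\t"))
    ]


def classify(pth_text: str) -> dict:
    """Summarise one .pth file's content for review."""
    executing = executing_lines(pth_text)
    flagged = [(n, l) for n, l in executing if SUSPICIOUS.search(l)]
    return {
        "executes_code": bool(executing),
        "executing": executing,
        "flagged": flagged,
    }


def audit(dirs=None) -> list:
    """Scan every *.pth under the given directories (default: site dirs).

    Only files that contain at least one executing line are reported, so a
    clean host with nothing but path entries yields an empty list.
    """
    if dirs is None:
        # getsitepackages() is absent in some older virtualenv site modules.
        dirs = list(getattr(site, "getsitepackages", lambda: [])())
        dirs.append(site.getusersitepackages())
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            try:
                text = pth.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            result = classify(text)
            if result["executes_code"]:
                result["path"] = str(pth)
                findings.append(result)
    return findings


# Constructed sample .pth contents for testing; not files from the incident.
BENIGN_PTH = "/opt/vendor/lib\nimport sys; sys.path.append('/opt/vendor/extra')\n"
SUSPECT_PTH = "import base64, zlib; exec(zlib.decompress(base64.b64decode('<blob>')))\n"


if __name__ == "__main__":
    for f in audit():
        marker = "!!" if f["flagged"] else "  "
        print(f"{marker} {f['path']}")
        for n, line in f["executing"]:
            print(f"     line {n}: {line[:120]}")
```

Run it from the same interpreter the agent uses, since each virtual environment has its own site-packages. Expect some legitimate executing lines (for example setuptools ships a distutils-precedence.pth whose single line imports os and sets an environment variable); the value of the audit is in recording that baseline in version control and alerting on any new or changed line after a dependency install.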
Continue reading on Dev.to



