The LiteLLM Attack Reveals a Hidden Risk in Every AI Developer's Stack

The LiteLLM Attack Reveals a Hidden Risk in Every AI Developer's Stack On March 24, 2026, at 10:52 UTC, litellm version 1.82.8 was published to PyPI. It contained malware. Within 46 minutes, 46,996 downloads had occurred. SSH keys, AWS credentials, GCP tokens, Kubernetes configs, .env files, and API keys were being exfiltrated to an attacker-controlled server at https://models.litellm.cloud/ . The attack was discovered not by a security team, but by a developer at FutureSearch who noticed their laptop had frozen — what they initially assumed was a runaway Claude Code loop turned out to be a fork bomb triggered by the malicious .pth file. "This is malware in the litellm PyPI package. The litellm_init.pth file is a supply chain attack that executes on EVERY Python startup." — FutureSearch incident report What Happened: The Full Timeline The attack was part of a coordinated supply chain campaign by threat actor group "TeamPCP": Time (UTC, Mar 24) Event Pre-incident (Mar 19–23) TeamPCP com