
When Your LLM Proxy Becomes the Attack Vector
Yesterday, LiteLLM, the Python library with roughly 95 million monthly downloads that applications use to route LLM API calls, had two compromised versions published to PyPI. The malware steals every secret it can find, phones home to a lookalike domain, and tries to pivot into your Kubernetes cluster. Let me walk through what happened, why it matters for AI agent operators, and the architectural lesson hiding underneath.

What Actually Happened

Versions 1.82.7 and 1.82.8 were pushed directly to PyPI: no corresponding GitHub tag, no release notes, just a tampered package. The attack vector? A compromised Trivy security scanner in LiteLLM's CI/CD pipeline leaked PyPI credentials to the attacker.

The payload is a .pth file, litellm_init.pth, dropped into site-packages. Python's site module processes every .pth file in site-packages at interpreter startup, and any line in such a file that begins with "import" is executed as Python code, so the payload runs on every interpreter start. You don't even need to import litellm. Just having the package installed in your environment is enough.

Three stages:

Harvest: SSH keys, .env files, AWS/GCP/Azure creds, K8s configs, database pass
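The .pth mechanism is the part worth checking on your own hosts. The script below is an added example, not code from the article or from the LiteLLM project: it lists every .pth line in a site directory that the site module would exec() (only lines beginning with "import" are executed; plain path entries are not), reports whether an installed litellm is one of the two versions named above, and demonstrates the startup behaviour with a constructed, harmless .pth whose only action is to set an environment variable. The file names evil_init.pth and paths_only.pth and the PTH_DEMO_RAN variable are inventions for the demo; the version set is taken from the article.

```python
"""Audit site-packages for .pth files that execute code at interpreter startup.

Added example, not part of the article or the LiteLLM project.
"""
import os
import re
import site
import tempfile
from importlib.metadata import PackageNotFoundError, version
from pathlib import Path

# The two tampered releases named in the article. Any other version is
# not vouched for here either way; this is a blocklist, not an allowlist.
COMPROMISED_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}

# site.addpackage() exec()s a line only if it starts with "import" followed
# by a space or a tab; everything else is treated as a sys.path entry.
IMPORT_LINE = re.compile(r"^import[ \t]")


def executable_pth_lines(site_dir):
    """Return (file name, line number, line) for every .pth line that
    would be executed by the site module when this directory is processed."""
    hits = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if IMPORT_LINE.match(line):
                hits.append((pth.name, lineno, line.strip()))
    return hits


def is_known_bad_version(ver):
    """True if ver is one of the tampered LiteLLM releases."""
    return ver.strip() in COMPROMISED_LITELLM_VERSIONS


def installed_litellm_status():
    """(installed version or None, whether it is a known tampered release)."""
    try:
        ver = version("litellm")
    except PackageNotFoundError:
        return None, False
    return ver, is_known_bad_version(ver)


def demo_pth_execution():
    """Show that site.addsitedir() runs an import line from a .pth file
    without anything importing a package. The payload here is constructed
    and harmless: it only sets an environment variable."""
    marker = "PTH_DEMO_RAN"
    os.environ.pop(marker, None)
    with tempfile.TemporaryDirectory() as d:
        # Legitimate use of .pth: a path entry, never executed.
        Path(d, "paths_only.pth").write_text(d + "\n", encoding="utf-8")
        # Stand-in for the attack pattern: an import line the site module exec()s.
        Path(d, "evil_init.pth").write_text(
            'import os; os.environ["PTH_DEMO_RAN"] = "1"\n', encoding="utf-8"
        )
        findings = executable_pth_lines(d)
        # This is what the interpreter does for real site directories at startup.
        site.addsitedir(d)
        ran = os.environ.get(marker) == "1"
    return findings, ran


if __name__ == "__main__":
    for sd in site.getsitepackages() + [site.getusersitepackages()]:
        if os.path.isdir(sd):
            for name, lineno, line in executable_pth_lines(sd):
                print(f"{sd}/{name}:{lineno}: {line}")
    print("litellm:", installed_litellm_status())
    print("demo (findings, payload ran):", demo_pth_execution())
```

Run it from every interpreter you care about, not just one: each virtualenv has its own site-packages, and a finding in one environment says nothing about the others. Some legitimate packages (editable installs, import hooks such as those from setuptools or coverage tools) ship import lines in .pth files, so treat each hit as something to read, not as proof of compromise.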




