Your Python Environment Might Be Compromised by litellm (And Here's How to Check)

via Dev.to Python, by Ritvik Dayal

What Happened to LiteLLM

On March 24, 2026, someone published two malicious versions of the popular litellm Python package to PyPI. Versions 1.82.7 and 1.82.8 contained a full-blown backdoor that harvested credentials, established persistence, and phoned home to a command-and-control server. The kicker? The attacker didn't hack PyPI directly. They poisoned a security scanner (Trivy) that LiteLLM's own CI/CD pipeline trusted. The scanner stole the PyPI publish token, and the attacker used it to push compromised packages that looked completely legitimate.

The malicious versions were live for about three hours before PyPI pulled them. Three hours is a long time when you have automated deployments.

The Attack Chain

Here's how the whole thing unfolded, step by step:

Two things make this especially nasty:

Version 1.82.7 embedded the payload in litellm/proxy/proxy_server.py. It triggered when you imported the module. Standard stuff for malicious packages.

Version 1.82.8 went further. It drop
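The excerpt stops before the article's own check, so here is an added example (not the article's code) that looks for the two versions named above both in the running interpreter and in requirements.txt-style text. The sample requirements text is constructed; lock-file formats are not parsed, and a range specifier is reported as "unpinned" because an install during the three-hour window could have resolved to a malicious release.

```python
"""Check an environment and requirements files for the litellm releases (1.82.7, 1.82.8)
the article reports as backdoored. Added example, not the article's own code."""
import importlib.metadata
import re

# Package name -> versions the article reports as malicious.
AFFECTED = {"litellm": {"1.82.7", "1.82.8"}}
# name, optional [extras], then everything up to an environment marker (';').
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*([^;]*)")


def installed_findings(dists=None):
    """(name, version) for affected releases; `dists` is an optional iterable of
    (name, version) pairs, by default the running interpreter's distributions."""
    if dists is None:
        dists = ((d.metadata["Name"] or "", d.version)
                 for d in importlib.metadata.distributions())
    return [(n.lower(), v) for n, v in dists
            if n.lower() in AFFECTED and v in AFFECTED[n.lower()]]


def scan_requirements(text):
    """Classify lines naming an affected package: 'affected' (exact pin to a malicious
    version), 'unpinned' (range/no pin, so an install in the window could have resolved
    to one), or 'ok' (exact pin to another version)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or -r/-e option line
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, spec = m.group(1).lower(), m.group(2).replace(" ", "")
        if name not in AFFECTED:
            continue
        pin = re.fullmatch(r"==([^,]+)", spec)
        if pin is None:
            findings.append((name, "unpinned", spec or "any version"))
        elif pin.group(1) in AFFECTED[name]:
            findings.append((name, "affected", pin.group(1)))
        else:
            findings.append((name, "ok", pin.group(1)))
    return findings

# Constructed sample requirements file (not from the article).
SAMPLE_REQS = 'requests==2.31.0\nlitellm[proxy]==1.82.8 ; python_version >= "3.9"\nLiteLLM>=1.82.0,<1.83\n'

if __name__ == "__main__":
    print("installed:", installed_findings())
    print("pinned:", scan_requirements(SAMPLE_REQS))
```

A hit from `installed_findings()` means the import-time payload has already had a chance to run on that host, so the credentials available to that interpreter should be treated as exposed, not just the package reinstalled.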

Continue reading on Dev.to Python
