SECURITY ALERT: Supply Chain Attack - Malicious code in litellm PyPI Package

Product / Version includes:

TrendAI Vision One™ All

Last updated: 2026/03/27

Solution ID: KA-0022880

Category:

Summary

A critical supply chain attack targeted the Python package ecosystem by introducing a malicious version of the litellm package (v1.82.8 and v1.82.7) on PyPI. This version included a .pth file (litellm_init.pth on v1.82.8) and a .py (proxy_server.py on v1.82.8) that executed a credential-stealing payload automatically on every Python interpreter startup, exfiltrating sensitive information from victim systems to an attacker-controlled server.

The attack affected developers, CI/CD pipelines, containers, and production servers globally, stealing SSH keys, cloud credentials, and other secrets.

Please visit TrendAI's blog - Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise - for more detailed information.

Attack Chain

•   Initial Access: The attacker gained access to the supply chain by uploading a compromised package to PyPI, which was then installed by unsuspecting users.
•   Execution: The malicious .pth file was automatically executed on Python interpreter startup, triggering the credential-stealing payload without requiring an explicit import.
•   Collection: The payload gathered a wide range of sensitive data, including system information, environment variables, SSH keys, cloud provider credentials, and more.
•   Exfiltration: Collected data was encrypted and sent to an attacker-controlled domain via a POST request using curl.

TrendAI Protection and Detection Against Exploitation

As information is unfolding in real-time on this incident, TrendAI has released several critical information pieces and protections against known components:

TrendAI Vision One™

Threat Intelligence Hub

TrendAI has added some information in the Vision One Threat Intelligence Hub that is closely tracking activities known to be part of this attack.

IoC Sweeping

TrendAI integrates up-to-the-minute intelligence reports from internal and external sources to help identify potential threats in your environment.

Patterns, Models & Signatures

Includes TrendAI Vision One Endpoint Security, TrendAI Vision One Server and Workload Security, TrendAI Deep Security, and all other products that utilize malware file scanning technologies.

TrendAI has created protection patterns with the following detections for IoCs known to be related to this attack:

TrojanSpy.Python.TPCPSTEAL.A
Trojan.Python.MALPYLOADER.A
Trojan.Python.PYSTEALER.A
Trojan.JS.CANISTERWORM.A
Backdoor.JS.CANISTERWORM.A
Worm.JS.CANISTERWORM.A

TrendAI Vision One - Container Security

Container image malware scan via TrendAI Artifact Scanner (TMAS) and runtime malware scan can also detect based on the listed VSAPI detections related to compromised LiteLLM packages with known malware.

Container image vulnerability scan can identify the related GHSA-5mg7-485q-xm76 for the LiteLLM packages.

Web Reputation Services (WRS)

TrendAI products that utilize WRS technology to proactive block potentially malicious sites also have protection against suspected vectors in associated campaigns.

Specifically, TrendAI has added several IP addresses and URLs that are now being classified as:

Disease Vectors
Command and Control (C&C) Servers

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

SECURITY ALERT: Supply Chain Attack - Malicious code in litellm PyPI Package

Attack Chain

TrendAI Protection and Detection Against Exploitation

SECURITY ALERT: Supply Chain Attack - Malicious code in litellm PyPI Package

Product / Version includes:

Summary

Attack Chain

TrendAI Protection and Detection Against Exploitation