{"id":"PYSEC-2026-2","summary":"Two litellm versions published containing credential harvesting malware","details":"After an API token exposure from an exploited Trivy dependency,\ntwo new releases of `litellm` were uploaded to PyPI containing automatically activated malware\nthat harvests sensitive credentials and files and exfiltrates them to a remote API.\n\nThe malicious code runs whenever any module from the package is imported. It scans\nthe file system and environment variables, collecting all kinds of\nsensitive data, including but not limited to private SSH keys, credentials to Git and\nDocker repositories, dotenv files, tokens to Kubernetes service accounts,\ndatabases and LDAP configuration. Also exfiltrated are multiple shell history\nfiles and cryptowallet keys. The malware actively attempts to obtain cloud access tokens\nfrom metadata servers and retrieve secrets stored in AWS Secrets Manager.\nAll collected data are sent to the domain models.litellm[.]cloud.\n\nFurthermore, the code includes a persistence mechanism by configuring\na SystemD service unit masqueraded as \"System Telemetry Service\" on the host it\nruns on, and in a Kubernetes environment also by creating a new pod.\nThe persistence script then contacts hxxps://checkmarx[.]zone/raw for\nfurther instructions.\n\nAnyone who has installed and run the project should assume that\nany credentials available to the litellm environment may have been exposed,\nand revoke/rotate them accordingly. The affected environment should be\nisolated and carefully reviewed for any unexpected modifications\nand network traffic.\n","aliases":["MAL-2026-2144"],"modified":"2026-03-25T16:45:07.164747Z","published":"2026-03-24T16:15:08.809028Z","references":[{"type":"EVIDENCE","url":"https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1"},{"type":"EVIDENCE","url":"https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130"},{"type":"REPORT","url":"https://github.com/BerriAI/litellm/issues/24518"},{"type":"ARTICLE","url":"https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/"},{"type":"ARTICLE","url":"https://www.wiz.io/blog/teampcp-attack-kics-github-action"},{"type":"ARTICLE","url":"https://docs.litellm.ai/blog/security-update-march-2026"}],"affected":[{"package":{"name":"litellm","ecosystem":"PyPI","purl":"pkg:pypi/litellm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.82.7"},{"last_affected":"1.82.8"}]}],"versions":["1.82.7","1.82.8"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/litellm/PYSEC-2026-2.yaml"}}],"schema_version":"1.7.5","credits":[{"name":"Callum McMahon, Futuresearch","type":"REPORTER"},{"name":"Mike Fiedler","type":"COORDINATOR"},{"name":"Kamil Mańkowski","type":"ANALYST"}]}