2026-03-25 11:39
According to 1M AI News monitoring, Andrej Karpathy, co-founder of OpenAI, posted that the supply chain attack targeting the AI agent development tool LiteLLM is "essentially the most terrifying thing in modern software." LiteLLM has 97 million monthly downloads; the compromised versions v1.82.7 and v1.82.8 have been taken down from PyPI.
Running the single command pip install litellm is enough for the malicious payload to exfiltrate SSH keys, AWS/GCP/Azure cloud credentials, Kubernetes configurations, git credentials, environment variables (including all API keys), shell history, encrypted wallets, SSL private keys, CI/CD secrets, and database passwords from the machine. The payload encrypts the stolen data using 4096-bit RSA before transmitting it to the spoofed domain models.litellm.cloud, and additionally attempts to deploy privileged containers within the kube-system namespace of Kubernetes clusters to establish persistent backdoors.
The threat is further amplified by its contagion: any project depending on LiteLLM becomes compromised as well—e.g., pip install dspy (which depends on litellm>=1.64.0) will also trigger the malicious code. The compromised versions remained on PyPI for only about one hour before detection, ironically due to a bug in the attacker’s own malicious code causing memory exhaustion and system crash. Developer Callum McMahon discovered the breach when LiteLLM was pulled in as a transitive dependency via an MCP plugin used in the AI coding tool Cursor; upon installation, his machine immediately crashed, exposing the attack. Karpathy commented: "Had the attackers not made a mistake with their vibe code this time, the breach might have gone undetected for days or even weeks."
The threat group TeamPCP exploited a misconfiguration of the Trivy vulnerability scanner in a GitHub Actions CI/CD pipeline to compromise LiteLLM's infrastructure in late February, stealing PyPI publish tokens. They then bypassed GitHub and uploaded the malicious versions directly to PyPI. Berri AI CEO Krrish Dholakia, maintainer of LiteLLM, confirmed that all publish tokens have been revoked and that the project plans to transition to a JWT-based trusted publishing mechanism. PyPA issued security advisory PYSEC-2026-2, urging all users who installed affected versions to assume every credential in their environment has been exposed and to rotate them immediately.
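To check a machine against the versions named above, the following added example (not code from LiteLLM, PyPA or the original report) tests whether a compromised litellm release is installed and which installed packages declare a litellm requirement, such as litellm>=1.64.0, that would have admitted one. The function names and the simplified version parsing are assumptions of this example; it handles plain numeric versions and flags ~= and wildcard specifiers for manual review.

```python
import re
from importlib import metadata

# Versions the article names as compromised; the package they belong to.
BAD_VERSIONS = {"1.82.7", "1.82.8"}
PACKAGE = "litellm"

def _key(version):
    # '1.82.7' -> (1, 82, 7); plain numeric releases only (an assumption).
    return tuple(int(part) for part in version.split("."))

def _allows(op, bound, version):
    v, b = _key(version), _key(bound)
    return {"==": v == b, "!=": v != b, ">=": v >= b,
            "<=": v <= b, ">": v > b, "<": v < b}[op]

def admits_bad_version(requirement):
    """Compromised versions that this requirement line would let pip select."""
    m = re.match(r"\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?([^;#]*)", requirement)
    if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != PACKAGE:
        return []
    spec = m.group(2)
    if "~" in spec or "*" in spec:
        return sorted(BAD_VERSIONS)  # not parsed here: flag for manual review
    clauses = re.findall(r"(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)", spec)
    return sorted(v for v in BAD_VERSIONS
                  if all(_allows(op, b, v) for op, b in clauses))

def installed_bad_version():
    """Installed litellm version if it is a compromised one, else None."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return version if version in BAD_VERSIONS else None

def dependents_admitting_bad():
    """Installed distributions whose litellm requirement admits a bad version."""
    hits = {}
    for dist in metadata.distributions():
        for req in dist.requires or []:
            bad = admits_bad_version(req)
            if bad:
                hits[dist.metadata.get("Name", "unknown")] = bad
    return hits

if __name__ == "__main__":
    print("installed compromised version:", installed_bad_version())
    for name, bad in sorted(dependents_admitting_bad().items()):
        print(f"{name}: requirement admits {', '.join(bad)}")
```

A clean result only describes the environment as it is now; a machine that installed an affected version at any point still falls under the advisory's instruction to rotate every credential.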