Full Report
This is news: A malicious supply chain compromise has been identified in the Python Package Index package litellm version 1.82.8. The published wheel contains a malicious .pth file (litellm_init.pth, 34,628 bytes) which is automatically executed by the Python interpreter on every startup, without requiring any explicit import of the litellm module. There are a lot of really boring things we need to do to help secure all of these critical libraries: SBOMs, SLSA, SigStore. But we have to do them.
Analysis Summary
# Incident Report: Supply Chain Compromise of PyPI Package `litellm`
## Executive Summary
A malicious supply chain compromise was identified in version 1.82.8 of the popular Python package `litellm` hosted on the Python Package Index (PyPI). The attackers embedded a malicious `.pth` file within the distributed wheel file, allowing for automatic code execution upon any Python startup on the infected system. The incident underscores the ongoing vulnerability of the Python ecosystem to unauthorized package modifications.
## Incident Details
- **Discovery Date:** April 8, 2026 (based on publication)
- **Incident Date:** Circa April 2026
- **Affected Organization:** PyPI (Distribution), Users of `litellm`
- **Sector:** Software Development / AI Infrastructure
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to April 8, 2026
- **Vector:** Supply Chain Compromise (Unauthorized modification of package version 1.82.8)
- **Details:** Attackers successfully injected a malicious file into the published "wheel" (.whl) distribution of the `litellm` package on PyPI.
### Lateral Movement
- **Details:** Not explicitly detailed in the report, though the nature of the compromise allows for persistence across any Python application running in the same environment.
### Data Exfiltration/Impact
- **Details:** The malicious payload gains execution every time the Python interpreter starts, bypassing the need for a user to explicitly `import litellm`.
### Detection & Response
- **How it was discovered:** Identified by security researchers (Truesec) and publicized by Schneier on Security.
- **Response actions taken:** Community notification and industry awareness regarding the specific version (1.82.8).
## Attack Methodology
- **Initial Access:** Supply Chain Compromise (tampered package distribution).
- **Persistence:** Use of a `.pth` file (`litellm_init.pth`). Python automatically executes code within `.pth` files found in the `site-packages` directory during interpreter initialization.
- **Privilege Escalation:** Inherits permissions of the user/process running the Python interpreter.
- **Defense Evasion:** Execution occurs without an explicit `import` statement, making it invisible to standard code audits that only look at internal script imports.
- **Impact:** Arbitrary code execution (34,628 bytes of malicious payload).
## Impact Assessment
- **Financial:** Potential for significant costs related to remediation for downstream users utilizing `litellm` in production AI environments.
- **Data Breach:** Risk of credential theft (API keys for LLMs) due to the nature of the `litellm` library.
- **Operational:** Disruption of CI/CD pipelines and production environments upon discovery and required cleanup.
- **Reputational:** Erosion of trust in the PyPI ecosystem and the specific library maintainers.
## Indicators of Compromise
- **File indicators:**
  - Filename: `litellm_init.pth`
  - Size: 34,628 bytes
  - Location: Found within the `litellm-1.82.8` distribution wheel.
- **Behavioral indicators:** Unexpected outbound network connections from the Python interpreter on startup; presence of unauthorized `.pth` files in `site-packages`.
## Response Actions
- **Containment measures:** Users advised to avoid or uninstall `litellm` version 1.82.8 immediately.
- **Eradication steps:** Delete the infected environment and search for the specific `litellm_init.pth` file in Python installation directories.
- **Recovery actions:** Revert to a known good version (e.g., 1.82.7 or a patched successor).
## Lessons Learned
- **Implicit Execution:** The use of `.pth` files for malware delivery is a potent technique because it triggers during interpreter setup, not module loading.
- **Verification Gaps:** Relying solely on the presence of a package on PyPI without cryptographic verification or SBOMs remains a high risk.
## Recommendations
- **Maintainers:** Implement SLSA (Supply-chain Levels for Software Artifacts) and use Sigstore for signing releases.
- **Users:** Generate and audit Software Bill of Materials (SBOMs) to track dependencies.
- **Security Teams:** Monitor for the creation of `.pth` files in production environments and implement strict version pinning with hash checking (`pip install --require-hashes -r requirements.txt`, with a `--hash=sha256:...` entry for each pinned requirement).
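
One way to implement the `.pth` monitoring recommended above, as an added example that is not code from the report or from the `litellm` project: it flags `.pth` files in a wheel before install and in installed `site-packages` directories, extracting the lines Python's `site` module would execute (those starting with `import` followed by a space or tab). The function names and the harmless sample wheel are constructed for illustration.

```python
import io
import site
import zipfile
from pathlib import Path


def executable_lines(pth_text):
    """Lines site.py would exec(): those starting with 'import' plus space or tab."""
    return [ln for ln in pth_text.splitlines() if ln.startswith(("import ", "import\t"))]


def scan_wheel(wheel):
    """Inspect a wheel (path or file object) before install; report each .pth member."""
    findings = []
    with zipfile.ZipFile(wheel) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".pth"):
                text = zf.read(info).decode("utf-8", errors="replace")
                findings.append((info.filename, info.file_size, executable_lines(text)))
    return findings


def scan_site_dirs(dirs=None):
    """Report installed .pth files that contain executable lines."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            lines = executable_lines(pth.read_text(encoding="utf-8", errors="replace"))
            if lines:
                findings.append((str(pth), pth.stat().st_size, lines))
    return findings


def build_constructed_wheel():
    """Constructed sample: a harmless wheel-shaped zip holding one .pth file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_pkg/__init__.py", "")
        zf.writestr("demo_init.pth", "some/extra/path\nimport os; os.getpid()\n")
    return buf


if __name__ == "__main__":
    print(scan_wheel(build_constructed_wheel()))
    print(scan_site_dirs())
```

Some legitimate packages also install `.pth` files containing `import` lines, so findings should be triaged against a known-good baseline for the environment rather than treated as compromise on their own.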