LiteLLM PyPI Package Compromise
Affected packages contain malicious code that can exfiltrate secrets and establish persistence
Summary
Affected packages contain malicious code that can exfiltrate secrets and establish persistence
Affected platforms
The following platforms are known to be affected:
LiteLLM versions 1.82.7 and 1.82.8
Threat details
Introduction
Security researchers have identified a supply-chain compromise affecting specific versions of the LiteLLM PyPI package, a widely used API gateway allowing developers to access hundreds of large language models.
The malicious packages were uploaded at 10:39 UTC on 24th March 2026 and quarantined by PyPI at 13:38 UTC later that day.
Compromised versions contain malicious code with information stealer capabilities that can extract and exfiltrate secrets from an affected device, and also installs a persistence mechanism that can survive system reboots. The malicious code does not require LiteLLM to be imported once installed, it will be executed on every Python invocation within that environment.
It is suspected that this activity is related to the Trivy supply-chain compromise covered in CC-4758.
Remediation advice
The NHS England National CSOC recommends impacted organisations review the GitHub LiteLLM issue 24512 and follow the remediation steps detailed below.
Remediation steps
| Type | Step |
|---|---|
| Guidance |
Check for LiteLLM versions 1.82.7 or 1.82.8 https://www.endorlabs.com/learn/teampcp-isnt-done |
| Guidance |
If you find evidence of the compromised packages, follow the guidance linked below to remove the persistence mechanism and rotate all secrets that the affected device has access to. If evidence of compromise is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected]. https://www.endorlabs.com/learn/teampcp-isnt-done |
Definitive source of threat updates
Last edited: 25 March 2026 1:25 pm