The LiteLLM Supply Chain Attack Broke Trust in Python-Based AI Infrastructure

If you run LiteLLM in production, you probably had a rough week. On March 24, 2026, two backdoored versions of litellm (1.82.7 and 1.82.8) were published to PyPI using stolen credentials. The malware stole SSH keys, AWS/GCP/Azure credentials, Kubernetes secrets, cryptocurrency wallets, and deployed persistent backdoors on infected machines. It was live for about 3 hours. LiteLLM gets 3.4 million daily downloads. This is the full breakdown of what happened, why it matters, and what you should actually do about it. What Happened: The Full Attack Chain The attack didn't start with LiteLLM. It started with Trivy, a popular container security scanner. Here's the sequence: A threat actor group called TeamPCP exploited a pull_request_target workflow vulnerability in Trivy's GitHub Action (GHSA-9p44-j4g5-cfx5) They used this to exfiltrate the aqua-bot credentials and rewrite Trivy v0.69.4 release tags to point to malicious payloads On March 23, they also compromised the Checkmarx KICS GitHub A