LiteLLM malware attack exposed by Andrej Karpathy: steals API keys and cloud credentials

Summary

Malicious LiteLLM releases v1.82.7 and v1.82.8 stole API keys and cloud credentials. The attackers used RSA-encrypted channels to exfiltrate the data to a spoofed domain and attempted to plant a backdoor in Kubernetes clusters. The breach stemmed from a GitHub Actions misconfiguration exploited by TeamPCP, who stole PyPI release tokens. LiteLLM has revoked all tokens and will move to JWT-based publishing. PyPA has issued advisory PYSEC-2026-2, urging users to assume all credentials are compromised.

According to 1M AI News, Andrej Karpathy, a founding member of OpenAI, posted that the supply chain attack on the AI agent development tool LiteLLM is “one of the most terrifying things in modern software.” The two compromised versions, v1.82.7 and v1.82.8, have been removed from PyPI; LiteLLM has 97 million monthly downloads.

A single command, `pip install litellm`, is sufficient to steal SSH keys, AWS/GCP/Azure cloud credentials, Kubernetes configurations, Git credentials, environment variables (including all API keys), shell history, encrypted wallets, SSL private keys, CI/CD keys, and database passwords. The malicious code packages the data using 4096-bit RSA encryption and exfiltrates it to the spoofed domain models.litellm.cloud, and also attempts to create a privileged container in the kube-system namespace of the Kubernetes cluster to establish a persistent backdoor.

Even more dangerous is the contagion: any project depending on LiteLLM would be affected as well—for example, `pip install dspy` (which depends on litellm>=1.64.0) would also trigger the malicious code. The compromised version remained on PyPI for only about an hour before being discovered, ironically due to a bug in the attacker’s own malicious code that caused a memory exhaustion crash. Developer Callum McMahon encountered the attack when using an MCP plugin in the AI coding tool Cursor, which pulled in LiteLLM as a transitive dependency; after installation, his machine crashed, exposing the attack. Karpathy commented: “If the attacker hadn’t used vibe code, this attack might have gone undetected for days or even weeks.”

The attack group TeamPCP exploited a misconfiguration in the Trivy vulnerability scanner within GitHub Actions' CI/CD pipeline at the end of February, stealing PyPI release tokens and subsequently uploading malicious versions directly to PyPI, bypassing GitHub. Berri AI CEO Krrish Dholakia, maintainer of LiteLLM, stated that all release tokens have been revoked and plans are underway to transition to a JWT-based trusted publishing mechanism. PyPA has issued a security advisory, PYSEC-2026-2, recommending that all users who installed affected versions assume all credentials in their environment have been compromised and rotate them immediately.
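As an added triage example (not code from the article, from LiteLLM, or from PyPA), the following Python script answers the three questions a defender asks after reading the report: whether an affected litellm version is pinned in a `pip freeze` listing, which installed packages pulled litellm in as a dependency (the dspy case above), and whether an egress or DNS log mentions the spoofed exfiltration domain. The affected version numbers, the domain models.litellm.cloud and dspy's `litellm>=1.64.0` requirement come from the article; the sample freeze lines, requirement lists, the `dspy==2.6.0` pin and the DNS log entries are constructed for the example.

```python
"""Triage helper for the compromised LiteLLM releases (v1.82.7 and v1.82.8).

Added example; not code from the article or from the LiteLLM project.
"""
from __future__ import annotations

import re
from importlib import metadata

# Versions named in the advisory text.
AFFECTED_VERSIONS = {"1.82.7", "1.82.8"}
# Spoofed domain the report says the payload exfiltrated to.
EXFIL_DOMAIN = "models.litellm.cloud"


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(lines) -> dict[str, str]:
    """Parse 'name==version' lines (pip freeze output) into {name: version}."""
    pins = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)", line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def affected_pins(pins: dict[str, str]) -> list[str]:
    """Return 'litellm==<version>' if the pinned litellm version is affected."""
    v = pins.get("litellm")
    return [f"litellm=={v}"] if v in AFFECTED_VERSIONS else []


def dependents_of(target: str, requires: dict[str, list[str]]) -> list[str]:
    """Packages whose declared requirements name `target` (direct dependents).

    `requires` maps a package name to its requirement strings, e.g. what
    importlib.metadata reports for each installed distribution.
    """
    target = normalize(target)
    hits = []
    for pkg, reqs in requires.items():
        for req in reqs:
            # Cut the requirement string at the first specifier/extra/marker.
            req_name = re.split(r"[\s<>=!~;\[]", req, maxsplit=1)[0]
            if normalize(req_name) == target:
                hits.append(normalize(pkg))
                break
    return sorted(hits)


def installed_requires() -> dict[str, list[str]]:
    """Collect the declared requirements of every installed distribution."""
    return {dist.metadata["Name"]: (dist.requires or [])
            for dist in metadata.distributions()}


def scan_for_exfil_domain(log_lines) -> list[str]:
    """Return log lines that reference the spoofed domain (case-insensitive)."""
    needle = EXFIL_DOMAIN.lower()
    return [ln for ln in log_lines if needle in ln.lower()]


# --- constructed sample data, standing in for real pip and resolver output ---
SAMPLE_FREEZE = [
    "dspy==2.6.0",                                # constructed version
    "LiteLLM==1.82.8   # pulled in transitively",  # affected release
    "requests==2.32.3",
]
SAMPLE_REQUIRES = {
    "dspy": ["litellm>=1.64.0", "openai>=1.0"],   # litellm>=1.64.0 per the article
    "requests": ["urllib3", "certifi"],
}
SAMPLE_DNS_LOG = [  # constructed log lines
    "10:01:02 query A pypi.org from 10.0.0.5",
    "10:01:07 query A models.litellm.cloud from 10.0.0.5",
    "10:01:09 query A api.openai.com from 10.0.0.5",
]


def triage(freeze_lines, requires, log_lines) -> dict:
    """Run all three checks and return a summary dict."""
    pins = parse_freeze(freeze_lines)
    return {
        "affected": affected_pins(pins),
        "dependents": dependents_of("litellm", requires),
        "exfil_hits": scan_for_exfil_domain(log_lines),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_FREEZE, SAMPLE_REQUIRES, SAMPLE_DNS_LOG))
    # Against the live environment instead of the constructed sample:
    # print(dependents_of("litellm", installed_requires()))
```

A non-empty `affected` or `exfil_hits` result is the cue to follow the PyPA advice above: treat every credential reachable from that machine as compromised and rotate it, rather than only uninstalling the package. The `dependents` list shows why pinning only the direct package is not enough; any dependent that resolves litellm without an upper bound would have pulled the bad release in.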

Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.