Case title (English, concise) / 英文标题
LiteLLM PyPI Supply Chain Poisoning
中文标题(可选)
LiteLLM PyPI 供应链投毒事件
Submission bucket / 投稿类型
case (confirmed)
Risk category / 风险类别
supply-chain — Hallucination & Supply Chain
Severity / 严重度
high
Severity basis / 严重度依据
quantifiable-impact
CVE (if any)
N/A
AI tools involved / 涉及的 AI 工具
LiteLLM
TL;DR (one sentence) / 一句话摘要
Malicious LiteLLM 1.82.7/1.82.8 PyPI releases stole credentials and added host or Kubernetes persistence.
References / 参考来源
https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/
https://www.ionix.io/threat-center/litellm-supply-chain-compromise-backdoored-pypi-packages-1-82-7-1-82-8/
https://www.bitsight.com/blog/litellm-versions-1-82-7-1-82-8-supply-chain-compromise
https://www.itpro.com/security/litellm-pypi-compromise-everything-we-know-so-far
https://developer.aliyun.com/article/1719859
AI-attribution evidence / AI 参与证据
This is an AI toolchain supply-chain incident rather than a confirmed case of AI-generated code introducing a vulnerability. The public evidence links the incident to LiteLLM, a Python LLM gateway commonly used to route requests to OpenAI, Anthropic, Azure, Vertex AI and other model providers. The risk is AI-specific because the poisoned dependency sits in AI application infrastructure and may expose model API keys, cloud credentials, Kubernetes credentials, and other secrets used by AI services.
Details / 详情
On 2026-03-24, public security reports disclosed that LiteLLM versions 1.82.7 and 1.82.8 on PyPI had been maliciously published or compromised. The reported malicious behavior included Python startup-hook execution, credential and host information collection, encrypted exfiltration, persistence on regular hosts, and Kubernetes-oriented persistence or lateral movement behavior.
LiteLLM is often deployed as a unified LLM gateway in production environments. It may hold API keys for multiple model providers, cloud credentials, database connection strings, and Kubernetes service credentials. Therefore, a poisoned LiteLLM package can affect more than a local development environment. It may expose credentials used by downstream AI applications and infrastructure.
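Two defender-side checks for this case, added here as constructed example code rather than anything from the reports or the LiteLLM project: one flags requirements entries that pin or could float onto the compromised 1.82.7/1.82.8 releases, the other lists `import` lines in site-packages `.pth` files, which Python's `site` module executes at interpreter startup. Treating `.pth` files as the startup-hook mechanism is an assumption (the page does not say how the hook was planted), and the function names are this example's own.

```python
"""Defensive checks for the LiteLLM 1.82.7/1.82.8 PyPI compromise (constructed example)."""
from __future__ import annotations

import re
from pathlib import Path

# Versions the case record identifies as malicious.
KNOWN_BAD_VERSIONS = {"1.82.7", "1.82.8"}

# Python's site module executes any line in a *.pth file that starts with
# "import" when the interpreter starts, so such lines are a startup-hook vector.
# (Assumption: that is the hook mechanism used here; the reports are not quoted.)
_PTH_EXEC = re.compile(r"^\s*import\b")

# requirements.txt line for litellm, with optional extras, spec and comment.
_REQ = re.compile(r"^\s*litellm(\[[^\]]*\])?\s*(?P<spec>[^#]*?)\s*(#.*)?$", re.IGNORECASE)


def is_known_bad_version(version: str) -> bool:
    """True if a litellm version string matches a compromised release."""
    return version.strip() in KNOWN_BAD_VERSIONS


def audit_requirement(line: str) -> str:
    """Classify a requirements line: 'bad', 'unpinned', 'ok', or 'other' (not litellm)."""
    m = _REQ.match(line)
    if not m:
        return "other"
    pin = re.fullmatch(r"==\s*([\w.]+)", m.group("spec"))
    if pin is None:
        return "unpinned"  # a floating spec can resolve to a bad release
    return "bad" if is_known_bad_version(pin.group(1)) else "ok"


def pth_exec_lines(pth_text: str) -> list[str]:
    """Return the lines of a .pth file that the interpreter would execute."""
    return [ln.rstrip() for ln in pth_text.splitlines() if _PTH_EXEC.match(ln)]


def scan_site_packages(site_packages: Path) -> dict[str, list[str]]:
    """Map each .pth file under site_packages to its executable import lines."""
    hits: dict[str, list[str]] = {}
    for pth in sorted(site_packages.glob("*.pth")):
        lines = pth_exec_lines(pth.read_text(errors="replace"))
        if lines:
            hits[pth.name] = lines
    return hits


if __name__ == "__main__":
    import site
    for sp in site.getsitepackages():  # review every import-bearing .pth on this host
        for name, lines in scan_site_packages(Path(sp)).items():
            print(f"{sp}/{name}: {lines}")
```

Any `.pth` import line that is not from a package you knowingly installed (editable installs and a few well-known tools use them legitimately) deserves a look, and a `bad` or `unpinned` result should be fixed before the next deploy.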
A draft PR with the normalized case files has been prepared here:
#2
Pre-flight self-check / 投稿前自查
How would you like to be credited? / 您希望如何署名?
Y0uYuGe