ON 24 March 2026, StepSecurity reported a critical supply chain compromise in litellm==1.82.8: the PyPI package contains a malicious litellm_init.pth file that auto-executes a multi-stage credential stealer every time the Python interpreter starts, an issue disclosed in BerriAI/litellm#24512. The payload includes a 34,628‑byte litellm_init.pth listed in the package’s RECORD with a SHA-256 hash, indicating it was injected at publish time rather than through post-publish tampering.
The attack unfolds in three stages: a mass credential harvester that exfiltrates secrets via AES-256/RSA-4096 encrypted payloads to a C2 at models.litellm[.]cloud, a parallel persistence backdoor named sysmon[.]py registered as a systemd user service, and Kubernetes lateral movement that can deploy a privileged pod to every node to install the backdoor on the host OS.
Remediation calls for rotating all credentials, checking for the malicious .pth file and persistence backdoor, auditing Kubernetes clusters, and upgrading litellm to a clean version. Actions in CI/CD pipelines should assume secrets were exfiltrated and rotated accordingly.