ACCORDING to Securelist, a supply-chain attack in March 2026 saw malicious code injected into the Python library LiteLLM, with two trojanised versions, litellm==1.82.7 and litellm==1.82.8, uploaded to the PyPI repository on 24 March 2026. The attackers aimed at servers storing confidential data across AWS, Kubernetes, and NPM, as well as various databases such as MySQL, PostgreSQL and MongoDB, with a particular focus on database configurations.
The malware’s payload, delivered as Base64-encoded Python code, encrypted its output with AES-256-CBC and encrypted the session key with a pre-initialised RSA key before sending the resulting archive to a remote C2 server. A notable feature is its multi-stage persistence: after initial execution, it can deploy a privileged pod in Kubernetes or register a systemd service for local persistence, so that payloads can keep being updated even after the original container is terminated.
The campaign also targeted cloud runtime secrets through IMDS and ECS access points, and victims were observed across Russia, China, Brazil, the Netherlands and the UAE. OpenVSX variants and trojanised Checkmarx extensions further extended its reach, with the Node.js version persisting locally rather than escalating privileges.
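As an added defender-side check (not code from Securelist or the LiteLLM project), the script below scans a requirements file for lines that pin, or could resolve to, the two trojanised releases named above; the only page-derived data is the version table, and the sample requirements file is constructed for the example.

```python
import re
# Releases named in the Securelist report; the only page-derived data in this example.
COMPROMISED = {"litellm": ("1.82.7", "1.82.8")}
REQ_RE = re.compile(r"([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?\s*(.*)")   # name[extras] spec
CLAUSE_RE = re.compile(r"\s*(==|!=|<=|>=|<|>|~=)\s*([0-9.]+)\s*")

def parse_version(text):
    """'1.82.7' -> (1, 82, 7); release segments only, which is all this check needs."""
    return tuple(int(p) for p in text.strip(".").split("."))

def spec_allows(spec, version):
    """True if a specifier set (==, !=, <, <=, >, >=, ~= clauses joined by ',') could resolve
    to `version`. Empty spec means unpinned; unknown clause syntax is conservatively allowed."""
    v = parse_version(version)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = CLAUSE_RE.fullmatch(clause)
        if not m:
            continue
        op, t = m.group(1), parse_version(m.group(2))
        ok = {"==": v == t, "!=": v != t, "<": v < t, "<=": v <= t, ">": v > t,
              ">=": v >= t, "~=": v >= t and v[:len(t) - 1] == t[:-1]}[op]
        if not ok:
            return False
    return True

def find_compromised(requirements_text):
    """Return (name, spec, bad_version) for every line that could install a bad release."""
    hits = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = REQ_RE.match(line)
        if not line or line.startswith("-") or not m:
            continue  # blank, comment-only, an option such as --index-url, or unparsable
        name, spec = m.groups()
        name = name.lower().replace("_", "-")   # normalise the distribution name
        for bad in COMPROMISED.get(name, ()):
            if spec_allows(spec, bad):
                hits.append((name, spec or "<unpinned>", bad))
    return hits

# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
litellm==1.82.7              # exact pin to a trojanised release
litellm[proxy]>=1.82,<1.83   # range that resolves to either bad release
litellm==1.82.9              # safe pin
litellm!=1.82.7,!=1.82.8     # both bad releases excluded
LiteLLM                      # unpinned: the resolver may pick either
"""
```

Run `find_compromised` over a real requirements file or the output of `pip freeze`; each hit names the line's specifier and the compromised release it could pull in.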