A malicious version of litellm, a popular Python library for managing large language model API calls, was published to the Python Package Index overnight and quarantined within hours, but the compromise highlights a particularly insidious feature of the Python packaging ecosystem that made the attack harder to detect than a typical supply-chain breach.
The library, litellm version 1.82.8, was published to PyPI at 10:52 UTC on March 24 and contained a malicious file called litellm_init.pth. According to Simon Willison's analysis, that file type is a Python path configuration file that executes automatically every time the Python interpreter starts on the machine, regardless of whether the litellm library itself is ever imported. In other words, simply having the package installed was enough to trigger the malicious code. Version 1.82.7 has also been confirmed compromised, according to the LiteLLM team GitHub issue.
Once activated, the code sifts through the infected system and exfiltrates credentials and secrets from more than 30 locations. The list runs from the obvious ones, SSH keys and git credentials, to AWS and Kubernetes configuration, Docker credentials, npmrc tokens, Vault session files, and into cryptocurrency wallet directories. The stolen data is transmitted to a hardcoded IP address. The LiteLLM maintainers posted a detailed breakdown on GitHub.
The developers who should be most concerned are those running litellm in production. The library is widely used to proxy and manage LLM API calls across multiple providers, which means a production deployment of litellm almost certainly has API keys for OpenAI, Anthropic, and other services sitting in its environment. If that environment ran litellm 1.82.7 or 1.82.8, those keys should be treated as compromised and rotated immediately.
PyPI quarantined the package quickly, limiting the exposure window to a matter of hours. The fix is to update to litellm 1.82.9 and rotate every credential that existed on any machine where the compromised versions were installed. The GitHub issue also includes a site-packages check to confirm whether litellm_init.pth is present on a given system.
The .pth technique is not new, but it is an underappreciated risk in the Python packaging ecosystem. Unlike a malicious import statement, a .pth file fires without any explicit interaction from the developer or any call to the compromised library. It is a quiet persistence mechanism that works at the operating system level once the package is installed. Anyone running automated CI/CD pipelines that pull Python dependencies on a schedule should treat this as a reminder that unverified updates in a production environment are a supply-chain exposure, not just a licensing question.
