
AI Security

LiteLLM Supply Chain Attack: Are You Affected? What to Do Now

By Connie  ·  April 1, 2026  ·  8 min read

Security Alert — Action Required

LiteLLM versions 1.82.7 and 1.82.8 were compromised on March 24, 2026 by the TeamPCP threat group. If you installed or upgraded LiteLLM between 10:39 UTC and 16:00 UTC on March 24, or pinned either of those versions at any time, treat every secret that environment could reach as compromised and rotate it immediately. This article explains how to detect and remediate.

By the numbers:
    97M               LiteLLM monthly downloads
    1.82.7 / 1.82.8   compromised versions
    4TB               data claimed stolen from Mercor
    $10B              Mercor valuation (first confirmed victim)

What Happened: Timeline of the Attack

On March 24, 2026, the threat actor group TeamPCP compromised the PyPI publishing credentials of BerriAI — the company behind LiteLLM, the widely used open-source library that provides a unified interface to 100+ LLM APIs. Using those credentials, they published two malicious versions of the package: 1.82.7 and 1.82.8.

Date / Time             Event
Mar 24, 10:39 UTC       TeamPCP publishes malicious LiteLLM 1.82.7 to PyPI
Mar 24, ~12:00 UTC      Malicious version 1.82.8 also published
Mar 24, 16:00 UTC       PyPI security team quarantines the project
Mar 25, 2026            Datadog Security Labs and ReversingLabs publish analysis
Mar 31, 2026            BerriAI resumes publishing after Mandiant forensic audit
Mar 31 / Apr 1, 2026    Mercor ($10B AI startup) confirms breach, the first public victim
Apr 1, 2026             Lapsus$ claims 4TB stolen from Mercor on its leak site

The attack is part of a larger TeamPCP campaign that also compromised PyPI packages for Trivy (a security scanner used in CI/CD pipelines), Checkmarx (a code security tool), and Telnyx (a cloud communications SDK). The common thread: all are infrastructure tools embedded deep in developer workflows, giving the malware maximum opportunity to harvest credentials from build systems, CI/CD environments, and production servers.

What the Malware Did

The malicious LiteLLM versions contained a 3-stage backdoor nearly identical to the payloads used in the Trivy and Checkmarx compromises — suggesting all are from the same threat actor with a consistent toolkit.

Stage 1, credential harvest: reads secrets from hardcoded file paths at install time.
    Targets: ~/.aws/credentials, .env files, SSH keys, Docker config
Stage 2, memory scan: inspects process memory for in-memory secrets, selecting processes by name.
    Targets: running Python processes, CI/CD agents, Kubernetes pods
Stage 3, persistence: installs litellm_init.pth in site-packages. Python's site.py executes any line in a .pth file that begins with "import" at every interpreter start, so the payload re-runs in every future Python process.
    Targets: all future Python processes on the infected machine

The C2 (command-and-control) exfiltration domain used was models[.]litellm.cloud — chosen specifically to blend in with legitimate LiteLLM traffic. A residual reference to checkmarx[.]zone in the persistence code links it to the earlier Checkmarx attack in the same campaign.


Am I Affected? Detection Checklist

Run through this checklist now if your organization uses LiteLLM in any capacity — production, staging, CI/CD, local development, or Docker images.

1. Check your installed LiteLLM version
Run the following in every environment where LiteLLM is installed. pip show only reports the environment it runs in, so repeat it for each virtual environment, uv or conda environment, container image and system Python:
    pip show litellm
    # Look for: Version: 1.82.7 or 1.82.8 → COMPROMISED

2. Check for the persistence artifact
The malware installs a .pth file for persistence. Search for it:
    # Python virtual environments under the current directory
    find . -name "litellm_init.pth"
    # uv cache
    find ~/.cache/uv -name "litellm_init.pth"
    # System and user site-packages
    find /usr /usr/local /opt ~/.local -name "litellm_init.pth" 2>/dev/null

3. Check CI/CD pipelines and Docker images
Any pipeline or image that ran an unpinned 'pip install litellm' (or 'pip install -U litellm') between 10:39 and 16:00 UTC on March 24 resolved to a malicious version, as did any install pinned to 1.82.7 or 1.82.8. Check pipeline and image build logs for that window, and search your dependency files for the two versions (the pattern below matches 1.82.7 and 1.82.8 only, not 1.82.0 or 1.82.70):
    # Example: check Dockerfiles and requirements files for a bad pin
    grep -rE "litellm==1\.82\.[78]([^0-9]|$)" ./Dockerfile ./requirements*.txt
    # Lock files record the version on the line after the package name
    grep -A1 'name = "litellm"' uv.lock poetry.lock 2>/dev/null

4. Block the C2 domains at your firewall
Block outbound connections (and DNS resolution) to the C2 domains now, whether or not you have found evidence of compromise. Blocking costs nothing, and a block rule that logs gives you a list of hosts still trying to reach them:
    # Block these domains:
    #   models.litellm.cloud
    #   checkmarx.zone
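The host-side checks above as one script, added here as an example; it is not code from LiteLLM, BerriAI or any of the reports cited below. It assumes only the version numbers and the litellm_init.pth file name given in the article. The tree it builds in run_demo() is a constructed sample, not a real infection. Because site.py executes any .pth line that begins with "import", the scan also reports other import-style .pth files for review; setuptools, virtualenv and editable installs ship legitimate ones, so those are flagged as "review", not as compromised.

```python
"""Triage for the LiteLLM 1.82.7 / 1.82.8 compromise (added example)."""
import re
import site
import sys
import tempfile
from importlib import metadata
from pathlib import Path

COMPROMISED_VERSIONS = {"1.82.7", "1.82.8"}       # from the article
PERSISTENCE_FILENAME = "litellm_init.pth"         # from the article
# site.py executes any .pth line that begins with "import" at every
# interpreter start; that is the mechanism the stage 3 persistence relies on.
PTH_EXEC_LINE = re.compile(r"^\s*import\b")
# requirements-style pin: litellm==1.82.7 (but not 1.82.0 or 1.82.70)
REQ_PIN = re.compile(r"\blitellm\s*==\s*(1\.82\.[78])(?![.\d])")
# uv.lock / poetry.lock style stanza: name = "litellm" then version = "..."
LOCK_PIN = re.compile(r'name\s*=\s*"litellm"\s+version\s*=\s*"(1\.82\.[78])"')


def installed_litellm_version():
    """Version of litellm importable by *this* interpreter, or None."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def version_is_compromised(version):
    return version is not None and version.strip() in COMPROMISED_VERSIONS


def default_site_dirs():
    """site-packages directories visible to this interpreter."""
    dirs = [p for p in sys.path if p.endswith(("site-packages", "dist-packages"))]
    if hasattr(site, "getsitepackages"):
        dirs += site.getsitepackages()
    dirs.append(site.getusersitepackages())
    return sorted(set(dirs))


def find_suspicious_pth(site_dirs):
    """Return (path, reason) for the known artifact and for any other .pth
    that executes code at startup (those need a human look, not deletion)."""
    findings = []
    for d in map(Path, site_dirs):
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            if pth.name == PERSISTENCE_FILENAME:
                findings.append((str(pth), "known persistence artifact"))
                continue
            try:
                text = pth.read_text(errors="replace")
            except OSError:
                continue
            if any(PTH_EXEC_LINE.match(line) for line in text.splitlines()):
                findings.append((str(pth), "review: executes code at interpreter start"))
    return findings


def find_pinned_compromised(files):
    """Scan requirements and lock files for pins to the compromised versions."""
    hits = []
    for f in map(Path, files):
        if not f.is_file():
            continue
        text = f.read_text(errors="replace")
        hits += [(str(f), m.group(1)) for m in REQ_PIN.finditer(text)]
        hits += [(str(f), m.group(1)) for m in LOCK_PIN.finditer(text)]
    return hits


def triage(site_dirs=None, pin_files=()):
    version = installed_litellm_version()
    dirs = site_dirs if site_dirs is not None else default_site_dirs()
    return {
        "installed_version": version,
        "installed_compromised": version_is_compromised(version),
        "pth_findings": find_suspicious_pth(dirs),
        "pinned_compromised": find_pinned_compromised(pin_files),
    }


def run_demo():
    """Build a constructed sample tree (not a real infection) and triage it."""
    root = Path(tempfile.mkdtemp(prefix="litellm-triage-"))
    sp = root / "venv" / "lib" / "python3.12" / "site-packages"
    sp.mkdir(parents=True)
    (sp / PERSISTENCE_FILENAME).write_text("import litellm_init\n")           # constructed artifact
    (sp / "distutils-precedence.pth").write_text("import _distutils_hack\n")   # benign setuptools file
    (sp / "easy-install.pth").write_text("./somepkg\n")                        # path-only, harmless
    (root / "requirements.txt").write_text("requests==2.32.3\nlitellm==1.82.7\n")
    (root / "uv.lock").write_text('[[package]]\nname = "litellm"\nversion = "1.82.8"\n')
    (root / "old.txt").write_text("litellm==1.82.0\n")                         # safe pin, must not match
    return triage([sp], [root / "requirements.txt", root / "uv.lock", root / "old.txt"])


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it once per interpreter (system Python, each venv, inside each container image) because the installed-version check and the default site-packages list are specific to the interpreter that runs it; pass explicit paths to triage() to scan another environment's site-packages from outside it.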

If You Are Affected: Remediation Steps

If you find evidence of compromise, act in this order:

  1. Isolate the affected system — take it offline or block outbound traffic immediately. Do not continue running workloads on a confirmed compromised host.
  2. Rotate all credentials — assume every secret the affected machine had access to is compromised: AWS/GCP/Azure API keys, OpenAI/Anthropic/Gemini API keys, database passwords, GitHub tokens, Kubernetes service accounts, .env variables. Do the rotation from a clean machine, not from the compromised one.
  3. Remove the persistence artifact — delete every litellm_init.pth found in site-packages directories and uv caches. Do this before reinstalling anything: pip replaces the litellm package files but leaves the .pth file in place, so an in-place upgrade on its own does not stop the payload from running.
  4. Upgrade LiteLLM — preferably by rebuilding the environment or container image from a clean base and pinning a version that BerriAI published after resuming releases on March 31, 2026 (post-Mandiant audit). If you must upgrade in place on an isolated host:
    pip install --upgrade litellm
  5. Audit your access logs — review outbound network connections and DNS lookups for models.litellm.cloud and checkmarx.zone dating back to March 24. Treat any connection to these domains as evidence that the payload executed and attempted exfiltration, and widen the credential rotation to every secret the connecting host could reach.
  6. File an incident report — if you handle personal data (GDPR, CCPA, HIPAA jurisdictions), a supply chain breach of this nature may trigger mandatory breach notification requirements.
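Step 5 as detection logic run over log lines, added here as an example; it is not code from the project or from the cited reports. The log format it parses (ISO-8601 UTC timestamp, then src=, dst= and bytes_out= fields) is a constructed generic one and the sample lines are constructed; adapt parse_line() to whatever your proxy, DNS resolver or NetFlow export emits. The IOC domains and the start of the window are the ones the article gives. The point worth copying is the suffix match in host_matches_ioc(): it anchors on a leading dot so that subdomains of the C2 hosts are caught while lookalikes that merely contain the string are not.

```python
"""Audit outbound-connection logs for the LiteLLM campaign C2 domains (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Indicators named in the article
C2_DOMAINS = ("models.litellm.cloud", "checkmarx.zone")
# Start of the window in which the malicious versions were on PyPI
ATTACK_START = datetime(2026, 3, 24, 10, 39, tzinfo=timezone.utc)

# Constructed generic format; replace with your own export's layout.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+bytes_out=(?P<bytes>\d+)\s*$"
)


def host_matches_ioc(host):
    """Exact match or subdomain of an IOC domain. The suffix test anchors on a
    dot so models.litellm.cloud.evil.example and notcheckmarx.zone do not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def parse_line(line):
    """One log line -> dict, or None when the line is not in the expected format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "bytes": int(m["bytes"])}


def audit(lines, since=ATTACK_START):
    """Return C2 contacts inside the window, contacts before it (which contradict
    the IOC timeline and need a separate look), bytes sent per source host, and
    a count of lines the parser could not read (so gaps in coverage are visible)."""
    hits, out_of_window, bytes_by_src, malformed = [], [], defaultdict(int), 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if not host_matches_ioc(rec["dst"]):
            continue
        if rec["ts"] < since:
            out_of_window.append(rec)
            continue
        hits.append(rec)
        bytes_by_src[rec["src"]] += rec["bytes"]
    return {
        "hits": hits,
        "out_of_window": out_of_window,
        "bytes_by_src": dict(bytes_by_src),
        "malformed": malformed,
    }


# Constructed sample log: normal traffic, true C2 contacts (one upper-cased with a
# trailing dot, one to a subdomain), two lookalikes, one pre-window contact, one bad line.
SAMPLE_LOG = """\
2026-03-23T09:00:00Z src=10.0.4.12 dst=api.openai.com bytes_out=812
2026-03-22T08:15:00Z src=10.0.9.40 dst=models.litellm.cloud bytes_out=300
2026-03-24T11:02:17Z src=10.0.4.12 dst=models.litellm.cloud bytes_out=48213
2026-03-24T11:02:19Z src=10.0.4.12 dst=MODELS.LITELLM.CLOUD. bytes_out=120
2026-03-24T11:05:00Z src=10.0.7.3 dst=cdn.checkmarx.zone bytes_out=9001
2026-03-24T11:06:00Z src=10.0.7.3 dst=models.litellm.cloud.evil.example bytes_out=50
2026-03-24T11:07:00Z src=10.0.7.3 dst=notcheckmarx.zone bytes_out=50
this line is not in the expected format
"""


if __name__ == "__main__":
    result = audit(SAMPLE_LOG.splitlines())
    for rec in result["hits"]:
        print(f"{rec['ts'].isoformat()} {rec['src']} -> {rec['dst']} ({rec['bytes']} bytes)")
    print("bytes per source:", result["bytes_by_src"])
    print("pre-window contacts:", len(result["out_of_window"]), "unparsed lines:", result["malformed"])
```

Every source address in bytes_by_src is a host whose secrets go on the rotation list from step 2; a non-zero malformed count means part of the log was not checked, so fix the parser before concluding a host is clean.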

The Mercor Breach: What Was Stolen

Mercor, the AI-powered recruiting startup valued at $10 billion, is the first company to publicly confirm it was victimized by the LiteLLM supply chain attack. In a statement to TechCrunch on March 31 / April 1, the company said it was "one of thousands of companies" affected and has engaged third-party forensic experts.

Extortion group Lapsus$ separately claimed responsibility for the breach and posted on its leak site, alleging theft of approximately 4TB of data:

Data category                      Size claimed   Privacy implications
Source code                        939 GB         IP theft, further attack vectors
User database                      211 GB         PII exposure: job seekers, employers
Video interviews + identity docs   3 TB           Biometric data, passport scans; GDPR/CCPA notification trigger
Tailscale VPN configuration        Unknown        Internal network access potentially exposed

Note on Lapsus$ claims

Lapsus$ claims should be treated as unverified until Mercor publishes forensic results. Extortion groups routinely inflate theft claims for leverage. Mercor has not confirmed the 4TB figure. Nonetheless, organizations that used Mercor and had identity or biometric data in the platform should monitor for breach notifications.

Why This Attack Pattern Is So Dangerous for AI Companies

LiteLLM occupies a uniquely dangerous position in the AI stack. It is not a peripheral library — it is a core infrastructure layer that sits between your application and every LLM API key you use. A compromised LiteLLM installation has direct access to:

  • OpenAI, Anthropic, Google Gemini, Mistral, and other LLM API keys
  • Database credentials (the LiteLLM proxy stores its virtual keys and spend logs in a database, so a DATABASE_URL is usually present in the same environment)
  • Cloud provider credentials (AWS, GCP, Azure) in the same environment
  • Customer data passing through AI pipelines

With 97 million monthly downloads and deep integration into AI startup tech stacks, LiteLLM was an extremely high-value target. The TeamPCP group targeted it for the same reason they targeted Trivy and Checkmarx: tools that developers install without scrutiny, that run with broad system access, and that touch secrets by design.

The broader lesson: the AI development ecosystem has accumulated significant supply chain risk. The speed at which AI companies adopt new libraries, often without internal security review, creates a large attack surface. Pinning dependency versions, verifying hashes at install time (for pip, 'pip install --require-hashes -r requirements.txt' with hashes generated by 'pip-compile --generate-hashes'; for uv or poetry, committing the lock file), and auditing new installs before production deployment are no longer optional practices for AI companies.


Frequently Asked Questions

Which LiteLLM versions were compromised?

Versions 1.82.7 and 1.82.8 were compromised. The attack occurred on March 24, 2026, between 10:39 UTC and 16:00 UTC. If you installed or upgraded LiteLLM during that window, your environment is potentially compromised. Both versions have been removed from PyPI.

How do I check if my system was affected?

Run 'pip show litellm' to check your installed version. If it shows 1.82.7 or 1.82.8, you are affected. Also run 'find ~/.cache/uv -name "litellm_init.pth"' to check uv caches. Inspect all virtual environments and CI/CD pipelines that may have installed LiteLLM on March 24, 2026.

What did the LiteLLM malware do?

The malware was a 3-stage infostealer. Stage 1 harvested credentials from hardcoded file paths. Stage 2 scanned process memory for secrets. Stage 3 established persistence via a .pth file and exfiltrated data to C2 domain models[.]litellm.cloud. It targeted cloud credentials, API keys, database passwords, and environment variables.

What is LiteLLM and why does this matter?

LiteLLM is an open-source Python library that provides a unified interface to 100+ LLM APIs (OpenAI, Anthropic, Gemini, etc.). With 97 million monthly downloads, it is one of the most widely used libraries in AI development. A supply chain compromise means any company that installed the affected version during the attack window may have had their API keys and credentials stolen.

Sources
  • Jagmeet Singh, TechCrunch — "Mercor says it was hit by cyberattack tied to compromise of open-source LiteLLM project" (March 31, 2026)
  • Datadog Security Labs — "LiteLLM and Telnyx compromised on PyPI: Tracing the TeamPCP supply chain campaign" (March 24, 2026)
  • ReversingLabs — "Inside the TeamPCP cascading supply chain attack" (March 30, 2026)
  • LiteLLM official security update — docs.litellm.ai/blog/security-update-march-2026
  • Help Net Security — "LiteLLM PyPI packages compromised in expanding TeamPCP supply chain attacks" (March 25, 2026)
  • Kaspersky — "Trojanization of Trivy, Checkmarx, and LiteLLM solutions" (March 26, 2026)