LiteLLM compromised: supply-chain attack hit the popular LLM proxy


LiteLLM, the widely-used Python package that provides a unified interface to 100+ LLM APIs, was compromised in a supply-chain attack. The incident, reported in GitHub issue #24512 and drawing 552 points on Hacker News, affects a package that by design holds API keys for OpenAI, Anthropic, Azure, and dozens of other providers — making it an exceptionally high-value target.

What makes this particularly nasty: LiteLLM isn't some obscure utility. It's a core dependency in thousands of AI pipelines, LLM gateways, and production proxy setups. If you run `litellm --model gpt-4` or use it as a proxy server, the package has direct access to every API key you've configured. A compromised version could exfiltrate credentials silently — and the attacker would get keys to every LLM provider you use in a single grab.

This follows a pattern we've seen accelerating in 2025-2026: attackers targeting AI/ML packages specifically because they sit at a trust boundary where credentials are abundant. PyPI supply-chain attacks have hit ultralytics, pytorch-nightly, and other ML packages before. But LiteLLM's role as a credential aggregator makes it arguably the highest-leverage target in the LLM tooling ecosystem.

What to do right now:

1. Check which version of litellm you have installed (`pip show litellm`). Cross-reference against the affected versions listed in the GitHub issue.
2. If you're running an affected version: rotate every API key that LiteLLM had access to. Not tomorrow — now. That means OpenAI, Anthropic, Azure, Cohere, and any other provider you've configured.
3. Pin your dependencies. If you're pulling `litellm` without a version pin in production, this is the wake-up call.
4. Audit your install source. Verify you're pulling from the official PyPI package and not a typosquat variant.
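One way to script steps 1, 3 and 4, as an added example that is not code from the LiteLLM project or the GitHub issue. `AFFECTED_VERSIONS` is a placeholder to fill in from the issue, and the function names and finding codes (`unpinned`, `affected`, `no-hash`) are hypothetical.

```python
import json
import re
import sys
from importlib import metadata

# Placeholder: copy the affected versions from the GitHub issue (not listed on this page).
AFFECTED_VERSIONS = {"<affected-version-from-issue>"}

def normalize(name):
    # PEP 503 normalization, so "LiteLLM" and "litellm" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(text, package="litellm", affected=AFFECTED_VERSIONS):
    """Return (code, line) findings for `package` in requirements.txt content."""
    findings = []
    # Join backslash continuations so --hash options stay with their requirement.
    for raw in re.sub(r"\\\s*\n", " ", text).splitlines():
        line = raw.split(" #")[0].strip()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)", line)
        if not m or normalize(m.group(1)) != normalize(package):
            continue
        spec = m.group(3)
        # Only an exact "==X.Y.Z" counts as a pin; ranges and "==1.*" do not.
        pin = re.match(r"==\s*([0-9][^\s;,*]*)\s*(?:;|--|$)", spec)
        if not pin:
            findings.append(("unpinned", line))
        elif pin.group(1) in affected:
            findings.append(("affected", line))
        if "--hash=" not in spec:
            findings.append(("no-hash", line))  # pip cannot verify the artifact
    return findings

def installed_status(package="litellm", affected=AFFECTED_VERSIONS):
    """Installed version, affected flag, and PEP 610 direct-URL origin (if any)."""
    try:
        dist = metadata.distribution(package)
    except metadata.PackageNotFoundError:
        return None
    direct = dist.read_text("direct_url.json")  # present only for URL/VCS/path installs
    return {"version": dist.version,
            "affected": dist.version in affected,
            "direct_url": json.loads(direct).get("url") if direct else None}

if __name__ == "__main__":
    print(installed_status())
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            for code, line in audit_requirements(fh.read()):
                print(f"{code}: {line}")
```

A non-null `direct_url` means the installed copy came from a URL, VCS checkout or local path rather than being resolved by name from an index, which is worth checking against what you intended to install.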

The broader lesson isn't new but keeps getting more expensive: the Python packaging ecosystem's trust model doesn't match the threat landscape. PyPI accounts protected by a password are a single point of failure for packages that handle credentials worth thousands of dollars per month. Mandatory 2FA for critical packages (which PyPI has been rolling out) can't come fast enough.

We'll update this as more details emerge from the maintainers' post-mortem. The GitHub issue thread is active and worth following directly.

Hacker News 552 pts 222 comments

LiteLLM Python package compromised by supply-chain attack

detente18 · Hacker News

LiteLLM maintainer here, this is still an evolving situation, but here's what we know so far: 1. Looks like this originated from the trivy used in our ci/cd - https://github.com/search?q=repo%3ABerriAI%2Flitellm%20trivy... https://ramimac.me/trivy-teampcp/

jFriedensreich · Hacker News

We just can't trust dependencies and dev setups. I wanted to say "anymore" but we never could. Dev containers were never good enough, too clumsy and too little isolation. We need to start working in full sandboxes with defence in depth that have real guardrails and UIs like vm isolati

ramimac · Hacker News

This is tied to the TeamPCP activity over the last few weeks. I've been responding, and keeping an up to date timeline. I hope it might help folks catch up and contextualize this incident: https://ramimac.me/trivy-teampcp/#phase-09

eoskx · Hacker News

Also, not surprising that LiteLLM's SOC2 auditor was Delve. The story writes itself.

hiciu · Hacker News

Besides the main issue here, and the owner's account being possibly compromised as well, there's like 170+ low quality spam comments in there. I would expect a better spam detection system from GitHub. This is hardly acceptable.
