The LiteLLM Malware Attack: What AI Developers Must Know

March 27, 2026 | Security, AI Infrastructure

On March 24, 2026, a developer's laptop froze with 11,000 Python processes. What looked like a bug turned out to be a supply chain attack in one of AI's most popular packages.

        TL;DR: litellm version 1.82.8 on PyPI contained malware that stole SSH keys, AWS credentials, GCP secrets, Kubernetes tokens, crypto wallets, and more. It self-replicated into a fork bomb that crashed systems.
    

What Happened

LiteLLM is a widely-used Python package that provides a unified API for 100+ LLM providers. It's installed thousands of times daily. On March 24, version 1.82.8 was uploaded to PyPI containing a hidden payload:

litellm_init.pth - a file that executes on every Python startup
Stole credentials from SSH keys, AWS, GCP, Kubernetes, database passwords, crypto wallets
Exfiltrated data to models.litellm.cloud
Installed persistence via systemd services
Spread to Kubernetes cluster nodes via privileged pods
Self-replicated into a fork bomb (hence the 11k processes)

The Attack Timeline

10:52 UTC - Malicious package uploaded to PyPI

10:58 UTC - Victim's MCP server downloads litellm + 77 dependencies

11:07 UTC - Persistence installed, fork bomb begins

11:09 UTC - System crashes, hard power-off

11:13 UTC - Investigation begins with Claude Code

11:40 UTC - Malware identified

11:58 UTC - Confirmed live on PyPI, emails sent

12:02 UTC - Public disclosure published

From discovery to disclosure: less than an hour. This is the speed at which security now moves in the AI era.

How AI Helped Detect It

Here's the remarkable part: Claude Code helped analyze the entire attack in real-time. The victim used Claude Code to:

Parse macOS shutdown logs and identify frozen processes
Decode base64 payloads and trace execution chains
Search installed packages for the malicious .pth file
Identify the full scope of the attack (credential theft, persistence, Kubernetes spread)
Draft the public disclosure

This isn't just about AI writing code anymore. AI is now accelerating security research - both for attackers and defenders.

What This Means for AI Developers

1. Supply Chain Risk is Real

Every pip install is a trust decision. This attack was in a package with 20K+ GitHub stars. Popularity does not equal security.

2. .pth Files Are Dangerous

Python's site-packages .pth files execute arbitrary code on every Python startup. This is a known vector but rarely discussed. Check your environments.

3. MCP Servers Multiply Risk

The victim was infected through an MCP server that installed litellm. Every MCP server you run is an additional attack surface. Audit your MCP configurations.

How to Protect Yourself

# Check for suspicious .pth files
find ~/.local/lib/python*/site-packages -name "*.pth" -exec cat {} \;

# Check for unexpected systemd services
ls ~/.config/systemd/user/

# Use pip-audit to check for known vulnerabilities
pip install pip-audit
pip-audit

# Pin your dependencies
pip freeze > requirements.txt
# Review and pin specific versions

Additional Steps

Use ulimit -u 2048 to prevent fork bombs
Run untrusted packages in containers, not on your host
Monitor outgoing network connections (the malware phoned home)
Rotate credentials if you installed litellm recently
Use dependency pinning and hash verification

The Bigger Picture

The FutureSearch team noted something profound: "Developers not trained in security research can now sound the alarm at a much faster rate than previously. AI tooling has sped up not just the creation of malware but also the detection."

This attack was uploaded at 10:52 and detected by 11:40. In the pre-AI era, this could have gone undetected for weeks. The cat-and-mouse game just got faster.

For AI developers building with LLMs, agents, and MCP servers, the lesson is clear: your tools are now part of your attack surface. Every package, every MCP server, every agent action is a potential vector.

Secure Your AI Stack

Learn how to set up AI tools safely with proper isolation, dependency management, and security best practices.