Vulnerability-Lookup

MAL-2026-2144

Vulnerability from ossf_malicious_packages

Published

2026-03-24 22:11

Modified

2026-03-24 22:11

Summary

Malicious code in litellm (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: google-open-source-security (6a89401cbf53902e8374fbf3b424a77bb5e5f8c437176232eab7c3237d10ecbe)

LiteLLM was compromised through trivy security scan in a GitHub workflow. Attackers uploaded malicious versions of LiteLLM to PyPI. The malicious code would exfiltrate sensitive secrets to an attcker controlled domain.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "litellm"
      },
      "versions": [
        "1.82.7",
        "1.82.8"
      ]
    }
  ],
  "aliases": [
    "PYSEC-2026-2"
  ],
  "database_specific": {
    "iocs": {
      "domains": [
        "litellm.cloud"
      ],
      "urls": [
        "https://models.litellm.cloud/"
      ]
    },
    "malicious-packages-origins": [
      {
        "import_time": "2026-03-24T22:11:35.145201Z",
        "modified_time": "2026-03-24T22:11:32Z",
        "sha256": "6a89401cbf53902e8374fbf3b424a77bb5e5f8c437176232eab7c3237d10ecbe",
        "source": "google-open-source-security",
        "versions": [
          "1.82.7",
          "1.82.8"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: google-open-source-security (6a89401cbf53902e8374fbf3b424a77bb5e5f8c437176232eab7c3237d10ecbe)\nLiteLLM was compromised through trivy security scan in a GitHub workflow.\nAttackers uploaded malicious versions of LiteLLM to PyPI. The malicious\ncode would exfiltrate sensitive secrets to an attcker controlled domain.\n",
  "id": "MAL-2026-2144",
  "modified": "2026-03-24T22:11:32Z",
  "published": "2026-03-24T22:11:32Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://github.com/BerriAI/litellm/issues/24518"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/BerriAI/litellm/issues/24512"
    },
    {
      "type": "DISCUSSION",
      "url": "https://news.ycombinator.com/item?id=47501729"
    },
    {
      "type": "ARTICLE",
      "url": "https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign"
    },
    {
      "type": "ARTICLE",
      "url": "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in litellm (PyPI)"
}

PYSEC-2026-2

Vulnerability from pysec - Published: - Updated: 2026-03-24 15:35

Details

After an API Token exposure from an exploited Trivy dependency, two new releases of litellm were uploaded to PyPI containing automatically activated malware, harvesting sensitive credentials and files, and exfiltrating to a remote API.

The malicious code runs during importing any module from the package and scans the file system and environment variables, collecting all kinds of sensitive data, including but not limited to private SSH keys, credentials to Git and Docker repositories, dotenv files, tokens to Kubernetes service accounts, databases and LDAP configuration. Also exfiltrated are multiple shell history files and cryptowallet keys. The malware actively attempts to obtain cloud access tokens from metadata servers and retrieve secrets stored in AWS Secrets Manager. All collected data are sent to the domain models.litellm[.]cloud

Furthermore, the code includes a persistence mechanism by configuring a SystemD service unit masqueraded as "System Telemetry Service" on the host it runs on, and in a Kubernetes environment also by creating a new pod. The persistence script then contacts hxxps://checkmarx[.]zone/raw for further instructions.

Anyone who has installed and run the project should assume any credentials available to litellm environment may have been exposed, and revoke/rotate them accordingly. The affected environment should be isolated and carefully reviewed against any unexpected modifications and network traffic.

Impacted products

Name	purl
litellm	pkg:pypi/litellm

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "litellm",
        "purl": "pkg:pypi/litellm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.82.7"
            },
            {
              "last_affected": "1.82.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.82.7",
        "1.82.8"
      ]
    }
  ],
  "credits": [
    {
      "name": "Callum McMahon, Futuresearch",
      "type": "REPORTER"
    },
    {
      "name": "Mike Fiedler",
      "type": "COORDINATOR"
    },
    {
      "name": "Kamil Ma\u0144kowski",
      "type": "ANALYST"
    }
  ],
  "details": "After an API Token exposure from an exploited Trivy dependency,\ntwo new releases of `litellm` were uploaded to PyPI containing automatically activated malware,\nharvesting sensitive credentials and files, and exfiltrating to a remote API.\n\nThe malicious code runs during importing any module from the package and scans\nthe file system and environment variables, collecting all kinds of\nsensitive data, including but not limited to private SSH keys, credentials to Git and\nDocker repositories, dotenv files, tokens to Kubernetes service accounts,\ndatabases and LDAP configuration. Also exfiltrated are multiple shell history\nfiles and cryptowallet keys. The malware actively attempts to obtain cloud access tokens\nfrom metadata servers and retrieve secrets stored in AWS Secrets Manager.\nAll collected data are sent to the domain models.litellm[.]cloud\n\nFurthermore, the code includes a persistence mechanism by configuring\na SystemD service unit masqueraded as \"System Telemetry Service\" on the host it\nruns on, and in a Kubernetes environment also by creating a new pod.\nThe persistence script then contacts hxxps://checkmarx[.]zone/raw for\nfurther instructions.\n\nAnyone who has installed and run the project should assume\nany credentials available to litellm environment may have been exposed,\nand revoke/rotate them accordingly. The affected environment should be\nisolated and carefully reviewed against any unexpected modifications \nand network traffic.\n",
  "id": "PYSEC-2026-2",
  "modified": "2026-03-24T15:35:32Z",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1"
    },
    {
      "type": "EVIDENCE",
      "url": "https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/BerriAI/litellm/issues/24518"
    },
    {
      "type": "ARTICLE",
      "url": "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/"
    },
    {
      "type": "ARTICLE",
      "url": "https://www.wiz.io/blog/teampcp-attack-kics-github-action"
    },
    {
      "type": "ARTICLE",
      "url": "https://docs.litellm.ai/blog/security-update-march-2026"
    }
  ],
  "summary": "Two litellm versions published containing credential harvesting malware"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted