PYSEC-2026-2

Vulnerability from pysec - Published: - Updated: 2026-03-24 15:35
VLAI?
Details

After an API Token exposure from an exploited Trivy dependency, two new releases of litellm were uploaded to PyPI containing automatically activated malware, harvesting sensitive credentials and files, and exfiltrating to a remote API.

The malicious code runs during importing any module from the package and scans the file system and environment variables, collecting all kinds of sensitive data, including but not limited to private SSH keys, credentials to Git and Docker repositories, dotenv files, tokens to Kubernetes service accounts, databases and LDAP configuration. Also exfiltrated are multiple shell history files and cryptowallet keys. The malware actively attempts to obtain cloud access tokens from metadata servers and retrieve secrets stored in AWS Secrets Manager. All collected data are sent to the domain models.litellm[.]cloud

Furthermore, the code includes a persistence mechanism by configuring a SystemD service unit masqueraded as "System Telemetry Service" on the host it runs on, and in a Kubernetes environment also by creating a new pod. The persistence script then contacts hxxps://checkmarx[.]zone/raw for further instructions.

Anyone who has installed and run the project should assume any credentials available to litellm environment may have been exposed, and revoke/rotate them accordingly. The affected environment should be isolated and carefully reviewed against any unexpected modifications and network traffic.

Impacted products
Name purl
litellm pkg:pypi/litellm
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "litellm",
        "purl": "pkg:pypi/litellm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.82.7"
            },
            {
              "last_affected": "1.82.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.82.7",
        "1.82.8"
      ]
    }
  ],
  "credits": [
    {
      "name": "Callum McMahon, Futuresearch",
      "type": "REPORTER"
    },
    {
      "name": "Mike Fiedler",
      "type": "COORDINATOR"
    },
    {
      "name": "Kamil Ma\u0144kowski",
      "type": "ANALYST"
    }
  ],
  "details": "After an API Token exposure from an exploited Trivy dependency,\ntwo new releases of `litellm` were uploaded to PyPI containing automatically activated malware,\nharvesting sensitive credentials and files, and exfiltrating to a remote API.\n\nThe malicious code runs during importing any module from the package and scans\nthe file system and environment variables, collecting all kinds of\nsensitive data, including but not limited to private SSH keys, credentials to Git and\nDocker repositories, dotenv files, tokens to Kubernetes service accounts,\ndatabases and LDAP configuration. Also exfiltrated are multiple shell history\nfiles and cryptowallet keys. The malware actively attempts to obtain cloud access tokens\nfrom metadata servers and retrieve secrets stored in AWS Secrets Manager.\nAll collected data are sent to the domain models.litellm[.]cloud\n\nFurthermore, the code includes a persistence mechanism by configuring\na SystemD service unit masqueraded as \"System Telemetry Service\" on the host it\nruns on, and in a Kubernetes environment also by creating a new pod.\nThe persistence script then contacts hxxps://checkmarx[.]zone/raw for\nfurther instructions.\n\nAnyone who has installed and run the project should assume\nany credentials available to litellm environment may have been exposed,\nand revoke/rotate them accordingly. The affected environment should be\nisolated and carefully reviewed against any unexpected modifications \nand network traffic.\n",
  "id": "PYSEC-2026-2",
  "modified": "2026-03-24T15:35:32Z",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1"
    },
    {
      "type": "EVIDENCE",
      "url": "https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/BerriAI/litellm/issues/24518"
    },
    {
      "type": "ARTICLE",
      "url": "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/"
    },
    {
      "type": "ARTICLE",
      "url": "https://www.wiz.io/blog/teampcp-attack-kics-github-action"
    },
    {
      "type": "ARTICLE",
      "url": "https://docs.litellm.ai/blog/security-update-march-2026"
    }
  ],
  "summary": "Two litellm versions published containing credential harvesting malware"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.