If you haven't heard, two versions of LiteLLM got hacked yesterday (1.82.7 and 1.82.8). That means tons of AI agent projects got compromised if they installed during those 3 hours.

Live on PyPI for 3 hours. Downloaded 3.4 million times per day. Stole SSH keys, credentials, secrets, API keys and crypto wallet seed phrases.

How it happened: Attackers compromised Trivy (a security scanner) first. When LiteLLM's CI ran Trivy, it leaked their PyPI token. With that token, they published the poisoned versions.

Worst part: version 1.82.8 used a .pth file. The malicious code ran every time Python started. Even when you just ran pip.

There are a few articles popping up about this (and posts here on Reddit). Quite a huge deal, as MANY agent toolkits (even one I'm making in a personal project) use LiteLLM behind the scenes.

If you installed either version:

Safe version: anything ≤ 1.82.6
In hindsight: a bad choice of a hero message
Reddit r/LocalLLaMA / 3/25/2026
📰 News · Developer Stack & Infrastructure · Signals & Early Trends · Tools & Practical Usage
Key Points
- LiteLLM versions 1.82.7 and 1.82.8 were compromised and live on PyPI for a three-hour window; the package is downloaded 3.4 million times per day, so many AI agent projects may be affected.
- The attack chain began with a compromise of the Trivy security scanner: when LiteLLM's CI ran Trivy, its PyPI token leaked, and the attackers used that token to publish the poisoned LiteLLM packages.
- Version 1.82.8 contained a malicious .pth payload that executes on Python startup, meaning the backdoor could run even during routine pip usage.
- The report recommends immediate incident steps for affected users, including checking for backdoors at a specific local path, rotating all credentials, and hunting for suspicious Kubernetes pods.
- The safe remediation is to downgrade to any LiteLLM version ≤ 1.82.6 and treat installed 1.82.7/1.82.8 as potentially fully compromised.
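
To audit an environment for the startup mechanism described above (an added example, not code from the Reddit post or the LiteLLM project): Python's `site` module executes any `.pth` line that starts with `import`, so this script lists such lines in a site-packages directory and reads the installed LiteLLM version from its dist-info directory name without importing the package. The function names are this example's own.

```python
import sys
import sysconfig
from pathlib import Path

COMPROMISED = {"1.82.7", "1.82.8"}  # the two versions named on this page


def executable_pth_lines(text):
    """Lines site.py exec()s at startup: those starting with 'import' + space/tab."""
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def scan_site_dir(site_dir):
    """Return (pth_findings, litellm_versions) for one site-packages directory."""
    site_dir = Path(site_dir)
    pth_findings = {}
    for pth in sorted(site_dir.glob("*.pth")):
        try:
            text = pth.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the audit
        lines = executable_pth_lines(text)
        if lines:
            pth_findings[pth.name] = lines
    # Version comes from the dist-info directory name, so litellm is never imported.
    versions = sorted(
        d.name[len("litellm-"):-len(".dist-info")]
        for d in site_dir.glob("litellm-*.dist-info")
    )
    return pth_findings, versions


def default_site_dirs():
    """site-packages directories of the interpreter running this script."""
    paths = sysconfig.get_paths()
    return sorted({paths["purelib"], paths["platlib"]})


if __name__ == "__main__":
    for d in sys.argv[1:] or default_site_dirs():
        pth_findings, versions = scan_site_dir(d)
        print(f"[{d}]")
        for v in versions:
            flag = "COMPROMISED (per this page)" if v in COMPROMISED else "not a listed version"
            print(f"  litellm {v}: {flag}")
        for name, lines in pth_findings.items():
            for ln in lines:
                print(f"  {name}: executable line: {ln[:100]}")
```

Legitimate packages also ship `.pth` files with `import` lines, so the output is a list to review, not a verdict. Running it as `python -S audit_pth.py /path/to/site-packages` (hypothetical file name) keeps the auditing interpreter from processing `.pth` files itself.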