2026-03
AI Supply Chain
LiteLLM / PyPI

Backdoored LiteLLM packages on PyPI harvested cloud keys from AI stacks

What happened

Attackers tracked as TeamPCP compromised a scanner tool and used it to steal LiteLLM's PyPI publishing tokens, then pushed two malicious releases of the widely used LLM gateway library. The payload harvested SSH keys, cloud credentials, Kubernetes tokens, and API keys, encrypted them, and beaconed to attacker infrastructure while installing a backdoor. Because LiteLLM brokers calls to 100+ providers, it sits atop credentials across agent frameworks, MCP servers, and CI pipelines.

Impact

Versions 1.82.7 and 1.82.8 were live on PyPI for roughly 40 minutes on 2026-03-24, exposing developer machines, CI/CD systems, and production inference infrastructure to credential theft.

How this could have been prevented

Scoped, short-lifetime publishing tokens plus trusted-publisher signing would have prevented a compromised CI dependency from pushing backdoored releases.

Sources

More ai supply chain incidents

Would runtime governance have caught this?

Guardion enforces policy on every agent action inline — with visibility, tamper-evident evidence, and DLP for agents and MCPs.

Request a demo