The LiteLLM Supply Chain Attack: What Happened and Why It Matters
On March 24, 2026, LiteLLM, a Python package with over 95 million monthly downloads that AI teams use to route calls across LLM providers, was compromised in a supply chain attack. A threat actor group known as TeamPCP gained access to the LiteLLM maintainer's PyPI publishing credentials and pushed malicious versions (1.82.7 and 1.82.8) to the package index.
The Attack
The payload was subtle: a .pth file, which abuses a little-known Python mechanism. The interpreter processes every .pth file in site-packages at startup and executes any line that begins with import, so if you installed either compromised version, malicious code ran silently, with no explicit import of the package needed. The compromised versions were live for less than five hours, within a window of roughly 0800–1244 UTC, but given LiteLLM's install volume, the blast radius was significant.
Critically, the source code on GitHub was never modified. The attack existed only in the distributed PyPI artifact, making it invisible to anyone reviewing the repo.
Why LLM Gateways Are High-Value Targets
LiteLLM isn't just another Python package. As an LLM gateway library, it holds API keys for every provider it routes to: OpenAI, Anthropic, Google, and more. Compromising it means potentially exfiltrating credentials for an organization's entire AI stack in one shot.
The Response
Many startups and enterprises using LiteLLM scrambled to assess exposure.
At Arthur, our CTO published open-source detection scripts that scan GitHub Actions runners, GitLab CI/CD pipelines, and local filesystems for the affected versions. You can check the script on GitHub here.
Mozilla.ai published hardening guidance recommending teams pin exact versions with hash verification, audit .pth files in their environments, adopt PyPI trusted publishers, and compare distributed artifacts against source before deploying. You can check their hardening guidance here.
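The two checks above, auditing .pth files and confirming that no affected LiteLLM release is installed, as an added example; this is not the Arthur or Mozilla.ai script. It relies only on the CPython rule that a .pth line starting with "import " or "import\t" is executed at startup, and the release numbers are the ones named in this post.

```python
"""Audit .pth files for lines Python will exec() at startup and flag the
LiteLLM releases named above (added example, not the Arthur or Mozilla.ai scripts)."""
import re
import site
import sys
from importlib.metadata import PackageNotFoundError, version
from pathlib import Path

AFFECTED_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}  # release numbers from the text above

# CPython's site.addpackage() exec()s any .pth line starting with "import " or
# "import\t"; every other non-comment line is just appended to sys.path.
EXEC_LINE = re.compile(r"^import[ \t]")

def scan_pth_text(text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for each line the interpreter would execute."""
    return [(n, line.rstrip()) for n, line in enumerate(text.splitlines(), start=1)
            if EXEC_LINE.match(line)]

def scan_site_packages(site_packages: Path) -> list[tuple[Path, int, str]]:
    """Scan every .pth file in one site-packages directory; files are only read."""
    findings = []
    for pth in sorted(site_packages.glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        findings.extend((pth, n, line) for n, line in scan_pth_text(text))
    return findings

def is_affected_version(ver: str) -> bool:
    return ver.strip() in AFFECTED_LITELLM_VERSIONS

def installed_litellm_is_affected() -> bool:
    """True only when litellm is installed and its metadata version is affected."""
    try:
        return is_affected_version(version("litellm"))
    except PackageNotFoundError:
        return False

def main() -> int:
    dirs = {Path(p) for p in site.getsitepackages() + [site.getusersitepackages()]}
    findings = [f for d in dirs if d.is_dir() for f in scan_site_packages(d)]
    # Legitimate tooling (editable installs, virtualenv shims) also uses this hook,
    # so every hit is a review item: confirm which package owns the file and line.
    for path, n, line in findings:
        print(f"{path}:{n}: {line}")
    if installed_litellm_is_affected():
        print(f"litellm {version('litellm')} is an affected release", file=sys.stderr)
        return 1
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it inside each virtualenv and CI image you care about, since .pth files are per-environment; a non-zero exit means an affected LiteLLM release is installed there.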
The Takeaway
This incident is a wake-up call for AI teams that treat pip install as safe by default. Your LLM gateway is your blast radius — treat its supply chain with the same rigor you'd give your database credentials.