Litellm PyPI Package Compromised: Malicious Version 1.82.8 Exfiltrated Credentials

✍️ OpenClawRadar📅 Published: March 25, 2026🔗 Source
Litellm PyPI Package Compromised: Malicious Version 1.82.8 Exfiltrated Credentials
Ad

Security Alert: Litellm Package Compromise

The litellm Python package, which has approximately 97 million downloads per month and is used to unify API calls to OpenAI, Anthropic, Cohere, and other LLM providers, was compromised on PyPI. A malicious version (1.82.8) was uploaded that exfiltrated sensitive data from affected systems.

What Happened

For approximately one hour, running pip install litellm or installing any package that depends on it (such as DSPy) would trigger data exfiltration. The malicious version collected:

  • SSH keys
  • AWS, GCP, and Azure credentials
  • Kubernetes configuration files
  • Git credentials and shell history
  • All environment variables (including API keys and secrets)
  • Crypto wallet information
  • SSL private keys
  • CI/CD secrets

The attack was discovered when a user's machine crashed. Andrej Karpathy described it as "the scariest thing imaginable in modern software."

Ad

Immediate Action Required

If you installed any Python packages yesterday (especially DSPy or any litellm-dependent tool), assume your credentials are compromised. You should:

  • Rotate all potentially affected credentials immediately
  • Check your package versions for litellm 1.82.8
  • Review the full breakdown in the source for specific remediation steps

The malicious version has been removed from PyPI, but credentials may already have been stolen during the hour the package was active.

📖 Read the full source: r/LocalLLaMA

Ad

👀 See Also

Testing Uncensored Qwen 3.5 35B Models for Cybersecurity Questions
Security

Testing Uncensored Qwen 3.5 35B Models for Cybersecurity Questions

A cybersecurity professional tested three uncensored Qwen 3.5 35B models on hacking and security bypass questions, finding significant differences in response quality compared to the original censored model. The uncensored models consistently provided answers where the original model refused or gave incomplete responses.

OpenClawRadar
mcp-scan: Security scanner for MCP server configurations
Security

mcp-scan: Security scanner for MCP server configurations

mcp-scan checks MCP server configurations for security issues including secrets in config files, known vulnerabilities in packages, suspicious permission patterns, exfiltration vectors, and tool poisoning attacks. It auto-detects configs for Claude Desktop, Cursor, VS Code, Windsurf, and 6 other AI clients.

OpenClawRadar
Practical Security Practices for OpenClaw Agents
Security

Practical Security Practices for OpenClaw Agents

A Reddit post outlines specific security practices for OpenClaw users, including scheduled commands for updates and audits, managing agent access in shared channels, and securing API keys and skills.

OpenClawRadar
Agent Isolation Security Analysis: From No Sandbox to Firecracker VMs
Security

Agent Isolation Security Analysis: From No Sandbox to Firecracker VMs

Analysis of how Cursor, Claude Code, Devin, OpenAI, and E2B isolate agent workloads, ranging from no sandbox to hardware-isolated Firecracker microVMs. Container runtimes have had escape CVEs annually since 2019, while Firecracker has zero guest-to-host escapes in seven years.

OpenClawRadar