Litellm PyPI Package Compromised: Malicious Version 1.82.8 Exfiltrated Credentials

Security Alert: Litellm Package Compromise
The litellm Python package, which has approximately 97 million downloads per month and is used to unify API calls to OpenAI, Anthropic, Cohere, and other LLM providers, was compromised on PyPI. A malicious version (1.82.8) was uploaded that exfiltrated sensitive data from affected systems.
What Happened
For approximately one hour, running pip install litellm or installing any package that depends on it (such as DSPy) would trigger data exfiltration. The malicious version collected:
- SSH keys
- AWS, GCP, and Azure credentials
- Kubernetes configuration files
- Git credentials and shell history
- All environment variables (including API keys and secrets)
- Crypto wallet information
- SSL private keys
- CI/CD secrets
The attack was discovered when a user's machine crashed. Andrej Karpathy described it as "the scariest thing imaginable in modern software."
Immediate Action Required
If you installed any Python packages yesterday (especially DSPy or any litellm-dependent tool), assume your credentials are compromised. You should:
- Rotate all potentially affected credentials immediately
- Check your package versions for litellm 1.82.8
- Review the full breakdown in the source for specific remediation steps
The malicious version has been removed from PyPI, but credentials may already have been stolen during the hour the package was active.
📖 Read the full source: r/LocalLLaMA
👀 See Also

Testing Uncensored Qwen 3.5 35B Models for Cybersecurity Questions
A cybersecurity professional tested three uncensored Qwen 3.5 35B models on hacking and security bypass questions, finding significant differences in response quality compared to the original censored model. The uncensored models consistently provided answers where the original model refused or gave incomplete responses.

mcp-scan: Security scanner for MCP server configurations
mcp-scan checks MCP server configurations for security issues including secrets in config files, known vulnerabilities in packages, suspicious permission patterns, exfiltration vectors, and tool poisoning attacks. It auto-detects configs for Claude Desktop, Cursor, VS Code, Windsurf, and 6 other AI clients.

Practical Security Practices for OpenClaw Agents
A Reddit post outlines specific security practices for OpenClaw users, including scheduled commands for updates and audits, managing agent access in shared channels, and securing API keys and skills.

Agent Isolation Security Analysis: From No Sandbox to Firecracker VMs
Analysis of how Cursor, Claude Code, Devin, OpenAI, and E2B isolate agent workloads, ranging from no sandbox to hardware-isolated Firecracker microVMs. Container runtimes have had escape CVEs annually since 2019, while Firecracker has zero guest-to-host escapes in seven years.