A single pip install steals all keys: Karpathy calls LiteLLM supply chain poisoning "the most terrifying thing in software"

According to 1M AI News monitoring, OpenAI founding member Andrej Karpathy posted that the supply chain attack on AI agent development tool LiteLLM is “one of the most terrifying things in modern software.” LiteLLM has 97 million downloads per month, and the infected versions v1.82.7 and v1.82.8 have been removed from PyPI.

Just one command, pip install litellm, is enough to steal SSH keys, AWS/GCP/Azure cloud credentials, Kubernetes configurations, git credentials, environment variables (including all API keys), shell history, encrypted wallets, SSL private keys, CI/CD secrets, and database passwords. Malicious code encrypts data with 4096-bit RSA and transmits it to a disguised domain, models.litellm.cloud, and also attempts to create privileged containers in the kube-system namespace of Kubernetes clusters to implant persistent backdoors.

Even more dangerous is its contagious nature: any project depending on LiteLLM can also be compromised. For example, pip install dspy (which depends on litellm>=1.64.0) will also trigger malicious code. The infected versions only survived about an hour on PyPI before being discovered, ironically because the attacker’s malicious code had a bug that caused memory exhaustion and crashes. Developer Callum McMahon encountered this when using the MCP plugin in the AI programming tool Cursor; LiteLLM was pulled in as a transitive dependency, and after installation, the machine crashed immediately, exposing the attack. Karpathy commented, “If the attacker didn’t vibe code this time, it might go unnoticed for days or even weeks.”

The threat group TeamPCP exploited a configuration flaw in LiteLLM’s CI/CD pipeline, involving the Trivy vulnerability scanner running in GitHub Actions, at the end of February to steal the project's PyPI publishing tokens, then bypassed GitHub entirely and uploaded the malicious versions directly to PyPI. Berri AI CEO Krrish Dholakia, the maintainer of LiteLLM, stated that all publishing tokens have been revoked and that the project plans to shift to a JWT-based trusted release mechanism. PyPA issued security advisory PYSEC-2026-2, recommending that all users who installed the affected versions assume the credentials in their environment have been compromised and rotate them immediately.
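As an added example (not from the article, LiteLLM, or PyPA), the triage check an operator would run on each host before deciding what to rotate: it parses `pip show` output for an environment, flags the two affected LiteLLM releases, and walks the dependency graph upward to find packages such as dspy that pulled LiteLLM in transitively. The `pip show` text and every version other than LiteLLM's are constructed placeholders.

```python
import re
from collections import deque

# Releases named in the article and in PYSEC-2026-2 as carrying the payload.
AFFECTED_LITELLM = {"1.82.7", "1.82.8"}

def norm(name: str) -> str:
    """Normalize a distribution name the way pip compares them."""
    return name.strip().lower().replace("_", "-")

def parse_pip_show(text: str) -> dict:
    """Parse `pip show <pkg> ...` output (blocks separated by '---') into
    {name: {"version": str, "requires": set_of_names}}."""
    pkgs = {}
    for block in text.split("---"):
        fields = dict(re.findall(r"^([A-Za-z-]+):\s*(.*)$", block, re.M))
        if "Name" not in fields:
            continue
        requires = {norm(r) for r in fields.get("Requires", "").split(",") if r.strip()}
        version = fields.get("Version", "").strip().lstrip("v")  # accept "v1.82.7"
        pkgs[norm(fields["Name"])] = {"version": version, "requires": requires}
    return pkgs

def audit(text: str) -> dict:
    """Report whether litellm is a compromised release and which installed
    packages (transitively) depend on it, so nothing is missed when rotating."""
    pkgs = parse_pip_show(text)
    required_by = {}                      # reverse edges: dep -> {packages needing it}
    for name, meta in pkgs.items():
        for dep in meta["requires"]:
            required_by.setdefault(dep, set()).add(name)
    seen, queue = set(), deque(["litellm"])   # BFS upward from litellm
    while queue:
        for parent in required_by.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    version = pkgs.get("litellm", {}).get("version")
    return {"litellm_version": version,
            "compromised": version in AFFECTED_LITELLM,
            "affected_dependants": sorted(seen)}

# Constructed sample: only litellm's version is real; other packages are placeholders.
SAMPLE = """Name: litellm
Version: 1.82.7
Requires: aiohttp, httpx, openai, pydantic
Required-by: dspy
---
Name: dspy
Version: 0.0.0
Requires: litellm
---
Name: example-agent
Version: 0.0.0
Requires: dspy
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feed it the real output of `pip show $(pip freeze | cut -d= -f1)` in an environment; a `compromised: True` result means every credential reachable from that host, not just the API keys LiteLLM used, goes on the rotation list.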
