Hackers Hide Crypto Wallet-Stealing Code in Popular AI Tool

Hackers planted crypto wallet-stealing malware inside LiteLLM, one of the most widely used AI developer tools, in a supply chain attack that silently harvested private keys, cloud credentials, and sensitive data from anyone who installed the compromised versions.

LiteLLM is an open-source library that routes requests across more than 100 large language model providers. It serves as critical infrastructure for thousands of AI applications and processes roughly 97 million monthly downloads on PyPI, Python's official package repository.

The attack landed during a period of heightened unease across crypto markets, with the Fear & Greed Index sitting at 13, deep in "Extreme Fear" territory. For developers running AI-powered trading bots, wallet managers, or DeFi tools built on LiteLLM, the breach introduced a direct threat to their crypto holdings.

How Hackers Embedded the Malicious Code

A threat actor group tracked as TeamPCP compromised LiteLLM versions 1.82.7 and 1.82.8, uploading the poisoned packages to PyPI on March 24, 2026 between 10:39 and 16:00 UTC. Both versions have since been removed.

The attackers did not hack LiteLLM's codebase directly. Instead, they exploited a compromised Trivy GitHub Action, a popular security scanner used in LiteLLM's own CI/CD pipeline, to steal PyPI publishing credentials. With those credentials in hand, TeamPCP bypassed official build workflows and uploaded the malicious packages directly to PyPI.

The irony is sharp: a security scanner designed to protect software supply chains became the entry point that compromised one. This parallels the growing sophistication of attacks targeting crypto infrastructure, similar to the Web3 security threats that have cost the industry billions in recent years.

The LiteLLM compromise was not an isolated incident. It was the third stage of an ongoing campaign: Trivy (March 19), then 44+ npm packages including Aqua Security's GitHub repositories (March 20-22), then Checkmarx KICS (March 23), then LiteLLM (March 24), and Telnyx on March 27, showing the campaign remains active today.

What the Wallet-Stealing Code Actually Does

The malicious code planted a file called litellm_init.pth in the Python installation directory. This file executed automatically on every Python startup, not just when LiteLLM was imported, meaning any Python process on an infected machine triggered the data theft.

The malware harvested an extensive list of sensitive data: SSH keys, AWS/GCP/Azure credentials, Kubernetes tokens, git credentials, environment variables containing API keys, shell history, crypto wallet files, SSL private keys, CI/CD secrets, and database passwords.

For crypto holders, the wallet file exfiltration is the most critical threat. The malware targeted local wallet keystores and configuration files. If a developer stored hot wallet keys, seed-related data, or private keys anywhere on the compromised machine, those are now presumed exposed. Unlike a compromised exchange password, stolen private keys cannot be rotated, and any funds in affected wallets should be considered permanently at risk.

All exfiltrated data was encrypted with AES-256 and RSA-4096 before being sent via POST request to a fraudulent domain, models.litellm.cloud, designed to look like legitimate LiteLLM infrastructure. The encryption made it harder for network monitoring tools to flag the outbound traffic as suspicious.

OpenAI co-founder Andrej Karpathy called it "software horror" in a widely shared warning to developers (source: @karpathy on X).

The transitive dependency risk amplifies the blast radius. Projects like DSPy, which depend on litellm>=1.64.0, could have pulled in the poisoned version automatically. Any AI application using LiteLLM as a sub-dependency was exposed even without directly installing it, a reality that makes protecting your wallet from evolving crypto scams increasingly complex when threats arrive through developer toolchains.

According to unconfirmed reports, the attack was first discovered when a developer using an MCP plugin inside Cursor experienced a machine crash caused by RAM exhaustion when LiteLLM 1.82.8 was installed. This initial discovery mechanism has not been confirmed in the official LiteLLM advisory.

How to Check If You Are Affected and What to Do Now

LiteLLM has engaged Google's Mandiant team for forensic analysis and paused all new releases pending a full supply chain review. Users running the official LiteLLM Proxy Docker image (ghcr.io/berriai/litellm) were not affected.

If you installed LiteLLM via pip between March 24 10:39 UTC and 16:00 UTC, take these steps immediately:

  • Check your installed version: Run pip show litellm. If it shows 1.82.7 or 1.82.8, you are affected.
  • Downgrade immediately: Run pip install litellm==1.82.6 to revert to the last safe version.
  • Scan for the payload: Search your Python installation for litellm_init.pth. If found, delete it and treat the machine as fully compromised.
  • Move crypto funds now: If you had any wallet files, private keys, or seed-related data on the affected machine, transfer all funds to a new wallet generated on a clean device. Do not reuse any keys from the compromised system.
  • Rotate all credentials: This includes AWS/GCP/Azure keys, SSH keys, database passwords, API tokens, and any secrets stored in environment variables or shell history.
  • Audit CI/CD pipelines: If the compromised machine had access to deployment systems, review recent builds and deployments for unauthorized changes.
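
A file-only triage script for the version and payload checks above, added here as an example (it is not code from this article or from the LiteLLM project). It looks for the payload file, for pip metadata of the two compromised releases, and for requirements files that pin them; the function name, the output labels and the requirements*.txt / constraints*.txt patterns are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article or the LiteLLM project).
# Inspects files only and never starts Python, since the article says
# litellm_init.pth executes on every interpreter startup.

BAD_VERSIONS="1.82.7 1.82.8"   # compromised releases named in the article
PAYLOAD="litellm_init.pth"     # payload file name given in the article

# scan_litellm ROOT...
# Prints "<KIND> <path>" per finding; returns 0 if clean, 1 if anything found.
scan_litellm() {
    findings=$(
        for root in "$@"; do
            [ -d "$root" ] || continue
            # The .pth payload, wherever it sits under this root.
            find "$root" -type f -name "$PAYLOAD" 2>/dev/null | sed 's/^/PAYLOAD /'
            for v in $BAD_VERSIONS; do
                # pip records an installed wheel as <name>-<version>.dist-info
                find "$root" -type d -name "litellm-$v.dist-info" 2>/dev/null |
                    sed 's/^/INSTALLED /'
                # Requirements/constraints files that pin a compromised release
                vre=$(printf '%s' "$v" | sed 's/\./\\./g')
                find "$root" -type f \( -name 'requirements*.txt' -o -name 'constraints*.txt' \) \
                    -exec grep -liE "^[[:space:]]*litellm(\[[^]]*\])?[[:space:]]*==[[:space:]]*$vre([[:space:];#]|\$)" {} + 2>/dev/null |
                    sed 's/^/PINNED /'
            done
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run against the roots given on the command line, e.g. a venv or $HOME.
if [ "$#" -gt 0 ]; then
    scan_litellm "$@"
fi
```

A PAYLOAD or INSTALLED line means the machine falls under the remaining steps in this list; a PINNED line alone means a future install from that file would have requested a removed release.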

Hardware wallets provide meaningful protection against this specific attack vector. Since hardware wallets sign transactions on the device itself and never expose private keys to the host machine, funds stored exclusively on hardware wallets were not directly at risk. Any hot wallet secrets on the same machine, however, remain compromised.

The expanding scope of crypto payment infrastructure makes supply chain security increasingly critical. With TeamPCP's campaign still active and now targeting Telnyx as of today, developers working across crypto and AI should audit their dependency trees and pin package versions rather than accepting automatic upgrades. As large holders continue repositioning across crypto markets, the intersection of AI tooling and digital asset security demands closer attention from the entire ecosystem.
