The Anatomy of the LiteLLM Supply Chain Attack: A Catastrophic Compromise in the AI Ecosystem via "Vibe Coding"

The Anatomy of the LiteLLM Supply Chain Attack: A Catastrophic Compromise in the AI Ecosystem via "Vibe Coding"

The Keys to the AI Kingdom

On March 24, 2026, the artificial intelligence developer ecosystem experienced an unprecedented software supply chain attack. The target was litellm, an immensely popular Python package with 97 million monthly downloads that serves as a universal adapter connecting applications to over 100 LLM APIs from providers like OpenAI, Anthropic, and Google.

The attacker, a financially motivated threat group known as TeamPCP (also tracked as PCPcat, Persy_PCP, ShellForce, and DeadCatx3), managed to publish two malicious versions (1.82.7 and 1.82.8) directly to the Python Package Index (PyPI). Over a critical 46-minute window, these compromised versions were downloaded 46,996 times before being quarantined. As product growth writer Aakash Gupta noted, the attackers brilliantly "picked the one package whose entire job is holding every AI credential in the organization in one place".

The Irony of the Attack Chain:

When Security Tools Become Weapons

The story of the LiteLLM compromise reads like an M. Night Shyamalan movie full of tragic twists. The vulnerability did not stem from sloppy coding in LiteLLM itself, but ironically, from the maintainers correctly using a security scanner.

The attack chain started weeks earlier when an AI-powered autonomous agent named "hackerbot-claw" (or "openclaw") targeted Aqua Security's trivy-action, a widely used open-source vulnerability scanner. The AI bot exploited a highly dangerous pull_request_target GitHub Actions workflow misconfiguration, allowing attackers to steal a privileged token. With this token, TeamPCP rewrote the immutable-looking Git tags for Trivy's v0.69.4 release to point to a malicious commit.

On March 24, when the LiteLLM CI/CD pipeline ran the poisoned Trivy scanner during their automated build process, the security tool executed the malware and exfiltrated LiteLLM's PYPI_PUBLISH token. Armed with this credential, TeamPCP bypassed standard GitHub release protocols and uploaded the malware directly to PyPI.

Two Delivery Mechanisms:

Source Injection and the Dreaded .pth Hook

The attackers deployed two distinct versions with different injection techniques:

Version 1.82.7 (10:39 UTC): The payload was double base64-encoded (a technique YouTubers jokingly referred to as "double based") and embedded directly inside proxy_server.py. It exfiltrated data to checkmarx[.]zone/raw, a typosquat of a legitimate security vendor compromised in a parallel attack.

Version 1.82.8 (10:52 UTC): This escalated the attack using a 34,628-byte file named litellm_init.pth dropped into the site-packages/ directory. The .pth mechanism fires on every Python interpreter startup with no import required. Because the malicious file was correctly declared in the wheel's RECORD file, it perfectly bypassed pip hash verification checks.

The Three-Stage Payload:

Catching Credentials "Like Pokémon"

Once triggered, the malware executed a sophisticated three-stage operation. In Stage 1, it treated system secrets "like Pokémon," attempting to aggressively catch them all. The script harvested SSH private keys, .env files, Git credentials, Slack/Discord webhooks, CI/CD configs (Terraform, GitLab, Jenkins), and database passwords. It targeted cloud environments specifically, reading ~/.aws/credentials, querying AWS IMDS endpoints, and making live API calls to AWS Secrets Manager and Kubernetes clusters. It even swept the system for cryptocurrency wallets, targeting Bitcoin, Litecoin, Ethereum, Solana, Cardano, and Monero.

In Stage 2, the exfiltration was highly secured. The malware generated a random 32-byte AES-256 session key to encrypt the stolen data (PBKDF2 key derivation). This session key was then encrypted using a hardcoded 4096-bit RSA public key embedded in the payload. Bundled into an archive named tpcp.tar.gz, the data was exfiltrated to models.litellm.cloud (registered just one day prior).

Stage 3 established lateral movement and persistence. The malware dropped a backdoor Python script at ~/.config/sysmon/sysmon.py and created a systemd service called "System Telemetry Service". On Kubernetes clusters, it used stolen service account tokens to read secrets across all namespaces and deployed privileged alpine:latest pods named node-setup-{node_name} to install the backdoor directly onto the underlying host machines. To mock security researchers analyzing the malware in sandboxes, the C2 server was configured to return a link to an English remastering of the song "Bad Apple!!".

"Vibe Coding" and the Accidental Fork Bomb

Despite its sophistication, the stealthy attack was uncovered within an hour due to a sloppy implementation bug. Callum McMahon, a researcher at FutureSearch, was testing an MCP plugin inside the Cursor IDE. Because Cursor used uvx to launch the MCP server, it automatically pulled in litellm as an unpinned transitive dependency.

When the .pth file triggered upon installation, it used subprocess.Popen to spawn a child Python process. However, because .pth files trigger on every Python startup, the child process repeatedly re-triggered the payload, accidentally creating an exponential fork bomb that spawned 11,000 processes and exhausted the RAM on McMahon's 48GB Mac.

Using Claude Code, McMahon decoded the base64 string (import subprocess\nimport tempfile) and discovered the rogue package. Prominent AI scientist Andrej Karpathy pointed out the extreme irony of this accidental discovery. In his analysis, Karpathy emphasized: "So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks". The malware's own poor quality is exactly what made it visible.

The GitHub Cover-Up and the Compliance Tragicomedy

When McMahon reported the malware on the BerriAI/litellm GitHub repository (Issue #24512), TeamPCP actively suppressed the disclosure. Using the fully compromised account of LiteLLM maintainer Krrish Dholakia, the attackers abruptly closed the critical security issue as "not planned". Simultaneously, they deployed a botnet to flood the thread with 88 fake, AI-generated replies (e.g., "great explanation thanks for sharing") in just 102 seconds to confuse investigators. The attackers even used the compromised maintainer account to subtly change Calendly meeting invite links to fake ones.

Adding a final layer of dark comedy to the incident, users discovered that LiteLLM advertised its security through a compliance company named Delve, promising "AI native compliance". Ironically, Delve itself was simultaneously facing accusations of misleading customers with fake SOC 2 compliance reports, perfectly encapsulating the chaotic state of modern software security.

"Software Horror" and the "Yoink" Philosophy

The blast radius of this 46 minute window was catastrophic. Because the contagion spreads transitively, major AI frameworks like DSPy, MLflow, OpenHands, and CrewAI automatically pulled the malware as an indirect dependency. TeamPCP claims to have stolen 300GB of compressed credentials from over 500,000 systems and is actively extorting multi-billion dollar companies like Stripe, Netflix, and Google.

Andrej Karpathy labeled the incident an absolute "software horror". Emphasizing the absurdity of the situation, he stated: "Simple pip install litellm was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords".

He warned of the massive contagion effect, explaining that "if you did pip install dspy (which depended on litellm>=1.64.0), you'd also be pwnd". Karpathy summarized the ultimate lesson of the breach: "Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree."

Classical software engineering treats dependencies as inherently good a mindset Karpathy described as believing "we're building pyramids from bricks." However, he warns this philosophy must be re evaluated. Instead of relying on massive, opaque dependency trees, developers should use LLMs to "yoink" (extract and copy) only the specific code fragments they need directly into their codebases when it is simple enough and possible.

Security experts advise that anyone who installed or indirectly pulled litellm versions 1.82.7 or 1.82.8 must assume total system compromise. Remediation requires a complete rotation of all SSH keys, cloud tokens, database passwords, and API keys, along with purging package manager caches and thoroughly auditing Kubernetes environments for persistent backdoors. Ultimately, this incident serves as a historical warning that even the most trusted security tools and AI wrappers can become the very vectors that destroy an organization's infrastructure.