According to 1M AI News monitoring, OpenAI founding member Andrej Karpathy posted that the supply chain attack on AI agent development tool LiteLLM is “one of the most terrifying things in modern software.” LiteLLM has 97 million downloads per month, and the infected versions v1.82.7 and v1.82.8 have been removed from PyPI.
Just one command, pip install litellm, is enough to steal SSH keys, AWS/GCP/Azure cloud credentials, Kubernetes configurations, git credentials, environment variables (including all API keys), shell history, encrypted wallets, SSL private keys, CI/CD secrets, and database passwords. Malicious code encrypts data with 4096-bit RSA and transmits it to a disguised domain, models.litellm.cloud, and also attempts to create privileged containers in the kube-system namespace of Kubernetes clusters to implant persistent backdoors.
Even more dangerous is its contagious nature: any project depending on LiteLLM can also be compromised. For example, pip install dspy (which depends on litellm>=1.64.0) will also trigger malicious code. The infected versions only survived about an hour on PyPI before being discovered, ironically because the attacker’s malicious code had a bug that caused memory exhaustion and crashes. Developer Callum McMahon encountered this when using the MCP plugin in the AI programming tool Cursor; LiteLLM was pulled in as a transitive dependency, and after installation, the machine crashed immediately, exposing the attack. Karpathy commented, “If the attacker didn’t vibe code this time, it might go unnoticed for days or even weeks.”
The threat group TeamPCP exploited a configuration flaw in LiteLLM’s CI/CD pipeline using Trivy vulnerability scanner in GitHub Actions at the end of February, stealing PyPI publishing tokens, then bypassing GitHub to upload malicious versions directly to PyPI. Berri AI CEO Krrish Dholakia, the maintainer of LiteLLM, stated that all publishing tokens have been revoked and plans to shift to a JWT-based trusted release mechanism. PyPA issued security advisory PYSEC-2026-2, recommending all users who installed affected versions assume their environment credentials have been compromised and should rotate them immediately.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Bitcoin rebounds to $76k, with Trump extending the Iran ceasefire to ease geopolitical pressure temporarily
U.S. President Trump announced on April 22 that the ceasefire deadline with Iran would be extended. At the request of Pakistan’s Army Chief of Staff and Prime Minister, the U.S. will wait for Iran to submit a unified proposal before moving forward, while continuing to maintain the naval blockade and keeping its forces on standby. Iran refused to attend the next round of negotiations originally scheduled to take place in Islamabad, and the Strait of Hormuz has closed again. Bitcoin rebounded to $76,000, and analyst DonAlt views this as a key early warning level that determines the direction of the market outlook going forward.
MarketWhisper12m ago
Lebanon's Parliament Speaker Calls for Israeli Military Unconditional Withdrawal from Southern Territory
Gate News message, April 22 — Lebanon's Parliament Speaker Nabih Berri called on April 21 for Israeli forces to withdraw unconditionally from occupied Lebanese territory in the south. Speaking in an interview, Berri stated that as long as Israeli military maintains its occupation of southern Lebanon
GateNews36m ago
The Iran-U.S. talks did not take place as expected, stocks in the U.S. fell, and Bitcoin traded in a range.
U.S.-Iran talks did not go as expected, and the stock market fell; Vance postponed his visit to Pakistan, and the Strait of Hormuz blockade will continue. U.S. March retail sales rose 1.7%, beating expectations. Waller was nominated as the next Chair of the Federal Reserve, emphasizing independence; market expectations are broadly neutral. Bitcoin is still consolidating in the 74k–77k range, spot ETFs have recorded net inflows for five straight days, and ETH ETFs have also seen net inflows day after day. Sentiment is stabilizing, and the volatility spread indicates that risk appetite is declining.
ChainNewsAbmedia1h ago
Iran Agrees to Military Combat Pause but War Continues, Says State Television
Gate News message, April 21 — In response to President Trump's statement on extending a ceasefire period, Iran's state television declared on the morning of April 22 that Iran has emerged as the victor on the battlefield. The state broadcaster emphasized that control of the Strait of Hormuz represen
GateNews2h ago
Iran Says Military Clashes Suspended But War Continues, Cites Strait of Hormuz Control as Key Leverage
Gate News message, April 21 — Iran's state television declared early on April 22 that Iran has become the victor on the battlefield in response to Trump's statement on extending the ceasefire period. The country cited control of the Strait of Hormuz as an extremely valuable bargaining chip gained in
GateNews2h ago
Bipartisan PACE Act Proposes Opening Federal Reserve Payment Networks to Non-Banks
Gate News message, April 21 — The PACE Act, introduced by bipartisan U.S. lawmakers, aims to allow compliant non-bank payment institutions direct access to the Federal Reserve's payment systems, garnering support from the crypto industry.
The legislation would establish a federal framework
GateNews3h ago
