LiteLLM: The AI Gateway Library at the Centre of a March 2026 Supply-Chain Attack

LiteLLM is an open-source Python library that routes developer calls across 100+ AI model APIs through a single interface; a March 2026 supply-chain attack compromised two PyPI releases, exposing thousands of downstream AI companies to credential theft.

Created 2026-04-02 Last reviewed 2026-04-02

What It Is

LiteLLM is an open-source Python SDK and proxy server — marketed as an “AI Gateway” — that allows software developers to call more than 100 large language model APIs (OpenAI, Anthropic, Google Vertex AI, AWS Bedrock, Azure, and others) through a single, standardised interface. Rather than writing separate integration code for each AI provider, a developer who has embedded LiteLLM can switch between models by changing a single parameter. The library normalises API formats, tracks usage costs, handles load balancing, manages authentication keys, and can enforce guardrails — making it, in effect, the plumbing layer between an application and the commercial AI ecosystem.

The project was built by BerriAI, a Y Combinator Winter 2023 startup founded by Krrish Dholakia and Ishaan Jaffer. It first appeared on GitHub on 9 August 2023 and grew rapidly: by early 2026 it had approximately 41,900 GitHub stars, 6,900 forks, and was being downloaded around 3.4 million times per day from PyPI — the Python package repository. Enterprise adopters have included Stripe, Netflix, Adobe, and Samsara. Major open-source AI projects — DSPy, MLflow, OpenHands, CrewAI — depend on it directly.

This ubiquity makes LiteLLM what security researchers call a “choke point” in the AI dependency graph: it sits between applications and multiple AI service providers, holding privileged access to API keys, cloud credentials, and configuration data across entire organisations. That structural position is precisely what made it a high-value target.

Why It Matters for AI Governance and Narratives

The LiteLLM supply-chain attack is analytically significant beyond its immediate damage because it illustrates a structural tension that the AI industry has not yet resolved: the faster the industry builds shared infrastructure, the larger the blast radius when that infrastructure is compromised. The concentration risk is not incidental — it is a direct consequence of the standardisation that makes AI deployment efficient and accessible. LiteLLM’s estimated presence in 36% of cloud environments means that a single package compromise can cascade through thousands of corporate environments simultaneously, regardless of those organisations’ individual security postures.

For the observatory’s core analytical frame — tracking how AI is governed and understood — the incident opens several threads. First, no existing regulatory framework specifically addresses the security of AI gateway infrastructure; the EU AI Act’s provisions for high-risk systems and NIST’s AI Risk Management Framework are both silent on supply-chain risk at this layer. Second, the attack targeted the credential-harvesting opportunity created by AI deployment patterns: organisations that deploy LiteLLM necessarily concentrate API keys, cloud credentials, and proprietary model configurations in a single process. Third, and most structurally, the attack’s entry point was Trivy — an open-source security scanner whose compromise then propagated to LiteLLM. A tool designed to make CI/CD pipelines safer became the vector for poisoning them. The recursive irony here — security infrastructure as attack surface — is a pattern with precedents (XZ Utils, SolarWinds, 3CX) that the industry has still not structurally addressed.

Key Facts and Dates

On 24 March 2026, a threat-actor group tracked as TeamPCP published two malicious versions of the litellm package to PyPI (v1.82.7 and v1.82.8). The packages were live for approximately 40 minutes before PyPI quarantined them — but given LiteLLM’s download volume and its integration into automated CI/CD pipelines, over 40,000 malicious downloads were recorded in that window.

The attack did not begin with LiteLLM. Five days earlier, on 19 March, TeamPCP had compromised Aqua Security’s Trivy container-scanning tool by rewriting Git tags in the trivy-action GitHub Actions repository to point to a malicious release. LiteLLM’s build pipeline consumed Trivy via an unpinned dependency, allowing the attackers to exfiltrate BerriAI’s PyPI publishing credentials from GitHub Actions. The malicious packages embedded a three-stage payload: harvesting credentials and environment variables, encrypting and exfiltrating them to a lookalike domain (models.litellm[.]cloud), and installing a persistent backdoor — including, in Kubernetes environments, a privileged container named to resemble legitimate cluster infrastructure.
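One mitigation for the root cause described above, a build pipeline consuming an action through a mutable tag, is to pin every `uses:` reference to a full commit SHA. The following audit script is an added example, not code from the page or from BerriAI; the sample workflow is constructed and the SHA in it is a placeholder.

```python
import re

# Matches a `uses:` step in a GitHub Actions workflow: owner/repo[/path]@ref
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)")
# A full 40-hex commit SHA is immutable; tags and branches can be repointed.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000   # pinned to a SHA
      - name: Scan image
        uses: aquasecurity/trivy-action@master                            # mutable branch
      - uses: actions/setup-python@v5                                     # mutable tag
"""


def audit_workflow(text: str) -> list[dict]:
    """Return one finding per `uses:` reference not pinned to a full commit SHA.

    A tag such as v5 or a branch such as master can be rewritten upstream,
    silently redirecting every consumer to a different commit. A 40-hex SHA
    cannot be repointed, so it is the only reference that survives a tag rewrite.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if FULL_SHA_RE.match(ref):
            continue  # immutable reference, nothing to report
        findings.append({"line": lineno, "action": action, "ref": ref})
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} is not pinned to a commit SHA")
```

Run it against each workflow file under .github/workflows; every reported reference should be replaced with the SHA of the release it is meant to track, with the tag kept in a trailing comment for readability.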

A bug in the malware — a recursive fork that caused extreme resource consumption — both limited its effectiveness and triggered its discovery, when researcher Callum McMahon noticed his system degrading under the load.

BerriAI’s response was prompt: it removed the packages, rotated credentials, engaged Google Mandiant for forensic analysis, and released a clean v1.83.0 from a rebuilt CI/CD pipeline. The AI recruiting startup Mercor was the first company to publicly confirm downstream impact, stating it was “one of thousands” affected. Extortion group Lapsus$ separately claimed to have stolen 4TB of Mercor data, including candidate profiles, video interviews, and source code — though Mercor did not independently confirm the scope of that claim. Mandiant’s assessment indicated that over 1,000 SaaS environments were known to be impacted and were dealing with cascading effects.

TeamPCP is also tracked as PCPcat, ShellForce, and DeadCatx3, and has been active since at least December 2025.

Where to Learn More

Sources

Primary disclosure from BerriAI, the project's maintainer. Authoritative on timeline, affected versions, indicators of compromise, and remediation steps.
Detailed technical analysis of the full attack chain from the Trivy compromise through to LiteLLM. Snyk is a widely cited software supply-chain security firm.
Authoritative on payload architecture (three-stage design, AES-256-CBC encryption, .pth persistence mechanism). Sonatype maintains the OSS Index and tracks PyPI threats.
Covers downstream victim confirmation from Mercor and Lapsus$ extortion claims. The Register is a longstanding authoritative source for security incident reporting.
Referenced in: Editorial No. 39