According to 1M AI News monitoring, OpenAI founding member Andrej Karpathy posted that the supply chain attack on LiteLLM, a widely used Python library for AI agent development, is "essentially the scariest thing in modern software." LiteLLM is downloaded roughly 97 million times a month; the poisoned releases v1.82.7 and v1.82.8 have since been removed from PyPI.
Simply running `pip install litellm` while one of those releases was the newest on PyPI was enough to steal SSH keys, AWS/GCP/Azure credentials, Kubernetes configurations, Git credentials, environment variables (including every API key), shell history, encrypted wallets, SSL private keys, CI/CD keys and database passwords from the host. The malicious code bundles the harvested data, encrypts the bundle with a 4096-bit RSA key and exfiltrates it to the look-alike domain `models.litellm.cloud`; it also tries to create a privileged container in the `kube-system` namespace of Kubernetes clusters the host can reach, planting a persistent backdoor. Because installation alone triggers the payload, no application code has to run for the theft to happen.
The blast radius is even larger because any project that depends on LiteLLM is compromised too: running `pip install dspy` (dspy requires litellm>=1.64.0) would have pulled in a poisoned release during the window it was live. The tainted versions survived on PyPI for only about an hour before being discovered, ironically because a bug in the attacker's own code caused a memory-exhaustion crash. Developer Callum McMahon ran into the attack while using an MCP plugin in the AI programming tool Cursor, which pulled in LiteLLM as an indirect dependency; the host machine crashed on installation, exposing the attack. Karpathy commented, "If the attacker hadn't vibe-coded this attack, it might have gone unnoticed for days or even weeks."
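The first question for any team after reading the above is whether a poisoned release reached their environments, directly or through a dependency such as dspy. The following triage script is an added example written for this page, not code from LiteLLM or from the advisory; it parses constructed `pip list --format=json` output and constructed requirement lines, and its simplified version comparison handles plain `x.y.z` releases only.

```python
import json
import re

# Poisoned LiteLLM releases named on this page.
AFFECTED_LITELLM = {"1.82.7", "1.82.8"}

# Constructed sample of `pip list --format=json` output (not a real environment).
SAMPLE_PIP_LIST = json.dumps([
    {"name": "dspy", "version": "2.6.0"},
    {"name": "litellm", "version": "1.82.7"},
    {"name": "requests", "version": "2.32.3"},
])

# Constructed requirement lines as they might appear in requirements.txt files
# or in a dependency's own metadata (dspy's pin is the one quoted on the page).
SAMPLE_REQUIREMENTS = [
    "dspy>=2.5",
    "litellm>=1.64.0",
    "litellm==1.82.6",
    "litellm>=1.82.7,<1.82.9",
]

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)\s*(?P<spec>.*)$")
_CLAUSE_RE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9][0-9.]*)$")


def parse_version(text):
    """'1.82.7' -> (1, 82, 7). Plain numeric releases only, which is all the
    affected versions are; a pre-release suffix raises ValueError."""
    return tuple(int(part) for part in text.split("."))


def parse_requirement(line):
    """'litellm>=1.64.0,<2' -> ('litellm', [('>=', (1, 64, 0)), ('<', (2,))])."""
    m = _REQ_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse requirement: {line!r}")
    clauses = []
    for clause in m.group("spec").split(","):
        clause = clause.strip()
        if not clause:
            continue
        cm = _CLAUSE_RE.match(clause)
        if not cm:
            raise ValueError(f"unsupported specifier: {clause!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return m.group("name").lower(), clauses


def satisfies(version, clauses):
    """True if `version` meets every clause (tuple comparison stands in for
    full PEP 440 semantics, which is enough for x.y.z releases)."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)


def constraint_allows_affected(line):
    """True if a `litellm` requirement line could resolve to a poisoned release.
    pip picks the newest allowed release, so any open-ended lower bound below
    1.82.7 (or no pin at all) would have pulled 1.82.8 while it was live.
    Other package names return False; their own pin on litellm must be
    checked as its own line."""
    name, clauses = parse_requirement(line)
    return name == "litellm" and any(satisfies(v, clauses) for v in AFFECTED_LITELLM)


def affected_installs(pip_list_json):
    """Names of installed distributions that are a poisoned LiteLLM release."""
    return [pkg["name"] for pkg in json.loads(pip_list_json)
            if pkg["name"].lower() == "litellm" and pkg["version"] in AFFECTED_LITELLM]


if __name__ == "__main__":
    print("poisoned installs:", affected_installs(SAMPLE_PIP_LIST))
    for req in SAMPLE_REQUIREMENTS:
        print(f"{req:28s} could resolve to poisoned: {constraint_allows_affected(req)}")
```

Run it against `pip list --format=json` from every virtualenv, container image and CI runner that installed packages during the window; a requirement line that merely *could* resolve to 1.82.7 or 1.82.8 is reason enough to check what was actually installed, since the lockfile in the repository is not what pip resolved at that moment.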
At the end of February the hacking group TeamPCP exploited a misconfiguration in LiteLLM's GitHub Actions CI/CD pipeline involving the Trivy vulnerability scanner to steal the project's PyPI deployment token. With that long-lived token they uploaded the malicious versions directly to PyPI, bypassing the GitHub repository and its release workflow entirely. Krrish Dholakia, CEO of Berri AI, the company that maintains LiteLLM, said that all deployment tokens have been revoked and that the project plans to move to a trusted-publishing release mechanism based on short-lived JWT (OIDC) tokens instead of stored API tokens. PyPA issued security advisory PYSEC-2026-2 advising anyone who installed an affected version to assume every credential in that environment is compromised and to rotate it immediately. Revoking the publishing token alone does not close the incident: everything the payload could read on affected developer machines and CI runners, including the credential types listed above, has to be treated as stolen.
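Turning the advisory's "assume everything is compromised" into a concrete rotation list, and checking for the two cluster- and network-level traces the page describes (a privileged container in `kube-system` and traffic to `models.litellm.cloud`), is the second half of triage. The script below is an added example for this page, not code from LiteLLM, Berri AI or PyPA; the credential file paths are this example's own assumptions matching the categories the page lists, not paths taken from the malicious code, and all inputs (a throwaway home directory, environment, `kubectl` JSON and proxy log lines) are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Credential locations for the categories the page says the payload harvested.
# The relative paths are this example's assumptions, not a list from the payload.
HARVESTED_PATHS = {
    "ssh_keys": [".ssh/id_rsa", ".ssh/id_ecdsa", ".ssh/id_ed25519"],
    "aws": [".aws/credentials", ".aws/config"],
    "gcp": [".config/gcloud/application_default_credentials.json"],
    "azure": [".azure/msal_token_cache.json"],
    "kubernetes": [".kube/config"],
    "git": [".git-credentials"],
    "shell_history": [".bash_history", ".zsh_history"],
}
# Environment variable names that usually carry a secret (API keys included).
SECRET_ENV_RE = re.compile(r"KEY|TOKEN|SECRET|PASSW|CREDENTIAL", re.IGNORECASE)
# Exfiltration domain named on the page.
EXFIL_DOMAIN = "models.litellm.cloud"


def rotation_checklist(home, environ):
    """Inventory the credentials that were readable on an affected host, grouped
    by category, so each one can be rotated. Per the advisory, assume every
    entry returned here is already in the attacker's hands."""
    home = Path(home)
    found = {}
    for category, rel_paths in HARVESTED_PATHS.items():
        hits = [str(home / rel) for rel in rel_paths if (home / rel).is_file()]
        if hits:
            found[category] = hits
    env_hits = sorted(name for name in environ if SECRET_ENV_RE.search(name))
    if env_hits:
        found["env_vars"] = env_hits
    return found


def privileged_pods(pods_json):
    """Names of pods (from `kubectl get pods -n kube-system -o json`) that run a
    privileged container or share the host PID/network namespace. Some legitimate
    kube-system workloads (CNI plugins, kube-proxy) are privileged, so review
    the list rather than treating every hit as the backdoor."""
    suspicious = []
    for pod in json.loads(pods_json)["items"]:
        spec = pod["spec"]
        host_level = spec.get("hostPID") or spec.get("hostNetwork")
        priv_ctr = any((c.get("securityContext") or {}).get("privileged")
                       for c in spec.get("containers", []))
        if host_level or priv_ctr:
            suspicious.append(pod["metadata"]["name"])
    return suspicious


def exfil_hits(log_lines):
    """Proxy/DNS log lines that touched the exfiltration domain."""
    return [line for line in log_lines if EXFIL_DOMAIN in line]


def make_sample_home():
    """Build a throwaway HOME containing constructed placeholder credential files."""
    home = Path(tempfile.mkdtemp(prefix="litellm-triage-"))
    for rel in (".ssh/id_ed25519", ".aws/credentials", ".kube/config"):
        (home / rel).parent.mkdir(parents=True, exist_ok=True)
        (home / rel).write_text("constructed placeholder\n")
    return home


# Constructed sample inputs (not real data).
SAMPLE_ENV = {"PATH": "/usr/bin", "OPENAI_API_KEY": "sk-x", "AWS_SECRET_ACCESS_KEY": "y"}
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "coredns-7d8f"}, "spec": {"containers": [{"name": "coredns"}]}},
    {"metadata": {"name": "metrics-sync"}, "spec": {"hostPID": True, "containers": [
        {"name": "sync", "securityContext": {"privileged": True}}]}},
]})
SAMPLE_LOGS = [
    "10:01:02 CONNECT pypi.org:443 200",
    "10:01:09 CONNECT models.litellm.cloud:443 200",
]

if __name__ == "__main__":
    print(rotation_checklist(make_sample_home(), SAMPLE_ENV))
    print(privileged_pods(SAMPLE_PODS))
    print(exfil_hits(SAMPLE_LOGS))
```

On a real host call `rotation_checklist(Path.home(), os.environ)` and feed `privileged_pods` the output of `kubectl get pods -n kube-system -o json` for every cluster whose kubeconfig was on the machine; a hit from `exfil_hits` in egress logs confirms the payload ran, but its absence does not clear a host, since the page notes the crash may have interrupted the upload.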
