Voices
Simon Willison (March 24): LiteLLM v1.82.8 Compromised by TeamPCP — Credential Stealer in 97M-Download AI Package
Willison flagged a supply chain attack on LiteLLM, the popular AI model proxy with 97M monthly PyPI downloads: versions 1.82.7 and 1.82.8 contained a malicious .pth file that executed automatically on any Python process startup without an import statement. The credential stealer harvested SSH keys, AWS/GCP/Azure creds, Kubernetes configs, crypto wallets, and browser history, encrypting and exfiltrating to a lookalike domain. Willison traced the attack chain — TeamPCP first compromised Trivy (a security scanner LiteLLM used in CI/CD), then used stolen credentials to publish the poisoned packages directly to PyPI.
↳ Follow the thread