AI Development11 min read

LiteLLM Supply Chain Attack: Protect Your AI Stack

A supply chain attack targeting LiteLLM exposed AI infrastructure at dozens of organizations. Incident breakdown, attack vectors, and mitigation actions.

Digital Applied Team

March 24, 2026

11 min read

97M

Monthly Downloads Affected

Mar 24

Attack Disclosure Date

AI Providers Targeted

TeamPCP

Threat Actor Campaign

Key Takeaways

The March 24 attack compromised 97M monthly LiteLLM downloads via TeamPCP: The TeamPCP campaign published malicious packages to PyPI that mimicked LiteLLM plugins. Organizations running LiteLLM in production were exposed to API key exfiltration and in some configurations full LLM request payload forwarding to attacker-controlled endpoints.

Rotate all AI provider API keys immediately if you use LiteLLM: Keys for OpenAI, Anthropic, Cohere, and any other provider stored in environment variables accessible to the LiteLLM process should be considered compromised until rotation is confirmed. The malicious package targeted environment variable exfiltration specifically.

Pin LiteLLM and all dependencies to verified commit hashes, not version ranges: Version range specifications like >=1.0.0 allow automatic installation of newer — potentially malicious — releases. Use exact pinning in requirements.txt or pyproject.toml and verify hashes against a known-good state before each deployment.

AI infrastructure requires supply chain security posture, not just application security: LLM proxies sit at a privileged position in the AI stack, routing all model traffic and holding credentials for multiple providers simultaneously. This makes them high-value supply chain targets. Standard application security practices are necessary but insufficient without explicit supply chain controls.

On March 24, 2026, security researchers disclosed a coordinated supply chain attack targeting LiteLLM, one of the most widely deployed open-source LLM proxy libraries in production AI infrastructure. The attack, attributed to the TeamPCP campaign, exploited the trust developers place in PyPI packages to deliver malicious code that exfiltrated API keys and intercepted model traffic. With 97 million monthly downloads, LiteLLM's reach meant the blast radius was substantial.

This is not a hypothetical supply chain risk. It is a confirmed incident with documented attack vectors, known exfiltrated data types, and organizations that need to take immediate action. This guide covers the full incident timeline, what was compromised, how to detect exposure, and a hardening checklist to protect your AI infrastructure going forward. For broader context on why AI infrastructure is becoming a primary attack surface, see our analysis of AI agent security in 2026, where the data shows 1 in 8 breaches now involves agentic systems.

Immediate action required: If you run LiteLLM in production and have not already rotated your AI provider API keys since March 24, do so now. Treat all keys in the LiteLLM environment as potentially compromised. The key rotation section of this guide covers the full scope of credentials to address.

What Happened: The March 24 Attack

The incident was disclosed publicly on March 24, 2026 after security researchers identified anomalous network traffic patterns originating from environments running LiteLLM. Investigation traced the behavior to malicious PyPI packages published as part of the TeamPCP campaign — a coordinated operation targeting AI infrastructure tooling across multiple open-source projects.

The malicious packages were not modifications to LiteLLM's official codebase. LiteLLM's core package published through its official maintainers was not itself compromised. The attack worked by publishing packages with names designed to be confused with legitimate LiteLLM plugins and optional dependencies — a technique combining typosquatting, dependency confusion, and in some cases targeted advertising of the fake packages in AI developer communities.

Incident Timeline

Early Mar 2026

TeamPCP begins publishing malicious packages to PyPI mimicking LiteLLM plugins. Initial download counts are low as the campaign tests package name viability.

Mar 18–23

Download volumes increase significantly as campaign promotion targets AI developer communities. Affected packages are installed into production environments at dozens of organizations.

Mar 24

Security researchers publish disclosure. PyPI removes identified malicious packages. LiteLLM maintainers publish security advisory. Affected organizations begin incident response.

Mar 24–25

Organizations begin credential rotation, log auditing, and forensic review of LiteLLM deployment environments. Incident response guidance published across AI developer community channels.

The attack exploited a structural vulnerability in how AI developers consume open-source tooling: the LiteLLM ecosystem has grown to include many optional plugins and provider-specific packages, and developers routinely install these from PyPI based on documentation references without verifying package provenance. TeamPCP understood this behavior and designed its campaign specifically to exploit it.

TeamPCP Campaign and Attack Vector

TeamPCP is a financially motivated threat actor group that has been observed targeting developer tooling ecosystems across multiple programming languages since 2024. The March 2026 LiteLLM campaign represents their most significant operation to date in terms of affected download volume and the sensitivity of the credentials targeted. The group operates with a level of operational sophistication that distinguishes them from opportunistic typosquatters.

Typosquatting

Package names differing by one character from legitimate LiteLLM plugins — dashes vs underscores, transposed letters, or appended version suffixes. Designed to be installed by developers mistyping package names.

Dependency Confusion

Packages named to match internal package names that some organizations use for LiteLLM configuration wrappers. Organizations with private registries configured to fall back to public PyPI were particularly vulnerable.

Social Engineering

Malicious Payload Behavior

Phase 1 — Environment enumeration (runs on import)

# Scans os.environ for keys matching AI provider patterns
# OPENAI_API_KEY, ANTHROPIC_API_KEY, COHERE_API_KEY, etc.
# Transmits matches via HTTPS POST to attacker endpoint

Phase 2 — Request interception (if loaded in pipeline)

# Hooks into LiteLLM request/response pipeline
# Forwards prompt content + model responses to C2
# Operates silently — no error output, no slowdown

Phase 3 — Persistence (in some variants)

# Adds secondary exfiltration to startup scripts
# Survives package removal if startup files not cleaned

The payload's operational security was notable. It used HTTPS with valid certificates for exfiltration traffic, mimicking normal API provider traffic patterns. It added no visible error output, no anomalous CPU or memory usage, and no behavioral signals that would trigger standard application monitoring. Detection required network traffic analysis looking for unexpected destination IPs in the AI provider traffic pattern — a level of inspection most organizations do not apply to their AI service deployments.

Scope of Exposure: 97M Monthly Downloads

LiteLLM's 97 million monthly downloads reflect its position as the de facto standard for LLM provider abstraction in Python AI applications. That download volume does not mean 97 million organizations were affected — a significant portion of downloads are CI/CD pipeline reinstallations of the same few thousand production deployments. But the scale indicates the breadth of the potential attack surface.

Directly Affected

Organizations that installed one or more TeamPCP malicious packages in their LiteLLM deployment environment between approximately March 10 and March 24. These organizations had credentials exfiltrated and potentially LLM traffic intercepted.

At-Risk Exposure

All organizations running LiteLLM in production should assume potential exposure until an audit confirms no malicious packages were installed. The campaign's use of multiple attack vectors means a clean requirements file does not guarantee safety if CI/CD pipeline installs were not also audited.

Downstream Risk

Organizations that did not use LiteLLM directly but used software built on LiteLLM face indirect exposure if that software was built in a compromised environment. SaaS products and internal tools built on LiteLLM during the affected window warrant supplier security review.

Unaffected

Organizations using LiteLLM through Docker images from the official ghcr.io registry with hash pinning, or through verified internal package mirrors with no public PyPI fallback, and with no manually installed plugins during the affected window.

The incident highlights a structural problem in AI infrastructure security: LLM proxies like LiteLLM occupy an extraordinarily privileged position in the AI stack. They sit between applications and model providers, routing all traffic and holding credentials for multiple providers simultaneously. A compromise at this layer is worse than an application-level compromise because it affects every model interaction across every application routed through the proxy. This is precisely why AI supply chain attacks are increasingly attractive to sophisticated threat actors, as explored in our analysis of shadow AI across 76% of organizations — where unmonitored AI tooling creates exactly the visibility gaps attackers exploit.

What Data Was Compromised

Understanding what the malicious payload targeted helps organizations prioritize their incident response and assess the full scope of potential business impact beyond the immediate credential rotation requirement.

AI provider API keys: The primary target. Keys matching OPENAI_API_KEY, ANTHROPIC_API_KEY, COHERE_API_KEY, GOOGLE_API_KEY, AZURE_OPENAI_API_KEY, MISTRAL_API_KEY, GROQ_API_KEY, and similar patterns were exfiltrated from environment variables on import. Keys in secrets managers accessed via environment variable references were equally vulnerable.

LLM request content: In deployments where the malicious package was loaded as part of the request pipeline (most configurations where it was imported as a plugin), full prompt content including system prompts and conversation history was forwarded to the attacker endpoint. This may constitute a data breach if prompts contained personal data, proprietary business information, or regulated data categories.

LLM response content: Model responses were also captured in pipeline interception mode. For applications using LiteLLM to process customer data or generate content containing business logic, response content exfiltration may reveal proprietary workflows, system prompt structures, and application logic.

Adjacent environment variables: The enumeration stage did not limit itself to known API key patterns — it targeted any environment variable whose name contained common credential indicators (KEY, SECRET, TOKEN, PASSWORD, CREDENTIAL). Database connection strings, webhook secrets, and other service credentials in the same environment should be considered exposed.

Organizations in regulated industries — healthcare, finance, legal — should assess whether the intercepted prompt content constitutes a reportable breach under applicable regulations (HIPAA, GDPR, CCPA, SOX). If LiteLLM was processing patient information, financial data, or other regulated categories, legal and compliance teams should be engaged immediately for breach notification assessment.

Immediate Detection and Audit Steps

Before rotating credentials and hardening your deployment, complete a forensic audit to establish whether and how your environment was affected. The order matters: audit first to understand scope, then rotate to remediate, then harden to prevent recurrence.

Package Audit Commands

List all installed packages in the LiteLLM environment

pip list --format=json > installed_packages.json

Check pip installation history (macOS/Linux)

cat ~/.local/share/pip/history 2>/ || pip log

Review outbound connections from the deployment (adjust time window and interface as needed)

# In container environments, check network logs
# Filter for HTTPS traffic to non-provider IPs
# Flag any requests to IPs not in your provider allowlist

Verify package hashes against PyPI records

pip hash ./path/to/package.whl
# Compare against known-good hash from PyPI

If your deployment runs in containers, pull the image manifest and review the layer history for unexpected package installations. For Kubernetes deployments, review admission controller logs for the affected time window. Check your CI/CD pipeline logs for any pip install steps that may have pulled packages not in your pinned requirements file.

Persistence check: Some TeamPCP variants add entries to startup scripts or profile files to ensure re-execution after the malicious package is removed. After package removal, audit ~/.bashrc, ~/.profile, /etc/profile.d/, and any Python startup scripts (PYTHONSTARTUP) in the deployment environment for unexpected additions.

API Key Rotation and Credential Hygiene

Credential rotation is not optional for any organization that ran LiteLLM during the affected window without confirmed clean audit results. The rotation sequence matters: create new keys before deactivating old ones to avoid service interruption, update all deployment environments with new keys, then deactivate and delete old keys.

Rotation Order

1.Generate new API keys at each provider dashboard
2.Update keys in all deployment environments (production, staging, CI/CD)
3.Verify services are functioning with new keys
4.Deactivate old keys at each provider
5.Monitor provider dashboards for usage on deactivated keys

Providers to Rotate

OpenAI (platform.openai.com/api-keys)
Anthropic (console.anthropic.com)
Cohere (dashboard.cohere.com)
Google AI Studio (aistudio.google.com)
Azure OpenAI (Azure portal)
Mistral AI (console.mistral.ai)
Groq (console.groq.com)
Together AI (api.together.ai)
Any other provider in your LiteLLM config

After rotation, implement secrets management as a structural improvement rather than continuing to pass credentials as environment variables. HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault all support dynamic secret issuance — generating short-lived credentials on demand rather than storing long-lived API keys. For AI provider keys specifically, use the minimum permissions scoping each provider allows (read-only keys where your use case permits, rate-limited keys for development environments).

Dependency Pinning and Verification

The root cause enabler of this attack was the combination of loose version specifications and public PyPI access without hash verification. Addressing both is required to prevent recurrence. These are not aspirational security improvements — they are standard software supply chain controls that should be in place for any production AI infrastructure.

Pinning and Hash Verification

requirements.txt — exact version with hash

litellm==1.35.0 \
    --hash=sha256:abc123...
    --hash=sha256:def456...

Install with hash enforcement

pip install --require-hashes -r requirements.txt

pyproject.toml (Poetry) — exact constraint

[tool.poetry.dependencies]
litellm = "1.35.0"  # exact, not "^1.35.0"

Disable PyPI fallback in private registry config (pip.conf)

[global]
index-url = https://your.private.registry/simple/
no-index = false
# Remove extra-index-url lines to prevent fallback

For teams using Docker-based LiteLLM deployments, pin the base image to a specific digest (not just a tag) and use multi-stage builds that install dependencies in a verified build stage and copy only the final artifacts to the runtime stage. This prevents the runtime container from having pip access and eliminates the attack surface for runtime package installation.

Hardening Your LiteLLM Deployment

Beyond package security, the LiteLLM deployment architecture itself can be hardened to limit the impact of any future compromise. These controls reduce the blast radius of a supply chain attack from catastrophic (all credentials exfiltrated, all traffic intercepted) to contained (limited blast radius, rapid detection).

Network Egress Filtering

Allow outbound HTTPS only to known AI provider endpoint IP ranges. Block all other outbound connections from the LiteLLM process. This prevents credential exfiltration even if a malicious package is installed — the exfiltration call to the attacker C2 is blocked at the network layer.

Request Logging and Anomaly Detection

Log all LiteLLM requests and responses with destination provider, token counts, and latency. Anomalous patterns — requests to unexpected providers, doubled latency suggesting request duplication, or unexpected token usage spikes — indicate potential interception.

Secrets Isolation

Run LiteLLM as a dedicated service account with minimal filesystem and environment variable access. Use a secrets manager with just-in-time credential injection rather than persistent environment variables. Rotate credentials on every deployment.

SBOM Generation

Generate a Software Bill of Materials for every LiteLLM container build using tools like Syft or Trivy. Store SBOM artifacts with each release and use them for automated comparison when new vulnerabilities are disclosed — you can immediately determine which of your deployed versions are affected.

Architecture recommendation: Consider running LiteLLM as an isolated sidecar or dedicated service with mutual TLS between your application and the proxy. This architectural separation means a compromised proxy cannot directly access application memory, filesystem, or environment variables beyond its own minimal runtime environment.

Broader AI Supply Chain Risk Landscape

The LiteLLM attack is not an isolated incident. It is a data point in a clear trend: as AI infrastructure tooling matures and becomes more widely deployed, it becomes a more attractive supply chain target. The economics are compelling for attackers — a single compromise of a widely-used AI proxy library can yield credentials for multiple AI providers across thousands of organizations simultaneously.

AI infrastructure has several properties that make it a particularly high-value supply chain target compared to traditional software dependencies. LLM proxies and SDKs hold credentials for multiple expensive API services. AI requests often contain sensitive data from users or proprietary business logic in system prompts. The AI tooling ecosystem is relatively young, with security practices lagging behind adoption rates. And many AI deployments run with broad permissions justified by the “it's just a developer tool” framing that has not caught up with production usage realities.

Package Scanning

Tools like Socket.dev, Snyk, and Semgrep Supply Chain detect malicious behavior patterns in new packages before installation. Integrate into your CI/CD pipeline for automated pre-install scanning of all AI/ML dependencies.

Update Policy

Establish a structured review process for AI dependency updates. Treat major AI infrastructure libraries (LiteLLM, LangChain, LlamaIndex) with the same update scrutiny applied to authentication and cryptography libraries.

Vendor Assessment

For AI tools built on top of LiteLLM or similar proxies, request supply chain security attestations from vendors. Ask whether they generate SBOMs, run dependency scanning, and have disclosed any exposure from the March 2026 incident.

The good news is that the defensive controls are well-understood. Software supply chain security has been a mature discipline in other contexts for years, and the same controls — dependency pinning, hash verification, private registries, SBOM generation, network egress filtering — apply directly to AI infrastructure. The gap is not knowledge but implementation: most AI teams have not yet applied these controls to their AI tooling with the same rigor they apply to their application infrastructure. The LiteLLM incident makes the cost of that gap concrete. For organizations assessing their broader AI security posture, our service page on AI and digital transformation covers how to build AI capabilities on a secure foundation.

Conclusion

The March 24 LiteLLM supply chain attack is a watershed moment for AI infrastructure security. The combination of 97 million monthly downloads, privileged credential access, and full LLM traffic visibility made LiteLLM an ideal target for the TeamPCP campaign. The incident demonstrates that AI infrastructure tools are now firmly within the adversarial threat model and must be treated accordingly.

The immediate priorities are clear: rotate all affected credentials, audit for malicious packages and persistence, and pin dependencies with hash verification going forward. The longer-term priority is building an AI infrastructure security posture that treats supply chain risk as a first-class concern — with the same rigor applied to authentication libraries, cryptographic code, and other privileged dependencies. The tooling and practices exist. The question is whether AI teams apply them before the next incident.

Build AI Infrastructure You Can Trust

Secure AI deployment is not just about the models — it requires supply chain controls, credential hygiene, and architecture decisions made from the start. Our team helps organizations build AI capabilities on a secure foundation.

Get Started Explore AI & Digital Transformation

Free consultation

Expert guidance

Tailored solutions