High Impact · ACTION REQUIRED

Backdoored AI Library on PyPI Exposes Cloud Credentials and Kubernetes Access

A coordinated supply chain attack backdoored LiteLLM — an AI gateway library with three million daily downloads — on the Python Package Index on 24 March 2026. Any system that installed the package during a 40-minute window received malware that silently harvested cloud credentials, Kubernetes secrets, and CI/CD tokens. The attacker gained access by first compromising a security scanning tool used in LiteLLM's own build pipeline.

Tags: NIS2, ISO 27001, SOC 2

What Happened

On 24 March 2026, threat actor TeamPCP published malicious versions of the litellm Python package to the Python Package Index (PyPI). LiteLLM is a library that provides a unified API gateway for accessing commercial AI models including OpenAI GPT-4, Anthropic Claude, Google Gemini, and over 100 other large language model providers. It has approximately three million daily downloads and is embedded as a dependency in numerous AI development frameworks.

The attacker did not hack LiteLLM directly. Instead, they compromised a Trivy security scanning GitHub Action used in LiteLLM’s automated release pipeline — capturing the PyPI publish credentials from the build environment. The malicious packages were live for approximately 40 minutes before being removed.

Any organisation that installed or rebuilt applications using LiteLLM during that window received malware that automatically executed on every Python process startup — not just when LiteLLM was explicitly imported.

Business Impact

What was taken from compromised systems:

The malware was designed for maximum credential harvesting on first run. It captured and encrypted:

  • Cloud provider API keys and IAM credentials: AWS access keys and secret keys, Azure service principal credentials, Google Cloud service account keys
  • Kubernetes configuration: cluster credentials, service account tokens, namespace-level secrets — providing potential access to container orchestration infrastructure
  • CI/CD pipeline secrets: GitHub Actions tokens, GitLab CI variables, CircleCI environment secrets — which can be used to further compromise build pipelines
  • Database connection strings, SSH keys, Docker credentials, and application secrets from environment variables and configuration files

All exfiltrated data was encrypted and sent to an external endpoint. The malware also installed a persistent backdoor independent of the LiteLLM package — simply removing the package does not remove the malware.

The transitive dependency risk:

LiteLLM is embedded as a transitive dependency in AI agent frameworks, Model Context Protocol (MCP) servers, and LLM orchestration platforms. Organisations may be exposed even if they have no direct LiteLLM usage — any application whose dependency tree resolved to litellm==1.82.7 or 1.82.8 during that 40-minute window is potentially compromised.

Regulatory Implications

Organisations operating under NIS2 (in the EU), ISO 27001, or SOC 2 frameworks have explicit supply chain security obligations. The NIS2 Article 21 mandate for supply chain security risk management means in-scope entities must assess their software supply chain exposure — open-source package dependencies included — and have controls for detecting and responding to supply chain compromise events of this type.

Where compromised cloud credentials resulted in access to systems holding personal data, GDPR breach notification obligations may be triggered under Article 33 (72-hour notification to supervisory authority) if the compromise meets the threshold of a risk to the rights and freedoms of individuals.

Board-Ready Summary

  • A widely used AI infrastructure library was secretly backdoored on its official download channel on 24 March. Any development system, cloud environment, or CI/CD pipeline that installed the package during a 40-minute window is likely compromised.
  • The malware harvested cloud credentials and Kubernetes access — not just from the LiteLLM application, but from everything on the system. Attackers now potentially hold keys to AWS, Azure, Google Cloud, and Kubernetes environments.
  • Removing the package is not enough. The malware installs a persistent backdoor. Affected systems must be rebuilt from clean images and all credentials must be rotated.
Recommended Actions

  1. Audit all environments for installations of litellm==1.82.7 or litellm==1.82.8: check Python environments, Docker build logs, and CI/CD pipeline artefacts from 24 March 2026
  2. If affected, treat the environment as fully compromised: rebuild containers from clean base images and re-image virtual machines — do not attempt to clean in place
  3. Rotate all credentials immediately that were present on affected systems: AWS IAM keys, Azure service principals, GCP service accounts, Kubernetes service accounts, database passwords, CI/CD tokens, and SSH keys
  4. Audit Kubernetes clusters for unexpected new pods, service accounts, role bindings, or namespace-level secret access from approximately 24 March onwards
  5. Check cloud provider usage logs for API calls or resource changes from around 24 March that you cannot account for in normal operations
  6. Brief your engineering leadership and CISO if your organisation uses AI development tooling — this attack targets the infrastructure layer beneath AI applications and the blast radius extends to cloud accounts and CI/CD systems
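The audit in step 1 can be partly scripted. The following Python helper is an added example, not code from the briefing or from the LiteLLM project: it flags the two version pins the briefing names in requirements or pip-freeze text and in a site-packages directory, and lists .pth files there for review. That last check rests on an assumption the briefing does not state: .pth files are one standard mechanism by which code runs on every interpreter start, which matches the described behaviour of executing without an explicit import.

```python
import re
import sysconfig
import tempfile
from pathlib import Path

# Versions the briefing names as malicious.
AFFECTED = {"1.82.7", "1.82.8"}
PIN_RE = re.compile(r"^\s*litellm\s*==\s*([0-9][\w.]*)", re.IGNORECASE | re.MULTILINE)
DIST_RE = re.compile(r"^litellm-([0-9][\w.]*)\.dist-info$", re.IGNORECASE)


def affected_pins(lockfile_text: str) -> list[str]:
    """Affected litellm pins found in requirements.txt or pip freeze output."""
    return [v for v in PIN_RE.findall(lockfile_text) if v in AFFECTED]


def affected_dist_infos(site_packages: Path) -> list[str]:
    """Affected litellm versions installed in one site-packages directory,
    read from the *.dist-info metadata directory names that pip creates."""
    found = []
    for entry in site_packages.iterdir():
        m = DIST_RE.match(entry.name)
        if m and m.group(1) in AFFECTED:
            found.append(m.group(1))
    return sorted(found)


def startup_hooks(site_packages: Path) -> list[Path]:
    """.pth files in site-packages. Assumption (not stated in the briefing):
    .pth files are a standard place where code runs on every interpreter
    start, so on a suspect host each one deserves a manual review."""
    return sorted(site_packages.glob("*.pth"))


def build_constructed_site_packages() -> Path:
    """Constructed fixture: a fake site-packages with one affected install,
    one unrelated package, and one startup hook file."""
    root = Path(tempfile.mkdtemp())
    (root / "litellm-1.82.7.dist-info").mkdir()
    (root / "somelib-1.0.0.dist-info").mkdir()
    (root / "example.pth").write_text("import os\n")
    return root


if __name__ == "__main__":
    # Audit the interpreter this script runs under.
    sp = Path(sysconfig.get_paths()["purelib"])
    print("affected litellm installs:", affected_dist_infos(sp))
    print("startup hooks to review:", [p.name for p in startup_hooks(sp)])
```

Run it once per Python environment (each virtualenv and each container image), and feed exported requirements or freeze files to `affected_pins` for environments you cannot execute code in.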