A supply chain attack on LiteLLM—downloaded 3 million times daily—compromised version 1.82.8 on PyPI for roughly 40 minutes, infecting over 40,000 downloads with malware designed to steal API keys, cloud credentials, SSH keys, and crypto wallets. FutureSearch researcher Callum McMahon discovered the attack when his 48GB Mac ground to a halt after simply launching a local MCP server through Cursor, which automatically pulled the compromised package.
This hits different from a typical supply chain attack because LiteLLM sits at the heart of most AI infrastructure stacks. A unified API gateway for 63+ AI providers holds every provider key it proxies, and it usually runs on a machine or in a cluster that also holds AWS credentials, Kubernetes configs and shell history. Compromise the gateway package and attackers don't just get your OpenAI keys, they get the lot. We saw this pattern two weeks ago with the Trivy scanner attack, and now it's accelerating: AI tooling has become an attack vector of choice.
Ironically, the malware's sloppy implementation kept the damage far below what it could have been. The payload was launched from a .pth file in site-packages, which the interpreter executes at every startup of any Python process using that environment, not just LiteLLM itself; that is why simply launching an MCP server was enough to trigger it. The launcher created a recursive fork bomb that crashed infected systems within minutes, so victims noticed immediately. Andrej Karpathy noted that without this coding mistake the exfiltration could have run silently for weeks or months. PyPI's security team quarantined the package within 40 minutes of McMahon's report.
Developers should audit their environments immediately using Point Wild's open-sourced "who-touched-my-packages" scanner or FutureSearch's litellm-checker tool, and anyone who installed or upgraded LiteLLM during the window should assume the credentials on that machine are exposed and rotate them: API keys, cloud credentials, SSH keys, the lot. More critically, pin your AI dependencies to specific versions and verify them with hashes, so a substituted artifact fails to install rather than relying on version pins alone, which only stop you from picking up new releases unreviewed; and use private package mirrors for production deployments. The AI supply chain is under active attack; treat it accordingly.
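A minimal environment audit that covers the two points above, added here as an example rather than the code of FutureSearch's litellm-checker or Point Wild's scanner: it lists every .pth file in site-packages whose lines the interpreter would execute at startup, and checks the installed LiteLLM version against the release named in this article. The only page-sourced value is 1.82.8; the keyword heuristic for a "suspicious" loader line is an assumption and will need tuning.

```python
"""Audit a Python environment for startup code in .pth files and for a
known-bad LiteLLM release.

Added example for this page, not FutureSearch's or Point Wild's tooling.
The version 1.82.8 comes from the article; the suspicion keywords are an
assumption about what a malicious loader line tends to contain.
"""
import re
import site
from importlib.metadata import PackageNotFoundError, version
from pathlib import Path
from typing import Iterable, Optional

BAD_LITELLM_VERSIONS = {"1.82.8"}  # release named in the article

# site.py exec()s any .pth line that begins with "import " or "import\t" at
# every interpreter start; every other line is treated as a sys.path entry.
_EXEC_LINE = re.compile(r"^import[ \t]")
# Assumed heuristic: tokens a legitimate import hook rarely needs on one line.
_SUSPICIOUS = re.compile(
    r"exec\(|compile\(|base64|zlib|marshal|subprocess|os\.system|os\.fork|urlopen|socket"
)


def exec_lines_in_pth(text: str) -> list[str]:
    """Return the lines of a .pth body that the interpreter would execute."""
    return [ln.rstrip() for ln in text.splitlines() if _EXEC_LINE.match(ln)]


def classify_pth(text: str) -> str:
    """'path' if nothing executes, 'import' if code runs at startup,
    'suspicious' if that code also matches the loader heuristic."""
    lines = exec_lines_in_pth(text)
    if not lines:
        return "path"
    if any(_SUSPICIOUS.search(ln) for ln in lines):
        return "suspicious"
    return "import"


def scan_pth_texts(pth_bodies: dict[str, str]) -> dict[str, str]:
    """Map file name -> classification, keeping only files that execute code."""
    return {
        name: kind
        for name, body in pth_bodies.items()
        if (kind := classify_pth(body)) != "path"
    }


def scan_site_packages(dirs: Iterable[Path]) -> dict[str, str]:
    """Read every *.pth under the given directories and classify each one."""
    bodies = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            try:
                bodies[str(pth)] = pth.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return scan_pth_texts(bodies)


def installed_version(dist: str) -> Optional[str]:
    """Installed version of a distribution, or None if it is absent."""
    try:
        return version(dist)
    except PackageNotFoundError:
        return None


def is_bad_version(v: Optional[str], bad: set[str] = BAD_LITELLM_VERSIONS) -> bool:
    return v is not None and v in bad


if __name__ == "__main__":
    dirs = [Path(p) for p in site.getsitepackages()] + [Path(site.getusersitepackages())]
    for path, kind in scan_site_packages(dirs).items():
        print(f"{kind:10} {path}")
    v = installed_version("litellm")
    print("litellm:", v or "not installed", "<- KNOWN BAD" if is_bad_version(v) else "")
```

Legitimate .pth files that execute code do exist (setuptools' distutils-precedence.pth, virtualenv's _virtualenv.pth, editable installs), so treat "import" as review-worthy and "suspicious" as stop-and-look rather than as a verdict. For the pinning advice, `pip install --require-hashes -r requirements.txt` against a lockfile with recorded hashes is the switch that makes a substituted artifact fail to install.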
