Rosa Del Mar

Daily Brief

Issue 83 2026-03-24

Install Time Execution Via Python Packaging

Sources: 1 • Confidence: Medium • Updated: 2026-03-25 17:55

Key takeaways

  • A malicious payload placed in a Python .pth file can execute on package installation, so installing the compromised LiteLLM package is sufficient to trigger credential-stealing behavior even if the library is never imported.
  • LiteLLM v1.82.7 contained an exploit located in proxy/proxy_server.py that required importing the package to activate.
  • On systems where the compromised package is installed, the credential stealer attempts to collect secrets from common locations including SSH keys, Git credentials, AWS configuration, Kubernetes configuration, and shell history files.
  • Stolen PyPI credentials were used to publish the vulnerable LiteLLM packages to PyPI.
  • The referenced article links to an issue describing the credential stealer’s behavior and separately links to a source describing the exploit timeline.

Sections

Install Time Execution Via Python Packaging

  • A malicious payload placed in a Python .pth file can execute on package installation, so installing the compromised LiteLLM package is sufficient to trigger credential-stealing behavior even if the library is never imported.

Version Scoped Activation Conditions

  • LiteLLM v1.82.7 contained an exploit located in proxy/proxy_server.py that required importing the package to activate.

Credential Theft Targets And Blast Radius

  • On systems where the compromised package is installed, the credential stealer attempts to collect secrets from common locations including SSH keys, Git credentials, AWS configuration, Kubernetes configuration, and shell history files.

Distribution Path Via PyPI Account Compromise

  • Stolen PyPI credentials were used to publish the vulnerable LiteLLM packages to PyPI.

Pointers To Deeper Forensics And Timeline Material

  • The referenced article links to an issue describing the credential stealer’s behavior and separately links to a source describing the exploit timeline.

Unknowns

  • Which exact LiteLLM versions and which exact distributions (filenames, hashes) were compromised with the .pth install-time trigger versus the import-time trigger?
  • What is the exploit timeline (initial compromise time, publication time(s), discovery time, removal/mitigation time) and what is the authoritative source for it?
  • What are the concrete indicators of compromise (files created/modified, network destinations, process behavior) associated with the credential stealer described?
  • Did the credential stealer successfully exfiltrate secrets in real-world cases, and if so, which credential types were actually used for follow-on access?
  • Is the publication pathway via stolen PyPI credentials confirmed, and what evidence supports or refutes it (account activity, maintainer confirmation, PyPI logs)?

Investor overlay

Read-throughs

  • Broader security tooling demand: install-time execution via Python packaging increases exposure in CI and build images, potentially driving spending on dependency scanning, artifact integrity, and CI hardening.
  • Higher sensitivity of developer and build environments: targeting SSH, Git, cloud, and Kubernetes secrets suggests elevated focus on workstation and build agent credential protection and secret management controls.
  • Supply-chain trust pressures on package ecosystems: stolen PyPI credentials used to publish compromised packages could increase demand for stronger publisher authentication and provenance in open-source distribution.

What would confirm

  • Authoritative timeline and version scope published, specifying exact LiteLLM versions and distributions affected by install-time .pth trigger versus import-time trigger, plus hashes and release times.
  • Concrete indicators of compromise documented: files created or modified, network destinations, and process behavior tied to the credential stealer, enabling reliable detection and incident scoping.
  • Evidence confirming publication via stolen PyPI credentials, such as maintainer confirmation or platform logs showing account compromise and malicious release activity.

What would kill

  • Validated analysis shows no install-time .pth execution in released artifacts, limiting activation to import-time behavior and reducing exposure in install-only environments.
  • Forensics indicates the credential stealer did not exfiltrate or could not access meaningful secrets in practice, with no credible reports of follow-on credential misuse.
  • Publishing pathway attribution is refuted, showing no PyPI credential theft or account compromise and indicating an alternative, non-repeatable distribution mechanism.

Sources