Rosa Del Mar

Daily Brief

Issue 83 2026-03-24

Install-Time Execution Expands Supply-Chain Blast Radius

Sources: 1 • Confidence: Medium • Updated: 2026-04-12 10:19

Key takeaways

  • A malicious payload placed in a Python .pth file can execute upon installation of the package, even if the package is never imported.
  • LiteLLM v1.82.7 contained an exploit located in proxy/proxy_server.py that required importing the package to take effect.
  • When installed on a system, the credential stealer attempts to collect secrets from locations including SSH keys, Git credentials, AWS and Kubernetes config, and shell history files.
  • A referenced issue contains a detailed description of the credential stealer’s behavior, and a separate source describes the exploit timeline.
  • Stolen PyPI credentials were used to publish vulnerable LiteLLM packages.

Sections

Install-Time Execution Expands Supply-Chain Blast Radius

  • A malicious payload placed in a Python .pth file can execute upon installation of the package, even if the package is never imported.
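
A defensive check for the .pth mechanism described above, added here as an example (not code from this brief's source or from the LiteLLM project). Python's site module passes any .pth line that begins with "import" followed by a space or tab to exec() at interpreter startup, so the script lists every such line in the active environment's site directories. The function names are this example's own, and a hit is a line to review rather than proof of compromise, since some legitimate packages ship executable .pth lines.

```python
"""Audit .pth files for lines the site module would execute at startup."""
import site
import sysconfig
from pathlib import Path


def executable_lines(pth_text):
    """Return (line_number, line) pairs that site.py would pass to exec()."""
    hits = []
    for number, line in enumerate(pth_text.splitlines(), start=1):
        # site.py executes a line only if it starts with "import" plus a space
        # or tab; comments are skipped and other lines are sys.path entries.
        if line.startswith(("import ", "import\t")):
            hits.append((number, line.rstrip()))
    return hits


def candidate_dirs():
    """Site directories whose .pth files are processed by this interpreter."""
    dirs = {sysconfig.get_paths()[key] for key in ("purelib", "platlib")}
    for name in ("getsitepackages", "getusersitepackages"):
        getter = getattr(site, name, None)  # absent in some legacy virtualenvs
        if getter:
            result = getter()
            dirs.update([result] if isinstance(result, str) else result)
    return sorted(Path(d) for d in dirs)


def audit(directories):
    """Map each .pth path to its executable lines; files without hits are omitted."""
    findings = {}
    for directory in directories:
        if not directory.is_dir():
            continue
        for pth in sorted(directory.glob("*.pth")):
            try:
                text = pth.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            hits = executable_lines(text)
            if hits:
                findings[str(pth)] = hits
    return findings


if __name__ == "__main__":
    for path, hits in audit(candidate_dirs()).items():
        for number, line in hits:
            print(f"{path}:{number}: {line[:200]}")
```

Run it with the interpreter of the environment under review, since each virtual environment has its own site directories.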

Version-Specific Activation Conditions Affect Exposure Analysis

  • LiteLLM v1.82.7 contained an exploit located in proxy/proxy_server.py that required importing the package to take effect.

Credential Harvesting Targets Common Developer And Cloud Secret Stores

  • When installed on a system, the credential stealer attempts to collect secrets from locations including SSH keys, Git credentials, AWS and Kubernetes config, and shell history files.

Verification And Scoping Depend On External Forensic/Timeline Detail

  • A referenced issue contains a detailed description of the credential stealer’s behavior, and a separate source describes the exploit timeline.

Account Compromise Can Bypass Normal Trust Signals In Package Publishing

  • Stolen PyPI credentials were used to publish vulnerable LiteLLM packages.

Unknowns

  • Which exact LiteLLM versions/releases were compromised, and which ones used install-time (.pth) execution versus import-time execution?
  • What is the exact exploit timeline (first malicious publish time, detection time, removal/mitigation time) described by the separate source?
  • What are the concrete indicators of compromise (file hashes, domains/IPs contacted, process behaviors) described in the referenced issue?
  • Did the credential stealer successfully exfiltrate secrets (and to where), or is the corpus only describing attempted collection?
  • How were the PyPI credentials obtained (phishing, token leak, CI secret exposure), and what preventive control failed?

Investor overlay

Read-throughs

  • Install-time execution in Python packages increases perceived risk in open-source dependency chains, potentially driving incremental spend on software supply-chain security, SBOM, and dependency scanning tools, especially for CI build environments.
  • Credential harvesting focused on developer and cloud secret stores can increase demand for secrets management, rotation, and endpoint detection tailored to developer workstations and CI runners.
  • Stolen package registry credentials enabling seemingly legitimate releases may raise interest in publisher account protection such as MFA enforcement, signing, and provenance tooling across package ecosystems.

What would confirm

  • Primary-source timeline identifying exact compromised LiteLLM versions and whether install-time .pth execution was used, clarifying exposure scope beyond import-time activation.
  • Published indicators of compromise such as file hashes, domains or IPs contacted, and process behaviors, enabling measurable detection and incident scoping.
  • Evidence that secrets were actually exfiltrated and where they were sent, plus confirmation of how PyPI credentials were obtained and which control failed.

What would kill

  • Credible clarification that affected releases only executed on import, not at install time, materially reducing blast radius for environments that never import the package.
  • Forensic findings showing the stealer only attempted local collection without successful exfiltration, limiting downstream credential-compromise impact.
  • Definitive attribution that PyPI publishing credentials were not compromised and releases were not from the official account, weakening the account-compromise read-through.

Sources