Rosa Del Mar

Daily Brief

Issue 85 2026-03-26

PyPI Supply Chain Compromise Indicators And Execution Mechanism

Sources: 1 • Confidence: High • Updated: 2026-03-27 10:08

Key takeaways

  • Inspection of the litellm==1.82.8 wheel found a file named litellm_init.pth with size 34628 bytes.
  • McMahon used Claude conversation transcripts to confirm the vulnerability and decide on response actions.
  • Callum McMahon reported the LiteLLM malware attack to PyPI.
  • The beginning of litellm_init.pth contains code that spawns a Python subprocess to base64-decode and execute embedded payload content.
  • The malicious package version litellm==1.82.8 was live on PyPI at the time described in the document.

Sections

PyPI Supply Chain Compromise Indicators And Execution Mechanism

  • Inspection of the litellm==1.82.8 wheel found a file named litellm_init.pth with size 34628 bytes.
  • The beginning of litellm_init.pth contains code that spawns a Python subprocess to base64-decode and execute embedded payload content.
  • The malicious package version litellm==1.82.8 was live on PyPI at the time described in the document.
  • A fresh download from PyPI was tested in an isolated Docker container to confirm the compromise.
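
Added example (not from the source document or the LiteLLM project): a scanner that lists the .pth lines in a wheel that Python's site module would execute when it processes site-packages at interpreter startup, i.e. lines beginning with import, and flags subprocess/base64 markers like those described above. The sample wheel, its file names, the placeholder string and the marker list are constructed for illustration.

```python
import io
import re
import zipfile

# Heuristic markers to flag inside an executable .pth line (chosen for this example).
SUSPICIOUS = re.compile(r"subprocess|base64|exec\s*\(|eval\s*\(|os\.system|urllib|socket")


def scan_wheel(wheel):
    """Return one finding per .pth line that site.py would exec(); wheel is a path or file object."""
    findings = []
    with zipfile.ZipFile(wheel) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".pth"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                # site.py exec()s lines starting with "import " or "import\t";
                # other non-comment lines are only treated as path entries.
                if line.startswith(("import ", "import\t")):
                    findings.append({
                        "file": info.filename,
                        "size": info.file_size,
                        "line": lineno,
                        "markers": sorted(set(SUSPICIOUS.findall(line))),
                        "preview": line[:80],
                    })
    return findings


def build_sample_wheel():
    """Constructed in-memory wheel: one benign .pth and one with an executable line."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_pkg/__init__.py", "")
        zf.writestr("demo_paths.pth", "# plain path entry\n./vendor\n")
        # Inert placeholder instead of a payload; the line is scanned, never run.
        zf.writestr(
            "demo_init.pth",
            "import subprocess, sys; subprocess.Popen([sys.executable, '-c', "
            "'import base64; exec(base64.b64decode(\"PLACEHOLDER\"))'])\n",
        )
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for finding in scan_wheel(build_sample_wheel()):
        print(finding)
```

Point scan_wheel at a wheel file that has been downloaded but not installed; the benign path-only .pth in the sample produces no finding.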

LLM-Assisted Incident Response Workflow And Artifacts

  • McMahon used Claude conversation transcripts to confirm the vulnerability and decide on response actions.
  • After malicious code was confirmed in an isolated Docker container, Claude suggested using the PyPI security contact address.
  • McMahon used the claude-code-transcripts tool to publish the transcript of the conversation.

Reporting Path And Expected User Impact

  • Callum McMahon reported the LiteLLM malware attack to PyPI.
  • The document states that anyone installing or upgrading litellm while the malicious 1.82.8 release is live is expected to be infected.
  • The document recommends reporting the incident immediately to security@pypi.org.

Unknowns

  • Was litellm==1.82.8 removed or yanked from PyPI, and if so, when relative to the report?
  • What is the full behavior of the embedded payload beyond the base64 decode/execute mechanism (e.g., network activity, credential access, persistence, lateral movement)?
  • Under what exact conditions does the .pth-based code execute during installation or runtime in typical environments, and was execution directly observed during the sandbox test?
  • How did the malicious artifact enter the PyPI distribution channel (account compromise, compromised build pipeline, malicious maintainer action, or dependency confusion)?
  • What is the authoritative list of compromised versions/files and their cryptographic hashes, if any, as published by PyPI or maintainers?

Investor overlay

Read-throughs

  • A live malicious release on PyPI highlights recurring software supply chain risk for Python packages, potentially increasing enterprise scrutiny of third-party dependencies and demand for package integrity controls and monitoring.
  • The described .pth auto-execution mechanism suggests attackers can leverage install-time or import-time hooks, a read-through to greater adoption of sandboxed builds, artifact scanning, and reproducible verification workflows.
  • Use of an LLM and published transcripts in incident triage indicates emerging tooling and services around LLM-assisted security operations, documentation, and response playbooks.

What would confirm

  • PyPI or maintainers publish an authoritative list of compromised versions and cryptographic hashes, plus a clear timeline of when litellm 1.82.8 was removed or yanked.
  • Independent analysis details the embedded payload behavior beyond base64 decode and execute, including whether it performs network activity, credential access, persistence, or lateral movement.
  • Reproducible sandbox tests show the .pth file executes under typical install or runtime conditions, with logs demonstrating when and how execution occurs.

What would kill

  • Maintainers and PyPI verify the file was not malicious or was a false positive, and provide a benign explanation for the .pth content and stated file size.
  • Evidence shows the malicious artifact was not broadly distributed, was promptly removed before meaningful exposure, or was never live as described.
  • Analysis shows the .pth-based code does not execute in common environments or requires rare conditions that materially limit real-world impact.
