Rosa Del Mar

Daily Brief

Issue 85 2026-03-26

Active Supply-Chain Compromise Confirmation And Escalation Path

Sources: 1 • Confidence: High • Updated: 2026-04-12 10:20

Key takeaways

  • The malicious package version litellm==1.82.8 was live on PyPI at the time described in the source.
  • McMahon used Claude conversation transcripts to confirm the vulnerability and decide on response actions.
  • The litellm-1.82.8 wheel contained a file named litellm_init.pth with size 34628 bytes.
  • Anyone installing or upgrading litellm while the malicious 1.82.8 release is live is expected to be infected.
  • The beginning of litellm_init.pth contains code that spawns a Python subprocess to base64-decode and execute embedded payload content.

Sections

Active Supply-Chain Compromise Confirmation And Escalation Path

  • The malicious package version litellm==1.82.8 was live on PyPI at the time described in the source.
  • Callum McMahon reported the LiteLLM malware attack to PyPI.
  • A fresh download from PyPI was tested in an isolated Docker container to confirm the compromise.
  • The source recommends reporting the incident immediately to security@pypi.org.

LLM-Assisted Incident Response Workflow And Transparency

  • McMahon used Claude conversation transcripts to confirm the vulnerability and decide on response actions.
  • After confirming malicious code in an isolated Docker container, Claude suggested using the PyPI security contact address.
  • McMahon used the claude-code-transcripts tool to publish the conversation transcript.

Forensic Indicators And Execution Mechanism In The Compromised Artifact

  • The litellm-1.82.8 wheel contained a file named litellm_init.pth with size 34628 bytes.
  • The beginning of litellm_init.pth contains code that spawns a Python subprocess to base64-decode and execute embedded payload content.
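A triage check for the indicator described above, as an added example that is not code from the source report or the LiteLLM project: it lists every .pth file inside a wheel and flags those with lines that Python's site module would execute at interpreter startup (lines beginning with "import" followed by a space or tab). The sample wheel, its file names and the keyword list are constructed for illustration; the reported size can be compared against the 34628 bytes cited for litellm_init.pth.

```python
import io
import zipfile

# Assumption: illustrative keyword list, not taken from the source report.
SUSPICIOUS = ("subprocess", "base64", "exec(", "eval(", "os.system")


def build_sample_wheel() -> bytes:
    """Constructed stand-in wheel with harmless content (not the real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_pkg/__init__.py", "VERSION = '0.0.1'\n")
        # Path-only .pth: the ordinary use of the mechanism, nothing is executed.
        zf.writestr("demo_paths.pth", "# extra path\nsrc/vendor\n")
        # Executable-style .pth: an inert line that only imports two modules.
        zf.writestr(
            "demo_init.pth",
            "import subprocess, base64  # constructed stand-in line, decodes nothing\n",
        )
    return buf.getvalue()


def audit_wheel(wheel_bytes: bytes) -> list[dict]:
    """Report each .pth member of a wheel and whether it carries executable lines."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            # Any .pth is reported, wherever it sits in the archive.
            if not info.filename.lower().endswith(".pth"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            # site.py exec()s a .pth line only if it starts with "import" + space/tab.
            exec_lines = [ln for ln in text.splitlines()
                          if ln.startswith(("import ", "import\t"))]
            hints = sorted({s for s in SUSPICIOUS for ln in exec_lines if s in ln})
            findings.append({
                "name": info.filename,
                "size": info.file_size,  # uncompressed size, comparable to the cited byte count
                "executable_lines": len(exec_lines),
                "hints": hints,
                "flag": bool(exec_lines),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_wheel(build_sample_wheel()):
        print(finding)
```

The archive is read as a zip and never installed or imported, so the check can run against a downloaded wheel without triggering its contents.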

Risk Expectation About Infection On Install/Upgrade

  • Anyone installing or upgrading litellm while the malicious 1.82.8 release is live is expected to be infected.

Unknowns

  • Was litellm==1.82.8 yanked/removed from PyPI, and if so, when relative to the report?
  • What is the full decoded payload content and what actions does it perform post-execution (e.g., persistence, exfiltration, lateral movement)?
  • Does the malicious behavior execute automatically on standard installation/upgrade paths across common environments, or only under specific conditions?
  • Are other LiteLLM versions, distributions (wheel vs other artifacts), or related packages affected beyond litellm==1.82.8?
  • How widely was the compromised artifact downloaded/installed during the live period (approximate download counts, impacted organizations)?

Investor overlay

Read-throughs

  • Open-source package registry incidents can raise near-term demand for software composition analysis, dependency monitoring, and package allowlisting, as teams hunt for compromised artifacts like the .pth file and assess installs during the exposure window.
  • Organizations may tighten Python supply-chain controls such as pinning versions, using internal mirrors, and blocking installs from public registries during active compromise windows, increasing focus on tooling that enforces provenance and policy.
  • Publishing LLM transcripts in incident workflows may accelerate adoption of LLM-enabled security operations tooling, but could also elevate scrutiny on reliability and confidentiality practices in security response processes.

What would confirm

  • PyPI or package maintainers confirm timeline actions such as removal or yanking of litellm 1.82.8 and publish incident notes clarifying exposure window.
  • Reproducible sandbox reports show automatic execution on standard install or upgrade paths and provide decoded payload behavior, plus clear indicators teams can scan for beyond the .pth filename and size.
  • Public download metrics or disclosed victim counts indicate meaningful reach during the live period, driving broader remediation activity and tooling spend.

What would kill

  • Registry-side statements show the malicious release was quickly removed with limited distribution, reducing expected remediation intensity.
  • Analysis shows the .pth execution path does not run in common installation environments or requires uncommon conditions, lowering real-world impact.
  • Forensics find the decoded payload is inert or non-functional, or the wheel content indicates a false positive, undermining the infection expectation.
