95 Million Downloads. Poisoned by Its Own Security Scanner.

You never installed LiteLLM. CrewAI did. For 5 hours on March 24, every Python process on your machine was stealing your AWS keys, SSH credentials, and Kubernetes tokens.


95 million downloads per month. 5 hours of exposure.

Most victims never typed pip install litellm. They installed CrewAI (multi-agent orchestration), DSPy (LLM programming framework), or Browser-Use (AI browser automation). LiteLLM came along as a dependency, silently.

In software, a dependency is a package your tool needs to work. You install one thing, and it quietly pulls in dozens of others. You never see them, you never approve them, but they run on your machine with the same permissions you have.

And on March 24, 2026, that silent dependency began stealing every credential from their machines for 5 hours.

The attacker did not hack LiteLLM directly. They poisoned Trivy, the vulnerability scanner LiteLLM runs in its CI/CD pipeline to stay secure. The tool meant to protect the package became the weapon that compromised it.

Think of it like a locksmith copying your house key while changing your locks.

The malicious versions (1.82.7 and 1.82.8) harvested, from every infected system:

  • SSH keys, the private keys that let you log into servers without a password
  • AWS credentials, access to your Amazon cloud infrastructure
  • Kubernetes tokens, control over your container orchestration clusters
  • Cryptocurrency wallets
  • API keys, the passwords your software uses to talk to other services

Version 1.82.8 went further: it planted a .pth file that ran on every Python process, not just when someone imported LiteLLM. The interpreter's site module reads every .pth file in site-packages at startup, and any line in one that begins with import is executed, so the payload ran before your own code did. Your IDE language server, your test runner, your cron jobs. All of them became credential thieves.
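A quick triage script for the two checks a practitioner wants after reading the above: is one of the named LiteLLM versions installed in this interpreter, and does any .pth file on its site-packages path carry an import line that would run at every startup? This is an added example, not code from the post or from LiteLLM. The affected-version set is taken from the post; the .pth semantics follow Python's own site.py (lines starting with "import " or "import\t" are exec'd, other lines are path entries); the sample hook.pth in demo() is constructed for illustration and is not the real payload.

```python
import re
import site
import sysconfig
import tempfile
from importlib import metadata
from pathlib import Path
from typing import Dict, List, Optional

# Versions the post names as malicious (assumption: taken from the post, not verified here).
AFFECTED_LITELLM = {"1.82.7", "1.82.8"}

# site.py processes every *.pth file in site-packages at interpreter startup:
# blank and '#' lines are skipped, a line starting with "import " or "import\t"
# is exec()'d, and any other line is appended to sys.path as a directory.
EXEC_LINE = re.compile(r"^import[ \t]")


def executable_pth_lines(text: str) -> List[str]:
    """Return the lines of a .pth body that the interpreter would execute."""
    hits = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if EXEC_LINE.match(line):
            hits.append(line)
    return hits


def site_package_dirs() -> List[Path]:
    """Every directory the running interpreter scans for .pth files."""
    dirs = set(site.getsitepackages()) if hasattr(site, "getsitepackages") else set()
    dirs.add(site.getusersitepackages())
    dirs.add(sysconfig.get_paths()["purelib"])
    return sorted(Path(d) for d in dirs if d and Path(d).is_dir())


def audit_pth(dirs=None) -> Dict[str, List[str]]:
    """Map each .pth file that carries executable import lines to those lines."""
    findings: Dict[str, List[str]] = {}
    for d in (site_package_dirs() if dirs is None else dirs):
        for pth in Path(d).glob("*.pth"):
            try:
                lines = executable_pth_lines(pth.read_text(errors="replace"))
            except OSError:
                continue
            if lines:
                findings[str(pth)] = lines
    return findings


def installed_litellm_version() -> Optional[str]:
    """Version of litellm in this interpreter, or None if it is not installed."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def is_affected(version: Optional[str]) -> bool:
    return version in AFFECTED_LITELLM


def demo() -> Dict[str, List[str]]:
    """Constructed sample: one path-only .pth and one that smuggles an import line.
    The files are only read, never executed."""
    d = Path(tempfile.mkdtemp())
    (d / "editable-pkg.pth").write_text("/opt/src/mypkg\n# path entry only\n")
    (d / "hook.pth").write_text("import os; os.system('echo would run at every startup')\n")
    return audit_pth([d])


if __name__ == "__main__":
    v = installed_litellm_version()
    print("litellm:", v, "(AFFECTED)" if is_affected(v) else "")
    for path, lines in audit_pth().items():
        print(path)
        for line in lines:
            print("   ", line)
```

Run it once per virtualenv and once for the system interpreter, since each has its own site-packages. Import lines in .pth files are not malicious by definition: setuptools ships distutils-precedence.pth and some editable installs use the same hook, so treat every hit as something to read, not something to delete blindly.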

The fix that would have prevented this attack has been available since 2023. LiteLLM did not use it.
