LiteLLM is the latest victim in TeamPCP’s spree of attacks targeting the open source ecosystem. Previously, Wiz has covered the compromises of Aqua Security’s Trivy and a set of Checkmarx GitHub Actions and OpenVSX extensions. LiteLLM is an open-source Python library and proxy server that acts as a universal translator, converting API requests for over 100 different Large Language Models into the standard OpenAI format. Our data shows that LiteLLM is present in 36% of cloud environments, signifying the potential for widespread impact.
Update 03/25: LiteLLM has published an official and actively maintained Security Update.
Malicious versions of the LiteLLM python package (1.82.7 and 1.82.8) were published on the morning of 24 March 2026. The compromised packages employed two different methods to deliver their payload. The packages were published at approximately 8:30 UTC and quarantined by PyPI at 11:25 UTC. An PyPI advisory has been posted here, identifying an API token exposed via the prior Trivy incident as the root cause. Wiz customers can check their environment via the Wiz Threat Center.
Comparison of 1.82.6 and 1.82.7 with malicious addition highlighted in redMalicious pyproject.toml file with injection highlightedRedacted version of litellm_init.ph
Once executed, the payload performs the same extensive data collection across the host seen in the KICS operation. It targets environment variables (including API keys and tokens), SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes configs, CI/CD secrets, Docker configs, database credentials, and even cryptocurrency wallets. The collected data is encrypted using AES-256, with the key further encrypted using an embedded RSA public key, and exfiltrated to an attacker-controlled domain (checkmarx[.]zone in 1.82.7, models[.]litellm[.]cloud in 1.82.8).
The LiteLLM script utilizes the same basic and Kubernetes based persistence mechanisms seen in the KICS operation. They continue to use checkmarx.zone/raw as the callout for their persistent python script.
How Wiz can help?
Wiz customers should continue to monitor the advisory in the Wiz Threat Center for ongoing guidance, pre-built queries, and references to relevant detections they can use to assess the risk in their environment.
