AI

How a Melting Mac Caught LiteLLM Hackers

Daily WTF! by Don Ramón

Episode notes

On March 24, 2026, the popular Python library LiteLLM—which provides a unified interface for various Large Language Models—was the target of a sophisticated supply chain attack. Malicious code was injected into versions 1.82.7 and 1.82.8 of the package on PyPI. The attack is attributed to a threat actor known as TeamPCP, who gained access to LiteLLM’s publishing pipeline by first compromising Trivy, an open-source security scanner used in LiteLLM's CI/CD process.

The compromise is particularly significant due to LiteLLM's wide adoption, with roughly 3.4 million daily downloads (nearly 97 million monthly).

The Attack Vector and Payload

The attackers used a poisoned Trivy GitHub Action to exfiltrate a PyPI publish ... 

Keywords
liteLLM