Cyber News

The AI tool that started stealing secrets the moment you updated it.

The tool was litellm. The update was versions 1.82.7 and 1.82.8. And the damage was done before anyone knew it had started.

Robert Shone 6 min read

On the morning of 24 March 2026, a researcher at an AI company noticed his computer had started behaving strangely — processes consuming all available memory, the machine grinding to a halt. When he investigated, he found that a routine software update had silently turned his development environment into a credential harvesting machine, quietly collecting every password, key, and secret it could find and sending them to a server controlled by strangers.

The tool was litellm. The update was versions 1.82.7 and 1.82.8. And the damage was done before anyone knew it had started.


What actually happened

LiteLLM is a widely used software library in the AI development world. It acts as a universal connector — a single piece of software that lets developers build applications which talk to AI services from dozens of different providers. It is downloaded approximately 95 million times every month, and it sits at the heart of countless AI-powered products and pipelines.

On the morning of 24 March, a group called TeamPCP used stolen credentials to publish two malicious versions of litellm to PyPI — the public software repository where developers download Python packages. The poisoned versions looked identical to the real thing. They passed all standard security checks. They had the correct package name, the correct publisher identity, and the correct file signatures. Nothing about them appeared wrong.

Once installed, they got to work immediately. The malicious code collected SSH keys, cloud service credentials, API keys, database passwords, environment variables, and cryptocurrency wallet details from the host machine. It encrypted everything it found and sent it to a server registered by the attackers just the day before. On some machines, the payload also attempted to establish a persistent backdoor — a hidden door that would remain open even after the malicious package was removed.

The poisoned versions remained available for approximately three hours before security researchers detected them and PyPI quarantined the entire litellm package.


Who was affected, and for how long?

Any developer or organisation that ran pip install litellm — the standard command to install or update the package — between 10:39 UTC and approximately 13:30 UTC on 24 March 2026 may have received a compromised version. Given litellm's download volume, even a three-hour window represents potentially tens of thousands of affected installations.

Developers who had pinned their installation to a specific earlier version — meaning they had deliberately locked their software to version 1.82.6 or below — were not affected. Users of the official LiteLLM Docker image were also not affected, as that deployment method pins its own version independently.

The LiteLLM team has confirmed the incident, engaged Google's Mandiant security team for forensic analysis, and paused all new releases while a full review of their publishing pipeline is completed. All maintainer accounts have been rotated.

The full scope of credential theft is not yet known. Security researchers have warned that any organisation whose systems installed the poisoned versions should treat every credential accessible from those systems as compromised — and rotate them immediately.


What the headlines got wrong

Some coverage has framed this as "AI going rogue" or suggested the AI itself was weaponised. That is not accurate.

LiteLLM is a software library that helps developers talk to AI services. The AI models themselves were not compromised. What was compromised was a software distribution system — the human-run infrastructure through which developers trust and receive code updates.

The malicious payload targeted the host computer's stored secrets, not the AI models. It was written by humans, deployed by humans, and designed to steal from humans. The AI angle is incidental. This is a supply chain attack — a very old and very human technique applied to a very modern target.


Why does this kind of thing happen?

This attack is the end of a chain that started five days earlier and several steps removed from litellm itself.

On 19 March, TeamPCP compromised Trivy — a popular security scanning tool used by many software projects, including litellm, to check their own code for vulnerabilities. By poisoning the security scanner, the attackers gained access to the credentials that litellm's own automated systems used to publish new versions. They used those stolen credentials on 24 March to publish the malicious versions directly — bypassing litellm's normal development process entirely.

This is the uncomfortable irony at the centre of the story. The attack began by compromising a security tool. The defenders' own infrastructure became the entry point.

The deeper lesson is about trust in the software supply chain. When developers install a package update, they are trusting not just the software itself but the entire chain of people, tools, and systems that produced and delivered it. TeamPCP found a weak link early in that chain and followed it all the way to its most valuable target.


Could there be fines or consequences?

The LiteLLM team has filed no public regulatory disclosures at the time of writing, though the investigation with Google's Mandiant is ongoing. Where credentials stolen from affected environments are subsequently used in further breaches — which security researchers consider likely — those downstream incidents may trigger their own regulatory and legal consequences under GDPR and equivalent frameworks, depending on what data is ultimately accessed.

The FBI's Assistant Director of Cyber has publicly warned that a wave of follow-on breach disclosures and extortion attempts should be expected in the coming weeks as the attackers work through the stolen credentials.


What does this mean for me?

If you are a developer or work in a technical role, check immediately whether litellm versions 1.82.7 or 1.82.8 were installed in any of your environments — including development machines, build pipelines, and Docker images. If they were, treat all credentials accessible from those systems as compromised and rotate them without delay. Do not simply upgrade — the payload may have already run.

Also check the telnyx package. On 27 March — three days after the litellm attack — TeamPCP used credentials believed to have been stolen from litellm environments to poison another package, telnyx (versions 4.87.1 and 4.87.2), a telephony SDK. If your environments installed those versions between 03:51 UTC and 10:13 UTC on 27 March, treat them as compromised in the same way.

If you are not a developer, this story is a reminder that the software powering the tools and services you use every day is itself built on layers of other software, each of which must be trusted and maintained by humans. When one of those layers is compromised, the effects can ripple outward in ways that are difficult to predict.

For everyone: auto-updating software is convenient, but it is not always safe. In professional and development environments, pinning to a known safe version and updating deliberately — rather than automatically — is a meaningful protection against exactly this kind of attack.
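The two practical steps in this section, checking every environment for the poisoned litellm and telnyx releases and keeping dependencies pinned so they cannot float onto a bad release, can be scripted. The following is an added example written for this article; it is not code from LiteLLM, PyPI, or any of the vendors cited below. It assumes the affected version numbers and package names given in the article, reads either the live environment (via importlib.metadata) or pasted `pip freeze` output, and audits a requirements file for pins to those versions, for specifiers that are not exact, and for lines without `--hash=` entries. The sample requirements and freeze text are constructed for the demonstration, including a placeholder hash.

```python
"""Audit Python environments and requirements files for the litellm / telnyx
releases the article names as poisoned, and for loose pins that could float
onto such a release. Added example, not code from LiteLLM or PyPI."""
import re
from importlib import metadata

# Versions the article identifies as compromised (litellm 1.82.7/1.82.8,
# telnyx 4.87.1/4.87.2). Keys are PEP 503 normalised names.
COMPROMISED = {
    "litellm": {"1.82.7", "1.82.8"},
    "telnyx": {"4.87.1", "4.87.2"},
}

# One requirement line: name, optional [extras], optional operator + version.
# Anything after the version (more specifiers, markers, --hash) is ignored.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(?:(?P<op>==|>=|<=|~=|!=|>|<)\s*(?P<ver>[0-9][0-9A-Za-z.]*))?"
)


def _canon(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _clean_lines(text: str):
    """Join backslash continuations, drop comments, blanks and pip option lines."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        yield line.split(" #", 1)[0].strip()


def parse_freeze(text: str) -> dict:
    """Turn `pip freeze` output (name==version per line) into {name: version}."""
    installed = {}
    for line in _clean_lines(text):
        m = _REQ_RE.match(line)
        if m and m.group("op") == "==":
            installed[_canon(m.group("name"))] = m.group("ver")
    return installed


def check_installed(installed=None) -> dict:
    """Return {package: version} for every compromised release present.
    installed: optional {name: version} mapping (e.g. from parse_freeze);
    when None, the current interpreter's environment is queried."""
    hits = {}
    for pkg, bad in COMPROMISED.items():
        if installed is None:
            try:
                ver = metadata.version(pkg)
            except metadata.PackageNotFoundError:
                continue
        else:
            ver = installed.get(pkg)
        if ver in bad:
            hits[pkg] = ver
    return hits


def audit_requirements(text: str) -> dict:
    """Classify requirement lines: pinned to a compromised release, not
    exactly pinned (could resolve to a future bad release), or lacking a hash."""
    result = {"compromised": [], "floating": [], "unhashed": []}
    for line in _clean_lines(text):
        m = _REQ_RE.match(line)
        if not m:
            continue  # URL or editable requirement; outside this audit's scope
        name, op, ver = _canon(m.group("name")), m.group("op"), m.group("ver")
        if op == "==" and ver in COMPROMISED.get(name, ()):
            result["compromised"].append(line)
        if op != "==":
            result["floating"].append(line)
        if "--hash=" not in line:
            result["unhashed"].append(line)
    return result


# Constructed sample inputs, not a real project's files; the hash is a placeholder.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
litellm==1.82.7
telnyx>=4.87
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
openai
"""
SAMPLE_FREEZE = "LiteLLM==1.82.7\ntelnyx==4.87.2\nrequests==2.31.0\n"

if __name__ == "__main__":
    print("live environment:", check_installed())
    print("sample freeze:", check_installed(parse_freeze(SAMPLE_FREEZE)))
    print("sample requirements:", audit_requirements(SAMPLE_REQUIREMENTS))
```

To cover container images as the article advises, the assumed workflow is to capture `pip freeze` from inside each image (for example with `docker run --rm IMAGE pip freeze`) and feed that text to parse_freeze. A hit from check_installed means the payload may already have run on that system; the article's guidance is to rotate every credential reachable from it, not merely to upgrade. Lines reported as floating or unhashed are the ones that would let a future poisoned release in: exact `==` pins with `--hash=` entries, installed with pip's `--require-hashes` mode, are the deliberate-update posture the paragraph above recommends.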


The broader lesson

TeamPCP's campaign did not begin with litellm. It began with a security scanner, moved through a code analysis tool, spread across npm packages, and eventually reached one of the most widely used libraries in AI development. At each step, the credentials stolen from one compromised system became the key that unlocked the next.

This is supply chain thinking applied as an attack strategy. The target was never any single piece of software. The target was the web of trust that connects them all.

Three days after the litellm attack, TeamPCP used credentials harvested from compromised litellm environments to poison telnyx — following exactly the same playbook. The campaign now spans six separate software ecosystems. TeamPCP has publicly announced a collaboration with a ransomware group, signalling an intent to turn stolen credentials into large-scale extortion operations. The FBI has warned that a wave of follow-on breach disclosures should be expected in the weeks ahead.

This is not a story with a clean ending. It is a story that is still being written.

Software supply chain security has been a known and growing risk for years. Incidents like this one — alongside last week's Stryker story, where disrupting a supplier was enough to affect NHS hospitals — are reminders that the weakest link in any system is rarely the most obvious one.

The humans who designed and executed this attack understood that perfectly.


🧠 The Human Factor

Technology involved: LiteLLM Python library (versions 1.82.7 and 1.82.8), the PyPI software repository, and the Trivy security scanner whose compromise provided the initial foothold.

Root cause: A coordinated human-run campaign (TeamPCP) that stole publishing credentials by first compromising a trusted security tool, then used those credentials to inject malicious code into a legitimate, widely trusted software package.

What was at risk: SSH keys, cloud service credentials, API keys, database passwords, and any other secrets accessible on systems where the poisoned versions were installed — potentially across tens of thousands of developer and production environments, with stolen credentials now being used to target further packages.

Prevention: Pin software dependencies to verified specific versions rather than auto-updating to the latest release; audit update pipelines; treat any system that installed the affected versions as fully compromised and rotate all credentials.

References and sources

  • LiteLLM official security update (March 2026) — docs.litellm.ai
  • FutureSearch original disclosure (24 March 2026) — futuresearch.ai
  • Datadog Security Labs: LiteLLM and Telnyx compromised on PyPI: Tracing the March 2026 TeamPCP supply chain campaign (updated 27 March 2026) — securitylabs.datadoghq.com
  • Sonatype: Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer — sonatype.com
  • Snyk: How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM — snyk.io
  • Endor Labs: TeamPCP Isn't Done and TeamPCP Strikes Again: Telnyx Compromised Three Days After LiteLLM (27 March 2026) — endorlabs.com
  • The Hacker News: TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise and TeamPCP Pushes Malicious Telnyx Versions to PyPI
  • FBI Assistant Director of Cyber Division public warning on expected follow-on breach disclosures (27 March 2026)
  • CVE-2026-33634 (Trivy upstream compromise)

This is a developing story. TeamPCP's campaign is confirmed ongoing. Last updated: 30 March 2026. We update breaking stories as new information becomes available.