What happened
Malicious versions of litellm shipped to PyPI in March 2026 contained a multi-stage stealer that acts both as a credential harvester and a dropper for follow-on payloads.
Because LiteLLM sits in front of every major LLM provider, the package had access to OpenAI, Anthropic, Google, Cohere, Bedrock, and Azure OpenAI keys via the standard environment variables and config files — making this a one-stop shop for the attacker.
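For responders scoping key rotation, the useful first step is to inventory exactly which provider credentials a host exposed to the package through the two channels named above: the standard environment variables and the LiteLLM proxy config file. The script below is an added example, not code from the advisory or from the LiteLLM project; the provider-to-environment-variable mapping and the `api_key: os.environ/NAME` config layout are assumptions drawn from LiteLLM's documented conventions, and the sample environment and config are constructed.

```python
"""Triage helper: list every LLM provider credential that a host exposes via
environment variables or a LiteLLM proxy config, so each can be rotated.
Added example; the provider/env-var mapping below is an assumption based on
LiteLLM's documented conventions, not a list taken from the advisory."""
import os
import re
from typing import Dict, List

# Assumed mapping of provider -> env vars LiteLLM consults (assumption).
PROVIDER_ENV_VARS: Dict[str, List[str]] = {
    "OpenAI": ["OPENAI_API_KEY"],
    "Anthropic": ["ANTHROPIC_API_KEY"],
    "Google": ["GEMINI_API_KEY", "GOOGLE_API_KEY"],
    "Cohere": ["COHERE_API_KEY"],
    "Bedrock": ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"],
    "Azure OpenAI": ["AZURE_API_KEY", "AZURE_OPENAI_API_KEY"],
}

# Matches `api_key: <value>` lines in a LiteLLM proxy config.yaml (assumed layout).
API_KEY_LINE = re.compile(r"^\s*api_key:\s*['\"]?([^'\"\s#]+)")
# Matches the `os.environ/NAME` indirection LiteLLM configs use (assumed layout).
ENV_REF = re.compile(r"^os\.environ/([A-Z0-9_]+)$")

# Constructed sample environment and config used for the demonstration run.
SAMPLE_ENV: Dict[str, str] = {
    "OPENAI_API_KEY": "sk-constructed-0001",
    "ANTHROPIC_API_KEY": "sk-ant-constructed-0002",
    "AWS_ACCESS_KEY_ID": "AKIACONSTRUCTED",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret",
    "PATH": "/usr/bin",
}
SAMPLE_CONFIG = """\
model_list:
  - model_name: gpt-4o
    litellm_params:
      model: openai/gpt-4o
      api_key: os.environ/OPENAI_API_KEY
  - model_name: command-r
    litellm_params:
      model: cohere/command-r
      api_key: "co-constructed-literal-9999"
  - model_name: gemini
    litellm_params:
      model: gemini/gemini-pro
      api_key: os.environ/GEMINI_API_KEY
"""


def redact(secret: str) -> str:
    """Keep only the last 4 characters so the triage output itself does not leak keys."""
    return "*" * max(len(secret) - 4, 0) + secret[-4:]


def exposed_from_env(env: Dict[str, str]) -> Dict[str, List[str]]:
    """Return provider -> [env var names] for every provider with a non-empty key set."""
    found: Dict[str, List[str]] = {}
    for provider, names in PROVIDER_ENV_VARS.items():
        present = [n for n in names if env.get(n)]
        if present:
            found[provider] = present
    return found


def exposed_from_config(config_text: str, env: Dict[str, str]) -> List[str]:
    """One finding per api_key line: a literal key is exposed directly; an
    os.environ/NAME reference is exposed only if NAME is set in env."""
    findings: List[str] = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = API_KEY_LINE.match(line)
        if not match:
            continue
        value = match.group(1)
        ref = ENV_REF.match(value)
        if ref:
            name = ref.group(1)
            state = "set" if env.get(name) else "unset"
            findings.append(f"line {lineno}: env reference {name} ({state})")
        else:
            findings.append(f"line {lineno}: literal key {redact(value)}")
    return findings


def rotation_list(env: Dict[str, str], config_text: str) -> List[str]:
    """Deduplicated list of credentials to rotate: every set provider env var
    plus every literal key embedded in the config."""
    items: List[str] = []
    for names in exposed_from_env(env).values():
        items.extend(names)
    for finding in exposed_from_config(config_text, env):
        if "literal key" in finding:
            items.append("config " + finding)
    return sorted(set(items))


if __name__ == "__main__":
    # Run against the real process environment plus the constructed config.
    for provider, names in exposed_from_env(dict(os.environ)).items():
        print(f"{provider}: {', '.join(names)}")
    for finding in exposed_from_config(SAMPLE_CONFIG, dict(os.environ)):
        print("config:", finding)
    print("rotate:", rotation_list(SAMPLE_ENV, SAMPLE_CONFIG))
```

Run it on each host that had a malicious build installed, with the real proxy config passed in place of `SAMPLE_CONFIG`; the output is the rotation checklist. Keys referenced as `os.environ/NAME` but unset on that host still appear in the output so they are not silently skipped, and literal keys are redacted because the triage log is itself a secret-bearing artifact.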
Impact
Attackers gained API keys to *every* LLM provider configured in affected environments, and the dropper stage gave them follow-on access for further compromise.