Have you been pwned?

On March 24, 2026, compromised versions of litellm were published to PyPI. They were live for 46 minutes before PyPI quarantined them.

We analyzed every package that depends on litellm, using the dependency specs that existed at the time of the attack, before any maintainers patched.

Original disclosure · Accompanying blog post

- 2,337 packages depend on litellm
- 88% exposed
- 1,671 unpinned
- 283 protected
- 46 min window

The two attack vectors

1.82.8, install-triggered (10:52 UTC): a malicious .pth file executes on every Python interpreter startup, including the pip install itself. Exfiltration to models[.]litellm[.]cloud. If your resolver picked this version, the payload ran before any of your code did.

1.82.7, import-triggered (10:39 UTC): payload injected into proxy_server.py, which drops p.py. It fires only when litellm.proxy is imported. Exfiltration to checkmarx[.]zone/raw. If you only used the SDK without the proxy, you were safe.
Methodology: We queried the BigQuery PyPI dataset for all packages listing litellm as a dependency, filtered to the version of each package that was the latest at the time of the attack (March 24, 2026 11:25 UTC). Results reflect the dependency specs in force during the attack window, before maintainers patched to exclude 1.82.7/1.82.8. We cross-referenced each package with the PyPI API for release timing and with deps.dev for dependent counts. Packages not in our dataset are checked live against PyPI using their current specs, which may differ from the attack-time specs.
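The classification above comes down to one question per dependent: would its litellm version specifier have let a resolver select 1.82.7 or 1.82.8? The script below is an added example of that check, not the analysis code behind this page. It implements a simplified PEP 440 evaluation (numeric versions and the common operators `==`, `!=`, `<`, `<=`, `>`, `>=`, `~=` plus `.*` wildcards), strips extras and environment markers from requirement lines, and buckets each line as unpinned (no version clause), exposed (clauses present but a compromised release still satisfies them) or protected (both compromised releases excluded). Those bucket definitions are assumptions made for the example; the sample requirement lines are constructed, not taken from the page's dataset.

```python
"""Check whether a litellm dependency specifier would have let a resolver pick
a compromised release. Added example with simplified PEP 440 handling (numeric
versions and common operators only); not the analysis code behind the page."""
import re
from collections import Counter

# The two compromised releases named on the page.
COMPROMISED = ("1.82.7", "1.82.8")

# name, optional extras, version clauses, optional ';' environment marker
_REQ = re.compile(r"^\s*litellm\s*(?:\[[^\]]*\])?\s*([^;]*?)\s*(?:;.*)?$")
_CLAUSE = re.compile(r"^(~=|==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*(?:\.\*)?)$")


def extract_spec(requirement):
    """'litellm[proxy]>=1.0 ; python_version>="3.9"' -> '>=1.0'."""
    m = _REQ.match(requirement)
    if not m:
        raise ValueError(f"not a litellm requirement: {requirement!r}")
    return m.group(1)


def _ver(text):
    """'1.82.7' -> (1, 82, 7); a trailing '.*' wildcard is dropped."""
    return tuple(int(p) for p in text.rstrip("*").rstrip(".").split("."))


def _pad(a, b):
    """Zero-pad two version tuples to equal length so 1.82 == 1.82.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def _clause_allows(op, target, version):
    v = _ver(version)
    if target.endswith(".*"):
        prefix = _ver(target)
        matches = v[: len(prefix)] == prefix
        if op == "==":
            return matches
        if op == "!=":
            return not matches
        raise ValueError(f"wildcard not allowed with {op}")
    t = _ver(target)
    pv, pt = _pad(v, t)
    if op == "~=":
        # ~=1.82.0 means >=1.82.0 together with ==1.82.*
        return pv >= pt and pv[: len(t) - 1] == t[:-1]
    return {"==": pv == pt, "!=": pv != pt, "<=": pv <= pt,
            ">=": pv >= pt, "<": pv < pt, ">": pv > pt}[op]


def spec_allows(spec, version):
    """True if every comma-separated clause accepts `version`; an empty spec accepts anything."""
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not _clause_allows(m.group(1), m.group(2), version):
            return False
    return True


def classify(requirement, compromised=COMPROMISED):
    """Assumed bucket definitions: 'unpinned' has no version clause at all,
    'exposed' has clauses that still admit a compromised release,
    'protected' excludes every compromised release."""
    spec = extract_spec(requirement)
    if not spec:
        return "unpinned"
    if any(spec_allows(spec, v) for v in compromised):
        return "exposed"
    return "protected"


def summarize(requirements):
    """Bucket counts plus the exposed share (unpinned counts as exposed)."""
    counts = Counter(classify(r) for r in requirements)
    total = sum(counts.values())
    exposed = counts["unpinned"] + counts["exposed"]
    return {"total": total, **counts, "exposed_pct": round(100 * exposed / total)}


# Constructed sample of dependency lines, not the page's dataset.
SAMPLE = [
    "litellm",
    "litellm>=1.0",
    "litellm[proxy]>=1.70,<1.82.7",
    "litellm==1.82.7",
    "litellm==1.81.*",
    "litellm~=1.82.0",
    "litellm>=1.0,!=1.82.7,!=1.82.8",
    "litellm<1.82.7 ; python_version >= '3.9'",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{line:45} {classify(line)}")
    print(summarize(SAMPLE))
```

Note that `~=1.82.0` counts as exposed even though it looks like a pin: the compatible-release operator admits any 1.82.x, so a resolver running during the window would have taken 1.82.8. Only an explicit upper bound below 1.82.7, an exact pin to an earlier release, or `!=` exclusions for both versions land in the protected bucket.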