This is not a theoretical supply chain risk. This happened. And it exposed exactly why every AI agent's dependencies need to be scanned before they're allowed to execute.
What Happened: The LiteLLM Compromise
At approximately 18:00 UTC on March 24, 2026, an attacker compromised the PyPI account of a LiteLLM maintainer and published two malicious versions:
- v1.82.7 — Initial compromise, activated on import
- v1.82.8 — Escalated compromise, activates on any Python startup via a `.pth` file (no explicit import required)
The LiteLLM team confirmed the incident on GitHub and engaged Google Mandiant for incident response. Compromised packages were removed from PyPI within hours, but not before an unknown number of developers installed them.
The Payload: What the Attackers Stole
The malicious code performed comprehensive credential harvesting from infected systems:
| Target | What Was Stolen |
|---|---|
| Environment Variables | API keys, service tokens, secrets stored in process.env |
| SSH Keys | Private SSH keys from ~/.ssh/ |
| Cloud Credentials | AWS, GCP, Azure, Kubernetes credentials |
| Crypto Wallets | Private keys and wallet files |
| Database Passwords | Connection strings and credentials |
| SSL Private Keys | TLS/SSL certificates and keys |
| Shell History | Bash/zsh history with potential secrets |
| CI/CD Configs | Pipeline configurations and deployment tokens |
The Exfiltration Method
Stolen data was:
- Encrypted with AES-256-CBC + RSA-4096
- Chunked into transmission-ready packets
- Exfiltrated via `curl` POST to `litellm.cloud` — a domain registered just hours before the attack
The domain registration timing suggests a coordinated operation: register infrastructure, compromise maintainer account, publish malicious versions, harvest credentials, remove packages to limit detection window.
The Threat Actor: TeamPCP
Security researchers have attributed this attack to TeamPCP, a threat actor group known for PyPI supply chain compromises targeting AI/ML tooling. Their modus operandi:
- Compromise maintainer accounts via credential stuffing or phishing
- Publish malicious versions with short dwell time
- Target packages used in AI/ML pipelines specifically
- Exfiltrate credentials for follow-on attacks or sale
The AI agent ecosystem — with its combination of powerful capabilities, environment variable-based credential storage, and rapid dependency adoption — represents a high-value target for groups like TeamPCP.
Why This Attack Succeeded
The LiteLLM compromise exploited a structural vulnerability in how AI agents handle dependencies:
1. Trust by Default
Most AI agent developers install dependencies with `pip install litellm` and no further verification. The assumption: if it's on PyPI and widely used, it's safe. This attack proves that assumption wrong.
2. Environment Variable Credential Storage
AI agents like OpenClaw, Claude Code, and Cursor store API keys in environment variables that any installed package can read. There's no permission boundary preventing a malicious dependency from accessing `process.env` and exfiltrating everything.
3. No Pre-Execution Scanning
Developers don't scan packages before installing them. There's no automated check for:
- Suspicious network calls to unknown domains
- Environment variable access patterns
- File system enumeration of sensitive paths
- Obfuscated or encoded payloads
The SkillShield Response: External Scanning
This is exactly the threat model SkillShield was designed to address. Our external-scanner model would have caught this attack before it reached any agent:
How SkillShield Would Have Detected LiteLLM v1.82.7/v1.82.8
```text
$ skillshield scan litellm==1.82.8
🔴 CRITICAL: Suspicious network endpoint detected
   Destination: litellm.cloud
   Pattern: POST request with encrypted payload
   Risk: Potential credential exfiltration
🔴 CRITICAL: Environment variable access detected
   Code: os.environ.get('OPENAI_API_KEY')
   Code: os.environ.get('AWS_ACCESS_KEY_ID')
   Code: os.environ.get('GITHUB_TOKEN')
   Risk: Credential harvesting pattern
🔴 CRITICAL: File system enumeration
   Paths: ~/.ssh/id_rsa, ~/.ssh/id_ed25519
   Paths: ~/.aws/credentials
   Paths: ~/.config/gcloud/credentials.json
   Risk: SSH key and cloud credential theft
🔴 CRITICAL: Domain registration recency
   litellm.cloud registered: 2026-03-24 12:00 UTC
   Package published: 2026-03-24 18:00 UTC
   Time delta: 6 hours
   Risk: Attack infrastructure
```
SkillShield checks every dependency before it executes:
- Network analysis: Flags calls to suspicious or newly-registered domains
- Credential access patterns: Detects environment variable enumeration
- File system analysis: Identifies access to sensitive paths (SSH keys, cloud creds)
- Temporal analysis: Cross-references domain registration dates with package publish dates
- Payload analysis: Detects encryption, encoding, and obfuscation patterns
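The pre-install checks listed here and under "No Pre-Execution Scanning" above, as an added example written for this post (not SkillShield's code). It scans a wheel's members for an executable `.pth` line (the v1.82.8 startup mechanism), clustered environment-variable reads, sensitive home-directory paths, and network endpoints outside an allowlist; the allowlist and the in-memory sample wheel are constructed assumptions, and a clean report is a heuristic result, not proof of safety.

```python
import io
import re
import zipfile

# Indicators taken from the LiteLLM write-up: env-var harvesting, sensitive
# paths and the attacker domain. Heuristics only.
ENV_RE = re.compile(r"os\.environ(?:\.get)?\s*[\(\[]")
PATH_RE = re.compile(r"~?/\.(?:ssh|aws|config/gcloud|kube)/")
NET_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Assumption: an allowlist of endpoints the package is expected to talk to.
EXPECTED_HOSTS = {"api.openai.com", "api.anthropic.com"}


def scan_wheel(data: bytes):
    """Return (severity, member, reason) findings for the bytes of a .whl file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("utf-8", "replace")
            # site.py executes any .pth line that starts with 'import ' at every
            # interpreter start; that is how v1.82.8 ran with no explicit import.
            if name.endswith(".pth"):
                if any(l.startswith(("import ", "import\t")) for l in text.splitlines()):
                    findings.append(("CRITICAL", name, "executable .pth line (runs on interpreter startup)"))
                continue
            if not name.endswith(".py"):
                continue
            env_hits = len(ENV_RE.findall(text))
            if env_hits >= 3:
                findings.append(("CRITICAL", name, f"{env_hits} environment-variable reads"))
            if PATH_RE.search(text):
                findings.append(("CRITICAL", name, "references ~/.ssh, ~/.aws or similar paths"))
            for host in sorted(set(NET_RE.findall(text))):
                if host not in EXPECTED_HOSTS:
                    findings.append(("CRITICAL", name, f"network endpoint not on allowlist: {host}"))
    return findings


def build_sample_wheel() -> bytes:
    """Constructed wheel carrying the indicators only as data; no working payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("litellm/__init__.py", "import os\nAPI_BASE = 'https://api.openai.com/v1'\n")
        zf.writestr("litellm/_init_hook.py",
                    "import os\nk = [os.environ.get('OPENAI_API_KEY'),\n"
                    "     os.environ.get('AWS_ACCESS_KEY_ID'), os.environ.get('GITHUB_TOKEN')]\n"
                    "p = ['~/.ssh/id_rsa', '~/.aws/credentials']\nURL = 'https://litellm.cloud/upload'\n")
        zf.writestr("litellm_init.pth", "import litellm._init_hook\n")
    return buf.getvalue()
```

To use it on a real release, fetch the wheel without installing it (`pip download --no-deps litellm==<version>`) and pass the file's bytes to `scan_wheel()`.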
The API Secure Response: No Credentials in Environment Variables
While SkillShield detects malicious packages, API Secure removes the target entirely. If the LiteLLM developers had used API Secure's encrypted credential sharing:
- API keys would be encrypted at rest, not stored as plaintext in environment variables
- Tokens would be scoped and time-bounded, useless if exfiltrated
- No credential material would be accessible via `process.env` harvesting
The attack would have stolen encrypted blobs with no decryption keys — worthless to the attackers.
What You Should Do Now
If You Installed LiteLLM v1.82.7 or v1.82.8
- Assume compromise. Rotate all API keys, SSH keys, and credentials that were present in your environment.
- Check your logs. Look for outbound connections to `litellm.cloud` on March 24-25, 2026.
- Audit access. Review cloud provider logs for unauthorized API calls from unexpected IPs.
- Upgrade immediately. Install LiteLLM v1.82.9 or later from verified sources only.
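The first two steps above as a triage script, added here as an example and not part of the original post. It reports whether the `litellm` installed in the current interpreter is one of the two compromised releases and summarises, per client, traffic to `litellm.cloud` inside the March 24-25 window; the log lines are constructed, and their format (ISO timestamp, client IP, destination host, bytes out) is an assumption to adapt in `parse_line()` for your proxy or DNS resolver logs.

```python
from datetime import datetime, timezone
from importlib import metadata

COMPROMISED = {"1.82.7", "1.82.8"}
IOC_DOMAIN = "litellm.cloud"
WINDOW_START = datetime(2026, 3, 24, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 26, tzinfo=timezone.utc)  # exclusive: covers Mar 24-25


def installed_litellm_status() -> str:
    """'compromised', 'clean' or 'absent' for the litellm in this interpreter."""
    try:
        ver = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return "absent"
    return "compromised" if ver in COMPROMISED else "clean"


def parse_line(line: str):
    """Assumed log format: '<ISO-8601 ts> <client_ip> <dest_host> <bytes_out>'."""
    ts, client, host, out = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, host, int(out)


def find_exfil_candidates(lines):
    """Per-client connection count, bytes out and first hit to the IOC domain in the window."""
    by_client = {}
    for line in lines:
        if not line.strip():
            continue
        ts, client, host, out = parse_line(line)
        # Match the apex domain and any subdomain of the IOC.
        if host != IOC_DOMAIN and not host.endswith("." + IOC_DOMAIN):
            continue
        if not WINDOW_START <= ts < WINDOW_END:
            continue
        entry = by_client.setdefault(client, {"connections": 0, "bytes_out": 0, "first": ts.isoformat()})
        entry["connections"] += 1
        entry["bytes_out"] += out
    return by_client


# Constructed sample; the 03-27 line falls outside the window and is not counted.
SAMPLE_LOG = """\
2026-03-24T17:58:03Z 10.0.4.21 pypi.org 812
2026-03-24T18:41:19Z 10.0.4.21 litellm.cloud 948211
2026-03-24T18:41:22Z 10.0.4.21 litellm.cloud 951004
2026-03-25T09:12:40Z 10.0.7.5 api.openai.com 2210
2026-03-27T11:00:00Z 10.0.7.5 litellm.cloud 120
""".splitlines()
```

Widen the window if the package was installed from a cache or mirror after the PyPI takedown; the dates only bound when the releases were on PyPI.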
If You Develop AI Agents
- Scan every dependency. Use SkillShield to check packages before installation.
- Don't store credentials in environment variables. Use API Secure's encrypted sharing or a proper secrets manager.
- Pin your dependencies. Don't use floating versions (`litellm>=1.0`) that can auto-update to compromised versions.
- Monitor for updates. SkillShield's monitoring alerts you when dependencies change, so you can re-scan before applying updates.
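The pinning advice made checkable, as an added example that is not part of the original post: it audits a requirements file for specifiers that are not `==` pins, for lines without a `--hash` (so `pip install --require-hashes` could not verify them), and for any specifier that would still admit v1.82.7 or v1.82.8. The requirements text is constructed, the hash is a placeholder, and the version comparison handles dotted numeric versions and one specifier per line, not the full PEP 440 grammar.

```python
import operator
import re

COMPROMISED = {"litellm": ["1.82.7", "1.82.8"]}
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:(==|>=|<=|~=|>|<|!=)\s*([0-9][0-9.]*))?(.*)$")
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       ">": operator.gt, "<=": operator.le, "<": operator.lt}


def vtuple(v: str):
    return tuple(int(p) for p in v.strip(".").split("."))


def admits(op, pinned, candidate) -> bool:
    """Does the specifier (op, pinned) allow `candidate` to be installed?"""
    if op is None:  # bare package name: any version goes
        return True
    c, p = vtuple(candidate), vtuple(pinned)
    if op == "~=":  # compatible release: >= pinned and same prefix up to the last component
        return c >= p and c[:len(p) - 1] == p[:len(p) - 1]
    return OPS[op](c, p)


def audit(req_text: str):
    """Return (package, line, problem) findings for a requirements file."""
    out = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and pip options like -r / --index-url
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, op, ver, rest = m.groups()
        key = name.lower().replace("_", "-")
        if op != "==":
            out.append((key, line, "floating version (not pinned with ==)"))
        if "--hash=" not in rest:
            out.append((key, line, "no --hash (pip --require-hashes cannot verify it)"))
        for bad in COMPROMISED.get(key, []):
            if admits(op, ver, bad):
                out.append((key, line, f"specifier admits compromised release {bad}"))
    return out


# Constructed requirements file; the hash value is a placeholder, not a real digest.
REQUIREMENTS = """\
litellm>=1.0
litellm==1.82.9 --hash=sha256:PLACEHOLDER_FROM_YOUR_LOCKFILE
requests==2.32.3
"""
```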
The Bigger Picture: Supply Chain Security for AI Agents
The LiteLLM attack is not an isolated incident. It's part of a pattern:
- January 2025: `tj-actions` GitHub Action compromised, 20,000+ repos affected
- March 2026: LiteLLM PyPI compromise, AI agent credentials harvested
- Pattern: Attackers are targeting the tools AI agents depend on
AI agents have powerful capabilities — file system access, network calls, API integrations. When you install a dependency, you're granting it those same capabilities. Without pre-execution scanning, you're trusting that every maintainer account is secure, every publish is legitimate, and every line of code is benign.
That's not a security model. That's hope.
SkillShield provides the scanning layer that turns hope into verification. Check every dependency. Scan before you install. Don't let TeamPCP's next compromise be the one that breaches your agents.