PYSEC-2026-2

After an API Token exposure from an exploited Trivy dependency, two new releases of litellm were uploaded to PyPI containing automatically activated malware, harvesting sensitive credentials and files, and exfiltrating to a remote API.

The malicious code runs during importing any module from the package and scans the file system and environment variables, collecting all kinds of sensitive data, including but not limited to private SSH keys, credentials to Git and Docker repositories, dotenv files, tokens to Kubernetes service accounts, databases and LDAP configuration. Also exfiltrated are multiple shell history files and cryptowallet keys. The malware actively attempts to obtain cloud access tokens from metadata servers and retrieve secrets stored in AWS Secrets Manager. All collected data are sent to the domain models.litellm[.]cloud

Furthermore, the code includes a persistence mechanism by configuring a SystemD service unit masqueraded as "System Telemetry Service" on the host it runs on, and in a Kubernetes environment also by creating a new pod. The persistence script then contacts hxxps://checkmarx[.]zone/raw for further instructions.

Anyone who has installed and run the project should assume any credentials available to litellm environment may have been exposed, and revoke/rotate them accordingly. The affected environment should be isolated and carefully reviewed against any unexpected modifications and network traffic.