List of AI News about DSPy
| Time | Details |
|---|---|
| 2026-03-24 17:02 | Litellm PyPI Supply Chain Attack: 46-Minute Exposure Hits 2,112 Dependents — Latest Analysis and Business Risk Guide<br>According to Andrej Karpathy on Twitter, a malicious litellm release on PyPI was live for a 46-minute window (10:39–11:25 UTC, Mar 24) and threatens 2,112 dependent packages, including DSPy, Open Interpreter, PraisonAI, MLflow, and langchain-litellm, with about 1,403 direct dependents using open version ranges. As reported by the original GitHub disclosure (BerriAI/litellm issue #24512), the payload exfiltrated sensitive data and contained a fork bomb bug that crashed a research machine, leading to discovery. According to BerriAI's official tracking issue (issue #24518), the maintainers are coordinating incident response and remediation guidance. According to FutureSearch's blog, the fork bomb error exposed the malware during analysis, enabling rapid containment. As reported by ramimac's TeamPCP timeline, the broader campaign moved from Trivy to Checkmarx to litellm, with precise timestamps and IOCs for defenders. According to the PyPA advisory (PYSEC-2026-2), the incident is an official security event with indicators for detection and mitigation. As reported by GitGuardian, CI/CD secrets compromised via the Trivy breach enabled the token theft that led to the PyPI account compromise; Wiz further links the activity to TeamPCP's attack on Checkmarx KICS. According to downstream project issues and PRs, DSPy and MLflow issued emergency pins to block the compromised versions, indicating immediate supply chain impact. For AI teams, the business-critical actions are to pin litellm to known-good versions, rotate all PyPI and CI/CD secrets, audit build logs for the 46-minute window, and deploy SBOM-based dependency allowlisting to prevent future poisoned package pulls. |
