According to Andrej Karpathy on Twitter, a malicious litellm release on PyPI was live for a 46-minute window (10:39–11:25 UTC, Mar 24) and threatens 2,112 dependent packages, including DSPy, Open Interpreter, PraisonAI, MLflow, and langchain-litellm, with about 1,403 direct dependents using open version ranges. As reported by the original GitHub disclosure (BerriAI/litellm issue #24512), the payload exfiltrated sensitive data and contained a fork bomb bug that crashed a research machine, leading to discovery. According to BerriAI’s official tracking issue (issue #24518), the maintainers are coordinating incident response and remediation guidance. According to FutureSearch’s blog, the fork bomb error exposed the malware during analysis, enabling rapid containment. As reported by ramimac’s TeamPCP timeline, the broader campaign moved from Trivy to Checkmarx to litellm, with precise timestamps and IOCs for defenders. According to the PyPA advisory (PYSEC-2026-2), the incident is an official security event with indicators for detection and mitigation. As reported by GitGuardian, compromised CI CD secrets via the Trivy breach enabled the token theft that led to the PyPI account compromise; Wiz further links the activity to TeamPCP’s attack on Checkmarx KICS. According to downstream project issues and PRs, DSPy and MLflow issued emergency pins to block the compromised versions, indicating immediate supply chain impact. For AI teams, the business-critical actions are to pin litellm to known-good versions, rotate all PyPI and CI CD secrets, audit build logs for the 46-minute window, and deploy SBOM-based dependency allowlisting to prevent future poisoned package pulls.

According to @galnagli on X, a malicious update chain linked from a prior Trivy compromise led to LiteLLM versions 1.82.7 and 1.82.8 shipping an infostealer that exfiltrated credentials to a command and control domain models.litellm.cloud, putting tens of thousands of environments at risk; as reported by the BerriAI LiteLLM maintainers on GitHub issue #24512, affected users should rotate API keys and credentials immediately, audit outbound traffic to the noted C2, and pin trusted versions to break the compromise loop across AI infrastructure. According to @ramimacisabird, the incident demonstrates cascading open source supply chain risk where stolen secrets from AI application layers can trigger the next breach, emphasizing the need for reproducible builds, registry signing, SBOMs, and secret-scoping for LLM connectors in production.