Technical description
Following a March 2026 PyPI supply-chain attack on LiteLLM, maintainers disclosed two high-severity issues (both requiring a valid proxy API key) and released v1.83.0 with a hardened CI/CD v2 pipeline, isolated build environments, and tighter release gating.
Attack vector
Supply chain, via a trojanised PyPI package (March); authenticated proxy flaws (the current disclosures).
Affected systems
LiteLLM users who installed compromised versions between approximately March 1-15, 2026; the current issues require a valid proxy API key.
Mitigation
Check for the litellm_init.pth indicator of compromise; rotate potentially exposed secrets; upgrade to v1.83.0 or later; add dependency verification and CI/CD access controls.
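A defender-side check for the first and third mitigations above, the litellm_init.pth indicator and the v1.83.0 upgrade threshold, as an added example that is not part of this advisory or of the LiteLLM project. It assumes the indicator is a file with exactly that name at the top level of a site-packages directory (the only place the interpreter honours .pth files); the version strings and temporary directories it builds are constructed sample data.

```python
import os
import re
import site
import tempfile
from importlib import metadata
from typing import List, Optional, Tuple

IOC_FILENAME = "litellm_init.pth"  # indicator of compromise named in the advisory
FIXED_VERSION = (1, 83, 0, 1)      # 1.83.0 final; trailing 1 = not a pre-release
_VER_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """'1.83.0' -> (1,83,0,1); '1.83.0rc1' -> (1,83,0,0); '1.82' -> (1,82,0,1).
    Pre-releases sort below the final release; local labels (+...) are ignored."""
    m = _VER_RE.match(version.split("+", 1)[0].strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch, suffix = m.groups()
    final = 0 if re.search(r"(a|b|rc|dev)\d*", suffix) else 1
    return (int(major), int(minor or 0), int(patch or 0), final)


def version_is_patched(version: str) -> bool:
    """True when the installed litellm is at or past the advisory's fixed release."""
    return parse_version(version) >= FIXED_VERSION


def find_ioc_files(search_dirs: List[str]) -> List[str]:
    """Shallow check: .pth files only take effect at the top of a site directory."""
    hits = []
    for d in search_dirs:
        candidate = os.path.join(d, IOC_FILENAME)
        if os.path.isfile(candidate):
            hits.append(candidate)
    return hits


def assess(search_dirs: List[str], installed_version: Optional[str]) -> dict:
    """Combine both checks into a verdict a responder can act on."""
    hits = find_ioc_files(search_dirs)
    patched = installed_version is not None and version_is_patched(installed_version)
    return {"ioc_files": hits, "version": installed_version, "patched": patched,
            "action_required": bool(hits) or (installed_version is not None and not patched)}


def demo() -> Tuple[dict, dict]:
    """Constructed scenario: one site dir carrying the IoC file with a pre-fix
    version, one clean dir with the fixed version (both versions are made up)."""
    with tempfile.TemporaryDirectory() as bad, tempfile.TemporaryDirectory() as good:
        open(os.path.join(bad, IOC_FILENAME), "w").close()  # constructed IoC file
        return assess([bad], "1.82.0"), assess([good], "1.83.0")


if __name__ == "__main__":  # real check against this interpreter's site dirs
    try:
        installed = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        installed = None
    print(assess(site.getsitepackages() + [site.getusersitepackages()], installed))
```

Presence of the file is only the indicator the advisory names; a hit should trigger the secret rotation step, not just deletion of the file.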