March 24, 2026
pip install… panic
Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised
Python package turns into secret-stealing gremlin, users cry “not worth it”
TLDR: A popular Python package update reportedly hid an auto-running script that stole secrets, sparking mass uninstalling and key rotations. Commenters are furious, suspicious of weirdly positive replies, and debating whether to abandon the tool or treat this as a broader wake-up call about software supply chains.
The Python community woke up to a jump-scare: reports say litellm 1.82.8 on PyPI slipped in a hidden startup file that runs a credential thief every time Python boots—no “import” needed. Cue instant chaos. One user summed up the mood: “pretty horrifying… not worth the risk.” Devs scrambled to uninstall, rotate keys, and side-eye every dependency.
Amateur sleuths linked receipts: a detailed write-up at futuresearch.ai and a direct look at the suspect file via PyPI’s inspector. The payload? Double-encoded and allegedly vacuuming up everything from cloud keys to SSH secrets before shipping it to a sketchy lookalike domain. People are calling it a supply chain nightmare in plain English: a bad update poisoned the download.
Then came the drama: one commenter asked why the issue thread was flooded with “100+ satisfied slop comments,” implying bots or astroturfing. Another speculated the founder/CTO’s account might’ve been compromised—unconfirmed, but gasoline on the fire. Jokes flew too: “pip install my secrets,” “from litellm import panic,” and “.pth stands for ‘please take hashes.’” Amid the memes, the vibe split: some vow to ditch the tool entirely; others say this is a PyPI-wide wake-up call to audit installs and verify packages. Either way, trust just got torched.
Key Points
- The litellm==1.82.8 PyPI wheel contains a malicious .pth file that auto-executes on Python startup, requiring no import.
- Inspection of the wheel reveals litellm_init.pth launching a subprocess to run a double base64-encoded payload.
- Stage 1 collects extensive secrets: system info, env vars, SSH keys, cloud (AWS/GCP/Azure) creds, Kubernetes/Docker configs, CI/CD and DB credentials, SSL keys, and more.
- Stage 2 encrypts data with AES-256 (OpenSSL), encrypts the session key with a hardcoded 4096-bit RSA key, archives it, and exfiltrates via curl to https://models.litellm.cloud/.
- The report states anyone installing litellm==1.82.8 may have had secrets exfiltrated, impacting local machines and CI/CD environments; the attack leverages .pth auto-execution and obfuscation.
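The mechanism in the Key Points is Python's own `site` module: every `*.pth` file in a site-packages directory is read at interpreter startup, and any line beginning with `import ` is executed, so no `import litellm` is ever needed. The script below is an added example (it is not from the article, the futuresearch.ai write-up, or the litellm project) showing how a defender can audit that surface: it lists the directories this interpreter actually processes, flags executable `.pth` lines, escalates when they reference subprocess/base64/exec-style APIs, and can scan a `.whl` archive before it is installed. The `SUSPECT_TOKENS` list and the demo wheel it builds are constructed for illustration; the demo `.pth` is only read, never executed.

```python
"""Audit .pth files that Python will execute at interpreter startup.

Added example, not code from the article or from litellm. Python's
site.addpackage() exec()s any .pth line that starts with "import " or
"import\t"; comment lines and plain path entries are never executed.
"""
import os
import re
import site
import tempfile
import zipfile

# Constructed watch-list: APIs that rarely belong on a .pth import line.
SUSPECT_TOKENS = ("subprocess", "base64", "exec(", "eval(", "os.system",
                  "urllib", "socket", "compile(", "__import__")

# Mirrors site.addpackage(): the check is startswith(), so leading
# whitespace makes a line inert rather than executable.
_IMPORT_LINE = re.compile(r"^import[ \t]")


def classify_pth(text):
    """Return [(line_no, severity, line)] for every executable line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#") or not _IMPORT_LINE.match(line):
            continue  # comment or path entry: added to sys.path at most
        severity = "high" if any(t in line for t in SUSPECT_TOKENS) else "info"
        findings.append((n, severity, line.rstrip()))
    return findings


def scan_directory(directory):
    """Scan one site-packages directory; returns {pth_path: findings}."""
    report = {}
    if not os.path.isdir(directory):
        return report
    for name in sorted(os.listdir(directory)):
        if name.endswith(".pth"):
            path = os.path.join(directory, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[path] = classify_pth(fh.read())
    return report


def scan_wheel(wheel_path):
    """Scan a .whl (a zip) without installing it; returns {member: findings}."""
    report = {}
    with zipfile.ZipFile(wheel_path) as zf:
        for member in zf.namelist():
            if member.endswith(".pth"):
                text = zf.read(member).decode("utf-8", "replace")
                report[member] = classify_pth(text)
    return report


def scan_interpreter():
    """Scan every directory this interpreter's site module will process."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    report = {}
    for d in dirs:
        report.update(scan_directory(d))
    return report


def build_demo_wheel(path):
    """Write a constructed wheel holding a benign and a suspicious .pth."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("demo_pkg/__init__.py", "")
        # Plain path entry: appended to sys.path, never executed.
        zf.writestr("demo_pkg-0.1.pth", "demo_pkg\n")
        # Constructed suspicious line; the scanner reads it, nothing runs it.
        zf.writestr("demo_init.pth", "import subprocess, base64  # constructed\n")
    return path


def demo():
    """Build the constructed wheel in a temp dir and return its scan report."""
    tmp = tempfile.mkdtemp()
    wheel = build_demo_wheel(os.path.join(tmp, "demo-0.1-py3-none-any.whl"))
    return scan_wheel(wheel)


def print_report(report):
    for path, findings in report.items():
        if not findings:
            print(f"[ok]   {path}: no executable lines")
        for n, severity, line in findings:
            print(f"[{severity}] {path}:{n}: {line}")


if __name__ == "__main__":
    print("== constructed demo wheel ==")
    print_report(demo())
    print("== this interpreter's site directories ==")
    print_report(scan_interpreter())
```

Run it inside the virtualenv or CI image you want to audit; `scan_interpreter()` covers only the directories that interpreter loads, so a machine with several Pythons needs one run per interpreter. An `info` hit is not proof of compromise (editable installs and some tooling legitimately use `import` lines), but each one should be something you can explain, and a `high` hit in a freshly installed package deserves the uninstall-and-rotate response the article describes.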