coding by Promptsicle Team

LiteLLM Supply Chain Attack Steals AI API Keys

LiteLLM, a popular AI gateway library, was compromised in a supply chain attack where malicious code was injected to exfiltrate API keys and credentials to

LiteLLM Package Compromised to Steal API Keys

Over 2,000 downloads occurred during the 90-minute window when malicious versions of LiteLLM sat on the Python Package Index, targeting developers’ API credentials for major AI platforms.

Attack Timeline and Scope

On January 3, 2025, attackers published compromised versions 1.52.0 through 1.52.4 of LiteLLM, a widely used Python library that provides a unified interface for calling multiple LLM providers. The malicious packages contained code designed to exfiltrate API keys for OpenAI, Anthropic, Cohere, and other AI services to a remote server controlled by the attackers.

Security researchers at Socket detected the supply chain attack within hours of publication. The malicious code was embedded in the package’s initialization routines, executing automatically whenever developers imported the library. BerriAI, the company maintaining LiteLLM, worked with PyPI administrators to remove the compromised versions and published clean releases starting with version 1.52.5.

The attack exploited compromised PyPI credentials rather than a vulnerability in LiteLLM itself. This represents a growing trend in software supply chain attacks, where adversaries target package maintainer accounts to inject malicious code into legitimate, trusted libraries.

Technical Details

The malicious code operated through a multi-stage payload. Upon import, the compromised package scanned environment variables and configuration files for API keys matching patterns associated with major LLM providers. The exfiltration mechanism used HTTPS POST requests to https://api-collect-data[.]com, disguising the traffic as legitimate API calls.

Analysis of the malicious code revealed several obfuscation techniques. Variable names were randomized, and the exfiltration logic was split across multiple functions to avoid detection by static analysis tools. The attackers also implemented a delay mechanism, waiting 5-10 seconds after import before initiating the key theft to reduce the likelihood of immediate detection during testing.

The compromised versions maintained full backward compatibility with legitimate LiteLLM functionality. Applications using the malicious package would continue operating normally, making the attack difficult to detect through functional testing alone. Only network monitoring or detailed code inspection would reveal the unauthorized data transmission.

Socket’s detection relied on behavioral analysis that flagged the unexpected network connections and environment variable access patterns. The security firm maintains automated scanning of new PyPI uploads, checking for suspicious behaviors that deviate from a package’s historical patterns.

Practical Impact

Organizations using LiteLLM during the compromise window face potential exposure of their AI service credentials. Stolen API keys grant attackers access to paid AI services, enabling them to rack up charges on victim accounts or use the credentials for their own projects. More concerning, API keys often provide access to conversation histories and custom model fine-tuning data, potentially exposing proprietary information.

The incident highlights vulnerabilities in modern development workflows. Continuous integration pipelines that automatically update dependencies could have pulled the malicious versions without manual review. Developers who installed updates during the 90-minute window may have inadvertently compromised their credentials even if they later upgraded to clean versions.

BerriAI recommended that all users who installed versions 1.52.0 through 1.52.4 immediately rotate their API keys for all LLM providers. The company also implemented additional security measures, including two-factor authentication requirements for PyPI publishing and cryptographically signed releases.
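As an added example (not code from the article, LiteLLM, BerriAI or Socket), the version range and exfiltration domain reported above turned into two triage checks a responder could run: one flags a pinned `litellm` inside 1.52.0 through 1.52.4 in `pip freeze` output, the other finds egress-log lines whose request host is the reported collection domain. The pip-freeze text and the log lines are constructed samples, and the log format is assumed, not a real vendor format.

```python
import re

# Inclusive range the article reports as malicious, and the reported
# exfiltration host (written defanged as api-collect-data[.]com above).
COMPROMISED_MIN = (1, 52, 0)
COMPROMISED_MAX = (1, 52, 4)
EXFIL_HOST = "api-collect-data.com"

# Constructed `pip freeze` output from a CI image (not real data).
SAMPLE_FREEZE = """\
httpx==0.27.0
litellm==1.52.3
openai==1.54.0
"""

# Constructed egress-proxy log lines; the layout is an assumption.
SAMPLE_EGRESS_LOG = """\
2025-01-03T14:02:11Z POST https://api.openai.com/v1/chat/completions 200
2025-01-03T14:02:19Z POST https://api-collect-data.com/v1/collect 200
2025-01-03T14:03:40Z POST https://api.anthropic.com/v1/messages 200
"""

def parse_version(text: str) -> tuple:
    """Turn '1.52.3' into (1, 52, 3); a non-numeric tail such as rc1 is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_compromised_litellm(freeze_output: str) -> bool:
    """True if the pip-freeze text pins litellm inside the malicious range."""
    for line in freeze_output.splitlines():
        name, sep, ver = line.strip().partition("==")
        if sep and name.lower() == "litellm":
            return COMPROMISED_MIN <= parse_version(ver) <= COMPROMISED_MAX
    return False  # litellm not pinned in this environment

def find_exfil_requests(log_lines) -> list:
    """Return the log lines whose request URL host equals the exfil domain."""
    hits = []
    for line in log_lines:
        m = re.search(r"https?://([^/\s]+)", line)
        if m and m.group(1).lower() == EXFIL_HOST:
            hits.append(line)
    return hits
```

A positive result from either check is the cue to rotate every LLM provider key that environment could reach, as the article's remediation advice says.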

The attack demonstrates the cascading risks in software dependencies. LiteLLM serves as a foundation for numerous AI applications and frameworks. Any downstream projects using the compromised versions inherited the vulnerability, potentially multiplying the number of affected systems beyond the initial 2,000 downloads.

Outlook

This incident will likely accelerate adoption of software supply chain security tools. Package managers are exploring enhanced verification mechanisms, including mandatory code signing and anomaly detection for unusual package updates. PyPI has already announced plans to require two-factor authentication for maintainers of critical packages by mid-2025.

The attack pattern suggests increasing sophistication among adversaries targeting AI infrastructure. As organizations invest heavily in LLM integration, the value of API credentials grows, making them attractive targets. Security teams must treat API keys with the same rigor as database credentials or authentication tokens.

Dependency pinning and software bill of materials (SBOM) tracking will become essential practices. Rather than accepting automatic updates, development teams should implement review processes for dependency changes, particularly for packages with access to sensitive credentials. The LiteLLM compromise serves as a stark reminder that trust in open-source ecosystems requires continuous verification, not assumption.