Author: HIBIKI, Crypto City
LiteLLM suffers a supply chain attack, with hundreds of GB of data and 500,000 credentials leaked
The AI open-source package LiteLLM, with a daily download rate of up to 3.4 million, is an important bridge for many developers connecting multiple large language models (LLMs), but it has recently become a target for hackers. Kaspersky estimates that this wave of attacks has put over 20,000 code repositories at risk, with hackers claiming to have stolen hundreds of GB of confidential data and over 500,000 account credentials, causing serious disruptions to global software development and cloud environments.
After tracing back the incident, cybersecurity experts found that the source of the LiteLLM hacking event was the open-source security tool Trivy, which many enterprises use to scan for system vulnerabilities.
This is a typical nested supply chain attack: the attackers compromise an upstream tool that the victim already trusts and quietly embed malicious code in it, akin to poisoning the water at the treatment plant so that every downstream consumer is affected without knowing it.
Source: Trivy | The source of the LiteLLM hacking incident was the open-source security tool Trivy, which many enterprises use to scan for system vulnerabilities.
The full process of the LiteLLM attack: from security tools to cascading explosions in AI packages
According to analyses by cybersecurity companies Snyk and Kaspersky, the LiteLLM attack was seeded as early as the end of February 2026.
Hackers exploited a vulnerability in GitHub’s CI/CD (the process that automates software testing and deployment) to steal the access token of Trivy maintainers. Because the stolen tokens were never fully revoked, the attackers were able to alter Trivy’s release tags on March 19, so that automated pipelines fetched a build of the scanning tool containing malicious code.
Subsequently, hackers used the same method to take control of LiteLLM’s release rights on March 24 and uploaded versions 1.82.7 and 1.82.8 containing malicious code.
Around this time, developer Callum McMahon, while testing an extension for the Cursor editor, found that the system automatically downloaded the latest version of LiteLLM, which immediately exhausted his computer’s resources.
While debugging with an AI assistant, he discovered that a flaw in the malicious code had accidentally triggered a fork bomb, a process that keeps spawning copies of itself until it consumes all available memory and CPU, which exposed the otherwise covert attack earlier than intended.
According to Snyk’s analysis, the malicious code in this attack is divided into three stages:
Timeline of the LiteLLM and Trivy supply chain attack
Is your wallet and credentials secure? Detection and remediation guide
If you installed or updated the LiteLLM package after March 24, 2026, or if your automated development environment used the Trivy scanning tool, your system is very likely compromised.
According to the recommendations of Callum McMahon and Snyk, the first task in protection and remediation is to confirm the scope of the compromise and to close the hackers’ backdoor completely.
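Two defender-side checks that follow from the incident described above, as an added example that is not part of the article or of the LiteLLM or Trivy projects: flag dependency pins on the LiteLLM releases the article names as malicious (1.82.7 and 1.82.8) or specifiers that float to the newest release, and flag GitHub Actions `uses:` references that point at a movable tag or branch instead of an immutable commit SHA, since the attack worked by moving release tags. The sample requirements file, workflow, action names and SHA are constructed placeholders.

```python
import re

# Malicious LiteLLM releases named in the article above.
COMPROMISED_LITELLM = {"1.82.7", "1.82.8"}

_REQ_RE = re.compile(r"^litellm(?![\w-])(?:\[[^\]]*\])?\s*(.*)$", re.I)
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s#]+)", re.M)
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def check_requirements(text):
    """Classify litellm lines of a pip requirements file into (compromised, floating):
    exact pins on a known-bad release, and specifiers that let the installer
    resolve to "latest", which is how the trojaned release was pulled in."""
    compromised, floating = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = _REQ_RE.match(line)
        if not m:
            continue
        spec = m.group(1).split(";", 1)[0].strip()   # drop environment markers
        if spec.startswith("=="):
            version = spec[2:].strip()
            if version in COMPROMISED_LITELLM:
                compromised.append(version)
        else:
            floating.append(line)
    return compromised, floating

def unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is a tag or branch rather than a
    40-hex commit SHA: a tag can be moved, as the Trivy release tags were."""
    return [(action, ref) for action, ref in _USES_RE.findall(workflow_text)
            if not _SHA_RE.match(ref)]

# Constructed sample inputs; the action names and SHA are placeholders.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
litellm[proxy]==1.82.8   # exact pin on a malicious release
litellm>=1.80            # floating: installs the newest release
"""
SAMPLE_WORKFLOW = """\
steps:
  - uses: example-org/checkout-action@0123456789abcdef0123456789abcdef01234567
  - uses: example-org/scanner-action@v1.2.3
  - uses: example-org/scanner-action@main
"""

if __name__ == "__main__":
    print(check_requirements(SAMPLE_REQUIREMENTS))   # (['1.82.8'], ['litellm>=1.80'])
    print(unpinned_actions(SAMPLE_WORKFLOW))
```

Run the same two functions over your own lockfiles and `.github/workflows/*.yml` files; any hit in the first list means the compromised release is installed, and every entry in the second list is an upstream that can be swapped out from under your pipeline.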
Kaspersky suggests that to enhance the security of GitHub Actions, the following open-source tools can be used:
Behind the LiteLLM attack, hackers have long been eyeing the lobster farming craze
According to analyses by Snyk and by Huli, an engineer who focuses on cybersecurity, the mastermind behind this incident is a hacker group named TeamPCP, which has been active since December 2025 and regularly sets up channels on messaging apps such as Telegram to coordinate its activity.
Huli pointed out that during the attack, the hackers used an automated attack component named hackerbot-claw. This name cleverly aligns with the recent trend of lobster farming (OpenClaw) AI agents that have gained popularity in the AI community.
These hackers specifically targeted widely used infrastructure tools with high permissions, including Trivy and LiteLLM, and knew how to leverage the latest AI trends to expand the scale of their attacks, demonstrating a highly organized and targeted criminal methodology.
Source: Huli Casual Chat | Engineer Huli discussing the Trivy and LiteLLM supply chain attack incident (partial screenshot)
As AI tools become more prevalent, permission control and supply chain security in development processes have become risks that all enterprises cannot afford to ignore.
Incidents such as the recent hijacking of a well-known developer’s NPM account, which led to malicious code being injected into JavaScript packages and put many DApps and wallets at risk, or Anthropic’s disclosure that Chinese hackers carried out the first large-scale AI-automated cyber espionage operation through Claude Code, serve as important warnings.