Features 21.04.2026

AI Autopsy: The LiteLLM Backdoor Shows Why AI Gateways Are Prime Supply-Chain Targets

Ian Williams explores how a poisoned PyPI package turned an AI proxy into a shortcut to cloud, code and runtime environments


Sixty-second snapshot:

  • LiteLLM is widely used as a single API layer for routing requests across multiple LLM providers, making it a natural place for API keys, model credentials and other secrets to accumulate
  • In March, Endor Labs identified malicious LiteLLM versions 1.82.7 and 1.82.8 on PyPI, which were designed to steal these secrets
  • Wiz said attackers moved from theft to secret validation and discovery operations within as little as 24 hours, with observed activity spanning AWS, GitHub workflows and ECS Exec
  • Security leaders should treat this as a credential exposure event and an environment compromise, not a simple package clean-up job
  • Immediate priorities are to remove the affected versions, rotate exposed credentials, review cloud and CI/CD access, hunt for persistence and reduce what AI gateways are allowed to reach
  • Treat AI gateways and orchestration components as part of the control plane, because they aggregate credentials, broker access to models and sit in the middle of sensitive data flows
  • Longer term, focus on package consumption hygiene with cooldown periods before newly published packages can be consumed, and trusted publishing controls that reduce the risk of a compromised build or release path
  • Leaner production build pipelines and short-lived credentials can help to reduce the attack surface and blast radius of attacks
  • Pinned dependencies, package mirrors and egress controls all help to improve DevOps security, while runtime visibility is vital to spotting malicious packages

There is a short version of the LiteLLM story. A popular open-source AI package was backdoored, and attackers stole secrets. Security teams were told to rotate credentials and move on. But the longer version is more interesting.

The LiteLLM campaign sits at the intersection of several trends at once. AI tooling is moving rapidly into production. Sensitive credentials are collecting around gateways. And supply-chain attackers are increasingly advancing from throwaway typo-squats to better-known packages with a far larger blast radius.

Not just another bad PyPI release

According to Endor Labs, the malicious releases of LiteLLM carried a three-stage attack chain: credential harvesting, attempted lateral movement across Kubernetes clusters and a persistent backdoor. Version 1.82.8 was the more aggressive of the two because it added a .pth file that could run the payload on any Python invocation, even if LiteLLM itself was never imported. The hackers targeted SSH keys, cloud credentials, Kubernetes secrets, .env files, database configurations, TLS keys and CI/CD secrets.
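The start-up hook described above relies on a documented CPython behaviour: the site module processes every .pth file in a site-packages directory and executes any line that begins with "import", whether or not the package that shipped the file is ever imported. The following scanner, added here as an example and not code from LiteLLM, Endor Labs or Wiz, enumerates such lines so a responder can triage them; the sample .pth contents it scans are constructed.

```python
"""Hunt for .pth files that would execute code at every interpreter start.

Added example for this article; it is not code from LiteLLM, Endor Labs or
Wiz. CPython's site module reads every *.pth file in each site-packages
directory and executes any line beginning with "import " (or "import\\t"),
which is the start-up hook the article describes for version 1.82.8.
"""
import os
import site
import tempfile


def executable_pth_lines(path):
    """Return (line number, text) for the lines the site module would exec()."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if line.startswith(("import ", "import\t")):
                hits.append((lineno, line.rstrip("\n")))
    return hits


def scan_site_packages(dirs=None):
    """List every .pth file with executable lines in the given directories
    (defaults to this interpreter's system and user site-packages)."""
    if dirs is None:
        dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                full = os.path.join(d, name)
                hits = executable_pth_lines(full)
                if hits:
                    findings.append((full, hits))
    return findings


def demo():
    """Scan a constructed directory holding one plain path entry and one
    .pth file with an import line (sample content, not a real payload)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "mypkg.pth"), "w", encoding="utf-8") as fh:
            fh.write("/opt/mypkg/src\n")  # ordinary path entry: never executed
        with open(os.path.join(d, "odd.pth"), "w", encoding="utf-8") as fh:
            fh.write("import sys; sys.stderr.write('constructed sample')\n")
        return [(os.path.basename(p), h) for p, h in scan_site_packages([d])]


if __name__ == "__main__":
    for path, hits in scan_site_packages():
        print(path)
        for lineno, text in hits:
            print(f"  {lineno}: {text}")
```

Findings need triage rather than automatic deletion: legitimate tooling uses the same mechanism (setuptools ships distutils-precedence.pth with an import line, and virtualenv ships _virtualenv.pth), so compare each hit against the RECORD file of the package that owns it and against a clean install of the same version.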

Additional research by Wiz suggests the incident did not stop at theft. The company said it observed the stolen secrets being validated and then used in follow-on operations, including AWS discovery, GitHub workflow abuse, ECS Exec activity and further exfiltration. In some cases, it said, discovery began within 24 hours of the initial theft.
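The validate-then-enumerate sequence described above leaves a recognisable trace in cloud audit logs: a key that is first checked with an identity call and then used for discovery APIs from an address the gateway workload never uses. The detection below is an added example, not Wiz's or Endor Labs' logic; the event records mimic the shape of AWS CloudTrail entries, and the key ids, timestamps and the "known egress" network are constructed placeholders.

```python
"""Flag access keys showing a 'validate, then enumerate' pattern from
unfamiliar addresses, the post-theft behaviour the article describes.

Added example for this article; not Wiz's or Endor Labs' detection logic.
Records mimic the shape of AWS CloudTrail events (eventTime, eventName,
sourceIPAddress, userIdentity.accessKeyId). The sample events, key ids and
the "known egress" network are constructed placeholders.
"""
import ipaddress
from collections import defaultdict

# Placeholder: replace with the NAT/egress ranges your gateway workloads use.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
ENUMERATION_PREFIXES = ("List", "Describe")

# Constructed sample: key 01 behaves normally from the known range, key 02
# validates and enumerates from an unknown address, key 03 only enumerates.
SAMPLE_EVENTS = [
    {"eventTime": "2030-01-10T08:00:01Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIA-CONSTRUCTED-01"}},
    {"eventTime": "2030-01-10T08:00:05Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIA-CONSTRUCTED-01"}},
    {"eventTime": "2030-01-10T09:14:02Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIA-CONSTRUCTED-02"}},
    {"eventTime": "2030-01-10T09:14:09Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIA-CONSTRUCTED-02"}},
    {"eventTime": "2030-01-10T09:14:30Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIA-CONSTRUCTED-02"}},
    {"eventTime": "2030-01-10T10:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.9", "userIdentity": {"accessKeyId": "AKIA-CONSTRUCTED-03"}},
]


def from_known_network(ip):
    """True when the source address falls inside one of the expected egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def suspicious_keys(events):
    """Map accessKeyId -> ordered event names for keys that, from an address
    outside KNOWN_EGRESS, called GetCallerIdentity and then enumerated."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key and not from_known_network(ev["sourceIPAddress"]):
            by_key[key].append(ev["eventName"])
    flagged = {}
    for key, names in by_key.items():
        if "GetCallerIdentity" not in names:
            continue
        after = names[names.index("GetCallerIdentity") + 1:]
        if any(n.startswith(ENUMERATION_PREFIXES) for n in after):
            flagged[key] = names
    return flagged


if __name__ == "__main__":
    for key, names in suspicious_keys(SAMPLE_EVENTS).items():
        print(key, "->", " > ".join(names))
```

Every key this flags should go straight onto the rotation list, and the keys that were present on the compromised host but have not yet shown this pattern belong there too; absence of a detection is not evidence that a stolen secret was never used.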

Ben Read, director of strategic threat intelligence at Wiz, tells Assured Intelligence that the key sign this had moved beyond simple credential theft was that exfiltrated secrets were soon being used from separate infrastructure in fresh operations. He argues that the biggest mistake defenders can make is to treat the incident as “just a bad package version” rather than a broader compromise of cloud, code and runtime environments.

Why LiteLLM was worth the effort

Endor’s public analysis places the compromise within a broader TeamPCP campaign that it said has already spread across multiple ecosystems, including GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI. It explained that the threat actor targeted security-adjacent tools such as Trivy and Checkmarx KICS before moving on to the LLM proxy server and AI gateway.

“The tradecraft is becoming more sophisticated, and the popularity of the packages being hit is becoming more important” Henrik Plate

In fact, separate research claims the attack vector for the LiteLLM campaign was “almost certainly” the Trivy CI/CD compromise, which enabled TeamPCP to harvest LiteLLM’s PyPI publishing token. Three days after LiteLLM, the same actor was tied to a fresh compromise of Telnyx on PyPI.

Henrik Plate, head of security research at Endor Labs, tells Assured Intelligence that the bigger picture is worth taking seriously. “The tradecraft is becoming more sophisticated, and the popularity of the packages being hit is becoming more important,” he says. He points to a move away from the lower-impact world of typo-squatted packages towards attacks on visible, legitimate projects with a far greater reach. He also suggests that once attackers harvest large volumes of credentials, the campaign is unlikely to stop with a single project.

Plate explains that LiteLLM was attractive for simple reasons. It is popular, and it sits close to valuable secrets. Because it acts as a router between users and multiple LLM providers, it is exactly the kind of component likely to have API tokens and cloud access nearby. That makes it a high-value target, whether or not an attacker is especially interested in AI as a category.

Wiz’s Read makes a similar point. In his view, LiteLLM mattered because it sits in a critical layer of the AI stack. But more importantly, it lives where “the most sensitive material accumulates”, including API keys, model credentials and downstream cloud access.

A control-plane problem dressed as an AI story

Greg Crowley, CISO at eSentire, tells Assured Intelligence that this should be treated as “a credential exposure event”, not a package clean-up exercise. In his view, the bigger lesson is that this is “a classic supply chain and identity hygiene problem wearing an AI label”, albeit one amplified by the fact that these systems often sit closer to sensitive data and production workflows.

“AI credentials are the real payload” Conor Sherman

Crowley adds that incidents like this should change how teams treat AI gateways and orchestration components. Rather than viewing them as mere tooling, he argues that they should be considered part of the control plane because they aggregate credentials, broker access to models and sit in the middle of sensitive data flows.

Conor Sherman, CISO in residence at Sysdig, frames the incident in similarly blunt terms. “Those credentials are the real payload,” he tells Assured Intelligence, arguing that the first hour of incident response should focus on containment, egress control and rapid credential rotation. Sherman adds that AI pipelines have become “connective tissue”, pulling together model credentials, cloud APIs, Kubernetes secrets and CI/CD tokens in a way that can dramatically expand the blast radius.

What CISOs should do now

Given this context, the question becomes: “What should defenders actually change?”

Endor Labs’ Plate starts with package-consumption hygiene. He explains that two of the most effective mitigations are cooldown periods before newly published packages can be consumed and trusted publishing controls that reduce the risk of a compromised build or release path. He also argues for leaner production build pipelines, warning that sprawling build workflows increase the attack surface and often run with shared privileges.
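A cooldown policy is simple to express in code: resolve a dependency to the newest release that has been public for at least N days and is not on a blocklist, and fail closed when nothing qualifies. The resolver below is an added example, not LiteLLM's or Endor Labs' tooling; the release table mirrors the shape of PyPI's JSON API ("releases" maps a version to its files, each carrying "upload_time_iso_8601"), but the timestamps and the reference time are constructed, and only the two blocked version numbers come from the article.

```python
"""Pick a dependency version that respects a cooldown and a blocklist.

Added example for this article, not LiteLLM's or Endor Labs' own tooling.
The release table mirrors the shape of PyPI's JSON API ("releases" maps a
version to a list of files, each with "upload_time_iso_8601"); the
timestamps below are constructed, not real LiteLLM data, and only the two
version numbers in BLOCKED_VERSIONS come from the reporting.
"""
from datetime import datetime, timedelta, timezone

# Versions named in the reporting as the malicious releases.
BLOCKED_VERSIONS = {"1.82.7", "1.82.8"}

# Constructed reference time and release table for the demo.
NOW = datetime(2030, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_RELEASES = {
    "1.82.6": [{"upload_time_iso_8601": "2029-12-31T12:00:00.000000Z"}],  # 10 days old
    "1.82.7": [{"upload_time_iso_8601": "2030-01-05T12:00:00.000000Z"}],  # 5 days old
    "1.82.8": [{"upload_time_iso_8601": "2030-01-09T12:00:00.000000Z"}],  # 1 day old
    "1.82.9": [{"upload_time_iso_8601": "2030-01-10T00:00:00.000000Z"}],  # 12 hours old
}


def parse_version(version):
    """Assumes plain dotted-integer versions, which is enough for this demo."""
    return tuple(int(part) for part in version.split("."))


def first_upload(files):
    """Earliest upload time across a release's files, as an aware datetime."""
    stamps = (datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
              for f in files)
    return min(stamps)


def select_version(releases, now, cooldown_days=3, blocked=BLOCKED_VERSIONS):
    """Return the newest version at least `cooldown_days` old and not blocked,
    or None when nothing qualifies (callers should fail closed, not fall back)."""
    cooldown = timedelta(days=cooldown_days)
    eligible = []
    for version, files in releases.items():
        if version in blocked or not files:
            continue
        if now - first_upload(files) >= cooldown:
            eligible.append((parse_version(version), version))
    return max(eligible)[1] if eligible else None


def constraint_line(name, version):
    """Render a pip constraints entry, e.g. one line of a constraints.txt file."""
    return f"{name}=={version}"


if __name__ == "__main__":
    chosen = select_version(SAMPLE_RELEASES, NOW)
    print(constraint_line("litellm", chosen) if chosen else "no eligible release")
```

On the constructed table the cooldown alone would have selected 1.82.7, because five days had passed since its upload; only the blocklist pushes the choice back to 1.82.6. That is the point of layering the two controls: a cooldown buys time for the ecosystem to notice a bad release, and a blocklist acts on what was noticed.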

“This is a classic supply chain and identity hygiene problem wearing an AI label” Greg Crowley

The emphasis for eSentire’s Crowley is more squarely on identity. He says short-lived credentials and workload identity remain major gaps, and that while organisations may not be able to stop every bad package, they can do much more to reduce what can be stolen.

Sysdig’s Sherman pushes the same point further into runtime. Pinned dependencies, package mirrors and egress controls all help, he says. But without runtime visibility, many teams still cannot answer the question that matters most during incidents like this: Is this workload doing something it should not be doing?

This is probably the clearest lesson from LiteLLM. The compromise appears to fit a widening campaign targeting software that sits close to secrets, trust relationships and privileged automation. In that sense, the AI angle is real, but not because the model itself was attacked. It is real because the surrounding AI plumbing is becoming a more attractive place to steal access from. Endor’s public reporting and Wiz’s post-compromise tracking both point in that direction.

For CISOs, the advice is rudimentary. Remove the affected package versions. Rotate exposed credentials. Hunt for persistence. Review cloud, CI/CD and container access. But the broader takeaway may be the more important one: AI gateways now look much less like convenience software and much more like control-plane infrastructure. Attackers appear to have noticed.
