The attack targeted a library with tens of millions of monthly downloads and led to the leak of hundreds of gigabytes of data. Hackers gained access to keys, passwords, and corporate infrastructure.

AI under attack: Popular library for developers compromised

30.03.2026

On March 24, 2026, while developers continued working with AI tools, the popular Python library LiteLLM on PyPI was quietly poisoned. GetBlock AML Research has released an overview of what appears to be the first major attack targeting a widely used tool for AI developers.

LiteLLM is an open-source library downloaded up to 97 million times per month. Early that morning, attackers modified its repository and released two compromised versions — 1.82.7 and 1.82.8. Within just three hours, tens of thousands of developer machines and corporate systems may have been exposed to data leaks. Unlike typical breaches, this was not a one-off hack but a carefully orchestrated attack chain.

Overview of the LiteLLM Attack

The root cause wasn’t a flaw in LiteLLM itself. The issue ran deeper: the security scanning tool Trivy, used in the automated build and release process, was compromised.

Attack Timeline

  • March 19: Attackers injected malicious code into Trivy by altering its components.
  • March 23: Another security tool was compromised, setting the stage for the next phase.
  • March 24: During LiteLLM’s automated build, the already infected Trivy was used. As a result, attackers stole a publishing key and bypassed the standard release process to push malicious versions of the library.

Initially, the attack was meant to remain undetected. However, a bug in the malicious code caused it to repeatedly execute, overloading memory and triggering system crashes. This unintended behavior helped expose the attack earlier than planned. Otherwise, it could have gone unnoticed for weeks.

Technical details of the LiteLLM attack

How the Malware Worked

The attack was multi-stage and far more dangerous than typical incidents.

Stage one: data collection. The malware searched for virtually anything valuable on infected systems: access keys, command history, configurations, database credentials, cloud service data, and even crypto wallet files.

It’s important to note that LiteLLM often acts as a gateway to multiple AI services. This means systems may store access keys for several platforms at once. Gaining access to them effectively opens the door to a company’s internal infrastructure.

Stage two: data exfiltration. All collected data was encrypted and sent to a fake server controlled by the attackers. The domain appeared legitimate but was not affiliated with the project. Reports indicate around 300 GB of data was stolen, including roughly 500,000 credentials.

Stage three: persistence. A hidden file was created to maintain ongoing access. Even if the library was removed, the malicious component could continue running in the background.

In corporate environments, attackers could move laterally, spreading access to other servers and systems. A single infected machine could become an entry point into an entire network.

Why This Attack Matters

The goal wasn’t just disruption — it was stealthy access to large volumes of sensitive data: passwords, API keys, and system credentials.

This sets a dangerous precedent for several reasons. First, the attack didn’t target a specific company but a widely used tool, meaning thousands of organizations could have been affected at once.

Second, the infection happened automatically. Simply updating a library or installing a dependency could trigger it, without any warning signs.

Third, the malware was designed to remain hidden and persist even after removal, making detection significantly more difficult.

Potential Impact

Although the compromised versions have been removed, the consequences may linger. One major risk is hidden backdoors. Users may believe they are safe after removing the library, while malicious code continues to run.

There is also a risk of a chain reaction. Stolen data can be used to breach other systems, creating a domino effect. Additionally, LiteLLM is used as a dependency in over 2,000 projects, meaning many developers may have installed the compromised version indirectly without realizing it.

What You Should Do

Users are strongly advised to check their LiteLLM version and remove any compromised releases.

It’s also critical to rotate all access keys, passwords, and sensitive credentials, as they may have been exposed. Going forward, developers should pin dependency versions and place greater emphasis on securing build and release pipelines.
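The version check and the pinning advice above can be automated. The following is an added example, not code from GetBlock or the LiteLLM project: it flags the two releases named in this article in a requirements file and in the current environment, and reports unpinned `litellm` entries. The function names and the sample requirements are constructed for illustration.

```python
import re
from importlib import metadata

# The two releases the article names as compromised.
COMPROMISED = {"1.82.7", "1.82.8"}

# "litellm" (not "litellm-something"), optional extras, then the specifier.
_REQ = re.compile(r"^\s*litellm(?![A-Za-z0-9._-])(\[[^\]]*\])?\s*(?P<spec>[^;#]*)", re.I)
# An exact pin: "==X" or "===X" with no wildcard and no second clause.
_PIN = re.compile(r"^===?\s*(?P<ver>[0-9][^\s,*]*)$")

def audit_requirements(lines):
    """Return (line_no, text, verdict) for each litellm requirement line."""
    findings = []
    for no, raw in enumerate(lines, start=1):
        m = _REQ.match(raw)
        if not m:
            continue
        # Drop pip options such as "--hash=..." that follow the specifier.
        spec = m.group("spec").split("--")[0].strip()
        pin = _PIN.match(spec)
        if pin is None:
            verdict = "unpinned"      # resolver may select any release in range
        elif pin.group("ver") in COMPROMISED:
            verdict = "compromised"
        else:
            verdict = "ok"
        findings.append((no, raw.strip(), verdict))
    return findings

def installed_status(dist="litellm"):
    """Check the distribution installed in the current environment."""
    try:
        ver = metadata.version(dist)
    except metadata.PackageNotFoundError:
        # Absence is not a clean bill: the article says persistence outlives removal.
        return None, "not installed"
    return ver, ("compromised" if ver in COMPROMISED else "ok")

# Constructed sample requirements file (not taken from any real project).
SAMPLE = """\
requests==2.32.3
litellm==1.82.7
litellm[proxy]>=1.80
litellm-extras-example==0.1.0
LiteLLM == 1.82.6  # constructed pin
""".splitlines()

if __name__ == "__main__":
    for no, text, verdict in audit_requirements(SAMPLE):
        print(f"line {no}: {verdict:11} {text}")
    print("installed:", installed_status())
```

Because LiteLLM is often pulled in indirectly, run `installed_status()` inside every virtual environment and container image rather than relying only on top-level requirements files.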

Hackers Are Targeting AI Developers

The LiteLLM attack highlights how fragile modern digital infrastructure can be. Even if core code is secure, a weak link in the supply chain can lead to serious consequences.

This case is a reminder that security depends not just on a single product, but on the entire ecosystem around it. Ignoring these risks can result in data breaches, financial losses, and loss of control over systems.
