LiteLLM

registry: PyPI
package name: litellm
maintainer: BerriAI

LiteLLM is a unified Python client that translates requests across 100+ LLM providers (OpenAI, Anthropic, Bedrock, Vertex AI, and others) behind a single API surface. It is used as the LLM gateway layer in many production AI agent systems and autonomous pipelines. The package intercepts every prompt, response, and tool call that passes through the agent stack.

api usage

Checking LiteLLM

litellm 1.82.7 is a confirmed malicious publish. Use it to test your integration end-to-end. The response below reflects what Attestd returns for a compromised version.

```bash
curl "https://api.attestd.io/v1/check?product=litellm&version=1.82.7" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "litellm",
  "version": "1.82.7",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": true,
    "sources": [
      "osv",
      "registry"
    ],
    "malware_type": "malicious_package",
    "description": "TeamPCP supply chain attack: a malicious version contained a credential stealer in proxy_server.py targeting LLM provider API keys. Published at 10:39 UTC and removed within six hours after community detection.",
    "advisory_url": "https://docs.litellm.ai/blog/security-update-march-2026",
    "compromised_at": "2026-03-24T10:00:00Z",
    "removed_at": "2026-03-24T18:30:00Z"
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
```

attack surface

Why this package is monitored

LLM gateway packages see all plaintext prompts and model responses before any output filtering runs. A compromised version can silently exfiltrate conversation history, injected tool results, and any API keys embedded in system prompts.

Attestd monitors litellm using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

pypi_yank

Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.
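
A deployment gate over the response shown above, as an added example (not Attestd's own code): it checks that the answer matches the queried pin, leaves `risk_state` out of the supply-chain decision, and weights the reporting sources by the confidence values listed here. The function name `gate`, the `block_at` threshold, and the treatment of a clean version (no `supply_chain` object, or `compromised: false`) are assumptions.

```python
import json

# Confidence per detection source, as listed on this page.
SOURCE_CONFIDENCE = {"registry": 1.0, "osv": 0.95, "pypi_yank": 0.80}

# Constructed sample: the fields of the response shown on this page, trimmed.
SAMPLE = json.loads("""
{"product": "litellm", "version": "1.82.7", "supported": true,
 "risk_state": "none",
 "supply_chain": {"compromised": true, "sources": ["osv", "registry"],
                  "malware_type": "malicious_package"}}
""")


def gate(resp, product, version, block_at=0.90):
    """Return (decision, reason); decision is 'allow', 'review' or 'block'.

    Hypothetical policy: block_at is an assumed threshold, not an Attestd setting.
    """
    # Fail closed when the answer is not about the exact pin that was queried.
    if (resp.get("product"), resp.get("version")) != (product, version):
        return "block", "response is for a different product/version"
    if resp.get("supported") is not True:
        return "review", "product not covered, no verdict available"

    # risk_state is deliberately not consulted here: in the sample it is
    # "none" while supply_chain.compromised is true.
    sc = resp.get("supply_chain")
    # Assumption: a clean version has no supply_chain object or compromised=false.
    if sc is None or (isinstance(sc, dict) and sc.get("compromised") is False):
        return "allow", "no supply-chain finding"
    if not isinstance(sc, dict) or sc.get("compromised") is not True:
        return "block", "malformed supply_chain field"

    # Strongest reporting source decides; unknown source names score 0.0.
    conf = max((SOURCE_CONFIDENCE.get(s, 0.0) for s in sc.get("sources") or []),
               default=0.0)
    if conf >= block_at:
        return "block", f"compromised, confidence {conf:.2f}"
    return "review", f"compromised flag below block threshold ({conf:.2f})"


if __name__ == "__main__":
    print(gate(SAMPLE, "litellm", "1.82.7"))
```

With the default threshold, a finding reported only by `pypi_yank` (0.80) lands in `review` rather than `block`; lower `block_at` to 0.80 to block on yank annotations alone.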

known incident

Confirmed malicious publish

version: 1.82.7
date: 2026-03-24
description: TeamPCP supply chain attack: a malicious version contained a credential stealer in proxy_server.py targeting LLM provider API keys. Published at 10:39 UTC and removed within six hours after community detection.
sources: osv, registry
advisory: https://docs.litellm.ai/blog/security-update-march-2026