BLOG

The LiteLLM Supply Chain Attack That Hit 97 Million MCP Installs

megaone_admin, Mar 31, 2026
Engine Score 7/10 — Important

A supply chain attack on LiteLLM was discovered on March 24, 2026, when malicious versions 1.82.7 and 1.82.8 were uploaded to PyPI. The attack was live for approximately three hours before PyPI quarantined the packages. The compromised library is a transitive dependency for many AI agent frameworks, MCP servers, and LLM orchestration tools — putting the MCP ecosystem’s 97 million installs in the blast radius.

How the Attack Worked

A threat group called “TeamPCP” obtained the LiteLLM maintainer’s PyPI credentials through a prior compromise of Trivy, an open-source security scanner used in LiteLLM’s CI/CD pipeline. The attackers bypassed official CI/CD and uploaded malicious packages directly to PyPI.

According to Trend Micro’s analysis, the attack deployed a three-stage payload: (1) credential harvesting from environment variables, (2) Kubernetes lateral movement using stolen configs, and (3) a persistent backdoor via a malicious .pth file that executes on every Python process startup. The backdoor enabled remote code execution on any system that imported the compromised package.

The MCP Connection

The attack was discovered when the compromised package was pulled as a transitive dependency by an MCP plugin running inside Cursor IDE. LiteLLM provides the model-routing layer that many MCP servers use to connect to multiple LLM providers — making it a high-value target for supply chain attacks.

MCP crossed 97 million installs in March 2026 with 10,000+ active servers. A compromised dependency at the infrastructure level means AI agents could be manipulated through their own tooling — the very layer designed to make them capable becomes the attack surface.

Immediate Remediation

Organizations affected should: remove litellm versions 1.82.7 and 1.82.8, purge pip and uv caches, rotate all credentials (SSH keys, cloud provider credentials, Kubernetes configs, API keys, database passwords), and audit logs for suspicious outbound connections during the three-hour exposure window.
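As an added triage helper (not part of this post, LiteLLM, or Trend Micro's analysis), the script below checks a site-packages directory for the two affected versions and lists every .pth line that the interpreter would execute at startup, which is the persistence mechanism described above. The constructed demo directory and its harmless placeholder hook line are assumptions; real hits need review rather than blind deletion, since setuptools and virtualenv legitimately use the same .pth import hook.

```python
"""Added triage helper: flag affected litellm installs and list .pth
lines that CPython executes at every interpreter startup."""
import re
import site
import tempfile
from pathlib import Path

AFFECTED = {"1.82.7", "1.82.8"}  # the two versions named in the advisory

def installed_litellm_versions(site_packages: Path) -> set[str]:
    """Versions present as litellm-<ver>.dist-info in one site-packages dir."""
    found = set()
    for d in site_packages.glob("litellm-*.dist-info"):
        m = re.fullmatch(r"litellm-(.+)\.dist-info", d.name)
        if m:
            found.add(m.group(1))
    return found

def affected_versions(site_packages: Path) -> set[str]:
    return installed_litellm_versions(site_packages) & AFFECTED

def code_running_pth_lines(site_packages: Path) -> list[tuple[str, str]]:
    """(file, line) for .pth lines the site module exec()s at startup: only
    lines starting with 'import' + space/tab; plain path lines never run.
    setuptools and virtualenv use the same hook, so hits need human review."""
    hits = []
    for p in sorted(site_packages.glob("*.pth")):
        for line in p.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):
                hits.append((p.name, line.strip()))
    return hits

def build_demo_site_packages() -> Path:
    """Constructed sample tree for the demo (an assumption, not a real install)."""
    root = Path(tempfile.mkdtemp())
    (root / "litellm-1.82.7.dist-info").mkdir()
    (root / "requests-2.31.0.dist-info").mkdir()
    (root / "easy-install.pth").write_text("./pkgs/somelib\n")
    # Harmless placeholder for a startup hook line; not the real payload.
    (root / "zzz_hook.pth").write_text("import builtins; builtins._demo = 1\n")
    return root

if __name__ == "__main__":
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        sp = Path(d)
        if sp.is_dir():
            print(sp, "affected:", sorted(affected_versions(sp)) or "none")
            for name, line in code_running_pth_lines(sp):
                print("  review .pth:", name, "->", line)
```

Run it inside each affected interpreter (including uv-managed and IDE-bundled environments), since each has its own site-packages and its own .pth files.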

MegaOne AI Editorial Team