This notice is not related to the CircleCI product. We are sharing it as a courtesy to help our customers protect their environments and follow security best practices.
What happened
On March 24, 2026, two compromised versions of the LiteLLM Python package (v1.82.7 and v1.82.8) were published to PyPI after a maintainer account was reportedly compromised. The malicious packages contained a credential stealer, a .pth file (litellm_init.pth) that executes automatically (without requiring import statements) whenever any Python interpreter starts on the affected system. Upon execution, the malicious file harvested environment variables, cloud provider credentials, SSH keys, and other secrets, then exfiltrated them to models.litellm[.]cloud — a domain not affiliated with LiteLLM.
This incident appears linked to the same threat actor (TeamPCP) behind the recent Trivy supply chain compromise.
The compromised packages have been removed from PyPI. For full technical details and LiteLLM’s own response — which should be treated as the authoritative source — see BerriAI’s advisory.
Are CircleCI customers impacted?
Probably not. Our security team has investigated CircleCI’s own infrastructure and found no evidence of compromise. However, you may be individually impacted if your CI/CD pipelines independently install LiteLLM as a dependency. We encourage you to review LiteLLM’s advisory and take the precautionary steps below.
You may be impacted if
- Your pipelines ran pip install litellm without a pinned version between approximately 10:39 UTC and 16:00 UTC on March 24, 2026
- You built a Docker image during this window that included an unpinned pip install litellm
- A dependency in your project pulled in LiteLLM as a transitive, unpinned dependency — this can occur in AI agent frameworks, MCP servers, and LLM orchestration tooling
You are probably not impacted if
- You run LiteLLM Cloud (hosted service)
- You use the official LiteLLM Docker image (ghcr.io/berriai/litellm)
- You are pinned to v1.82.6 or earlier and did not upgrade during the affected window
- You installed LiteLLM from source via the GitHub repository (which was not compromised)
Indicators of compromise
- litellm_init.pth present in your Python site-packages directory
- DNS or network connections to models.litellm[.]cloud (not affiliated with LiteLLM)
Recommended actions
If you installed or ran v1.82.7 or v1.82.8:
- Rotate all secrets that were present on affected systems. This includes CI/CD tokens, cloud provider credentials, API keys, SSH keys, database passwords, and any secrets injected via contexts or environment variables.
- Pin your installation to v1.82.6 (or a forthcoming verified release) and validate the package checksum before deploying.
- Check for IOCs — look for litellm_init.pth in site-packages and inspect DNS/network logs for connections to models.litellm[.]cloud.
- Review audit logs — inspect cloud provider logs (e.g., AWS CloudTrail, GCP Audit Logs) for unexpected activity from roles or credentials used in your CI pipelines.
- See our guide on token rotation best practices.
For the latest updates and full technical detail, please refer to LiteLLM’s advisory, which is the authoritative source for this incident.
If you have questions, please reach out to your Technical Success Manager or visit support.circleci.com.