Automic Vault

LiteLLM PyPI compromise

How Automic Vault would have prevented the LiteLLM PyPI compromise.

The poisoned LiteLLM releases were an upstream PyPI failure, but the breach became dangerous only after package code inherited local secrets. Automic Vault would have prevented that workstation credential theft phase.


Published March 25, 2026

Automic Vault would have prevented the damaging local phase of this incident: the moment malicious package or extension code tried to read workstation secrets, use credential-bearing tools, or install persistence as the developer.

Date: March 24, 2026
Trigger: litellm 1.82.7 executed the payload when package code ran; 1.82.8 added a Python .pth startup hook, so the payload also ran whenever an interpreter in that environment started.
Local targets: ~/.ssh, cloud credential files, environment variables, Kubernetes tokens, database passwords, and .env-style secrets.
Follow-on behavior: Data exfiltration to a lookalike LiteLLM domain plus persistence under user config and systemd paths.

On March 24, 2026, malicious LiteLLM releases 1.82.7 and 1.82.8 reached PyPI. Public analysis from Datadog and Snyk ties the poisoned releases to a wider TeamPCP supply-chain campaign that first stole publishing material through other developer tooling.

The high-risk version was 1.82.8 because the attacker added a Python .pth file. At interpreter startup, Python's site module processes every .pth file in site-packages and executes any line in it that begins with import, so the malware did not need a developer to explicitly import LiteLLM in the application path. Any normal local Python startup in the affected environment could trigger collection.
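To make the startup-hook mechanism concrete, here is an added example written for this page (it is not Automic Vault's or LiteLLM's code, and it is not the actual payload). It writes a harmless, constructed .pth line into a temporary directory, has a fresh interpreter treat that directory as a site directory through the same site.addsitedir() call site.py makes for site-packages, and shows the line executed with no import of any package. It then lists every executable .pth line in a site directory and flags the ones that decode or execute embedded code, which is the kind of package state that should be visible as a local hazard before the interpreter ever starts. The sample .pth files, the pattern list, and the "suspicious"/"review" verdicts are assumptions for illustration.

```python
import base64
import os
import re
import site
import subprocess
import sys
import tempfile

# Python's site module treats a .pth line that starts with "import " as code
# and exec()s it while processing site-packages at interpreter startup. Every
# other non-blank, non-comment line is just a path appended to sys.path.
IMPORT_PREFIXES = ("import ", "import\t")

# Harmless constructed hook line used only for this demonstration.
DEMO_HOOK_LINE = "import sys; sys.pth_hook_ran = True"


def demonstrate_pth_startup_hook() -> bool:
    """Show that a .pth import line runs with no explicit import by the app.

    A fresh interpreter is told to treat a temp dir as a site dir (the same
    site.addsitedir() call site.py makes for each site-packages directory)
    and then reports whether the hook line executed.
    """
    with tempfile.TemporaryDirectory() as site_dir:
        with open(os.path.join(site_dir, "demo_hook.pth"), "w", encoding="utf-8") as fh:
            fh.write(DEMO_HOOK_LINE + "\n")
        probe = ("import site, sys; site.addsitedir(sys.argv[1]); "
                 "print(getattr(sys, 'pth_hook_ran', False))")
        result = subprocess.run([sys.executable, "-c", probe, site_dir],
                                capture_output=True, text=True, check=True)
        return result.stdout.strip() == "True"


# Constructs typical of droppers rather than of benign editable-install hooks:
# decoding, dynamic code execution, process spawning, or network access.
# This list is an assumption for the example, not a complete detection rule.
SUSPICIOUS_RE = re.compile(
    r"\b(?:exec|eval|compile)\s*\(|base64|zlib|marshal|"
    r"subprocess|os\.system|os\.popen|socket|urllib|http",
    re.IGNORECASE,
)


def executable_pth_lines(site_dir: str) -> list:
    """Return (filename, line) for each .pth line the interpreter would exec."""
    hits = []
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        with open(os.path.join(site_dir, name), encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                line = raw.rstrip()
                if line.startswith(IMPORT_PREFIXES):
                    hits.append((name, line))
    return hits


def classify(line: str) -> str:
    """'suspicious' if the line carries dropper-style constructs, else 'review'."""
    return "suspicious" if SUSPICIOUS_RE.search(line) else "review"


def demo_scan() -> dict:
    """Run the scanner over a constructed site dir; returns {file: verdict}.

    Files are constructed for this example: one modeled on setuptools'
    distutils-precedence.pth, one plain path entry (never executed), and one
    dropper-style hook whose payload is just print('hook') and is never run.
    """
    payload = base64.b64encode(b"print('hook')").decode()
    files = {
        "distutils-precedence.pth": (
            "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; "
            "enabled = os.environ.get(var, 'local') == 'local'; "
            "enabled and __import__('_distutils_hack').add_shim();\n"),
        "editable_paths.pth": "/opt/example/src\n",
        "zz_vendor_hook.pth": f"import base64, sys; exec(base64.b64decode('{payload}'))\n",
    }
    with tempfile.TemporaryDirectory() as site_dir:
        for name, body in files.items():
            with open(os.path.join(site_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {name: classify(line) for name, line in executable_pth_lines(site_dir)}


if __name__ == "__main__":
    print("startup hook ran without any import:", demonstrate_pth_startup_hook())
    print("constructed scan:", demo_scan())
    # Real inventory of this interpreter's site directories (prints, never execs).
    for site_dir in site.getsitepackages() + [site.getusersitepackages()]:
        if os.path.isdir(site_dir):
            for name, line in executable_pth_lines(site_dir):
                print(f"{classify(line):10} {os.path.join(site_dir, name)}: {line[:90]}")
```

Run it as a script and the last loop prints the executable .pth lines already present in your own site-packages; the "review" verdict is deliberate, because legitimate tooling (setuptools, virtualenv, editable installs) also relies on import lines, and the point is that every one of them is a startup hook worth knowing about, not that all of them are malicious.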

The payload looked for exactly the files developers tend to leave on a Mac or Linux workstation: SSH keys, cloud CLI credentials, Kubernetes material, database passwords, .env-style secrets, and environment variables. That is why this was not only a package integrity incident. It was a local developer credential theft incident.

The core failure was ambient authority. Once the package executed, it ran as the developer and could read the same home-directory files the developer could read. PyPI quarantine shortened the exposure window, but quarantine happened after the malicious code had already reached some machines.

A lockfile, vulnerability scanner, or registry advisory can tell you that a bad release exists. It cannot un-read SSH keys, cloud tokens, or kubeconfig from a machine where the payload has already run. Prevention has to happen before package code can touch those files.

01 / files

Secret files would not be readable

Automic Vault moves supported secrets out of plaintext files and makes exposed local hazards visible. LiteLLM package code would not have found raw AWS, GitHub, .env, or SSH key material sitting in easy-to-read locations.
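The ambient-authority point made earlier, and the hazard visibility this section promises, can both be checked on any workstation. The following is an added example written for this page, not Automic Vault's or LiteLLM's code: it inventories the plaintext secret material the post lists (SSH private keys, cloud credential files, kubeconfig, database password files, .env files, and secret-looking environment variables) that any process running as the developer can read without escalating privilege, reports each location with its permission bits, and never prints a secret value. The file list, the name patterns, and the constructed home directory scanned by demo_inventory() are assumptions for illustration.

```python
import os
import re
import stat
import tempfile

# Files the post lists as local targets, relative to the home directory.
# .pgpass and .my.cnf are where libpq and MySQL clients keep saved passwords.
# The mapping is an assumption for this example, not an exhaustive list.
TARGET_FILES = {
    os.path.join(".aws", "credentials"): "cloud credential file",
    os.path.join(".kube", "config"): "kubernetes config",
    ".pgpass": "database password file",
    ".my.cnf": "database password file",
}
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
SECRET_NAME_RE = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY", re.I)
DOTENV_ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*\S")


def _mode(path: str) -> str:
    """Permission bits as octal text, e.g. '0o600'; informational only on Windows."""
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def _head(path: str, limit: int = 64 * 1024) -> str:
    """Read the start of a file; enough to find headers and assignments."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read(limit)


def inventory(home: str, environ: dict, max_depth: int = 3) -> list:
    """List plaintext secret material readable by any process running as this user.

    Returns (label, location, mode) tuples. Nothing here escalates privilege:
    every read succeeds purely because the process runs as the developer,
    which is exactly the ambient authority a malicious package inherits.
    """
    findings = []
    for rel, label in TARGET_FILES.items():
        path = os.path.join(home, rel)
        if os.path.isfile(path):
            findings.append((label, path, _mode(path)))
    ssh_dir = os.path.join(home, ".ssh")
    if os.path.isdir(ssh_dir):
        for name in sorted(os.listdir(ssh_dir)):
            path = os.path.join(ssh_dir, name)
            if os.path.isfile(path) and PRIVATE_KEY_RE.search(_head(path)):
                findings.append(("ssh private key", path, _mode(path)))
    # .env files in project trees, bounded walk so a real home dir stays quick.
    for root, dirs, files in os.walk(home):
        if root[len(home):].count(os.sep) >= max_depth:
            dirs[:] = []
        for name in files:
            if name == ".env" or name.startswith(".env."):
                path = os.path.join(root, name)
                for line in _head(path).splitlines():
                    match = DOTENV_ASSIGN_RE.match(line)
                    if match and SECRET_NAME_RE.search(match.group(1)):
                        findings.append(("dotenv secrets", path, _mode(path)))
                        break
    # Environment variables are inherited by every child process, hooks included.
    for key, value in environ.items():
        if value and SECRET_NAME_RE.search(key):
            findings.append(("environment variable", key, None))
    return findings


def _write(home: str, rel: str, body: str) -> None:
    path = os.path.join(home, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)


def demo_inventory() -> list:
    """Run inventory() over a constructed home directory; returns sorted labels.

    Every file and value below is constructed for this example.
    """
    with tempfile.TemporaryDirectory() as home:
        _write(home, ".ssh/id_ed25519",
               "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n")
        _write(home, ".ssh/id_ed25519.pub", "ssh-ed25519 AAAAconstructed dev@laptop\n")
        _write(home, ".aws/credentials",
               "[default]\naws_access_key_id = AKIAEXAMPLE\naws_secret_access_key = constructed\n")
        _write(home, ".kube/config", "apiVersion: v1\nusers:\n- name: dev\n  user:\n    token: constructed\n")
        _write(home, "work/app/.env",
               "DATABASE_URL=postgres://app:constructed@db/app\nOPENAI_API_KEY=sk-constructed\n")
        _write(home, "work/app/README.md", "no secrets here\n")
        environ = {"HOME": home, "PATH": "/usr/bin", "GITHUB_TOKEN": "ghp_constructed"}
        return sorted(label for label, _, _ in inventory(home, environ))


if __name__ == "__main__":
    print("constructed home:", demo_inventory())
    # Real run: locations and modes only, never values.
    for label, where, mode in inventory(os.path.expanduser("~"), dict(os.environ)):
        print(f"{label:22} {where}  mode={mode}")
```

Each line the real run prints is something a .pth hook or a poisoned import would have had in hand the moment it executed; the public key and the README are correctly absent from the constructed result, and the mode column shows whether the file is even restricted to the owner, which does nothing against code already running as that owner.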

02 / secrets

Approved tools receive scoped secrets

A legitimate LiteLLM process can receive the credential it is approved to use. A .pth startup hook or package import does not get a broad dump of every local credential just because Python started.

03 / execution

Persistence and sensitive commands would be visible

Service writes, helper execution, and privileged follow-on behavior belong at an approval boundary. The attempt to install a user-level monitor would have become an explicit local security event instead of a silent second stage.

Automic Vault would have prevented the damaging phase by changing the default: package code gets the project and approved tool context, not the developer account as a readable secret store.

In an Automic Vault setup, the poisoned wheel could still arrive from PyPI. The difference is what happens next. The startup hook would run inside a machine where important credentials have been moved behind a local broker, sensitive tool use requires approval, and suspicious package state is visible as a local hazard.

That means the attacker would have had to defeat the local runtime boundary instead of merely reading files. For this incident, that boundary is the difference between a bad package install and a full credential rotation event.

Automic Vault does not claim to make npm, PyPI, GitHub Actions, or extension marketplaces impossible to compromise. The prevention claim is narrower and more useful: compromised tools should not inherit every credential and sensitive path on a developer machine.

Sources