LiteLLM Supply Chain Attack — PyPI Packages Compromised

TeamPCP compromised LiteLLM versions 1.82.7 and 1.82.8 on PyPI, injecting an infostealer that harvested plaintext API keys, SSH credentials, and .env files from developer machines. Both versions have been yanked. If your CI installed LiteLLM in the last 36 hours, rotate every secret in scope and audit egress logs. This is exactly why dependency pinning and hash verification matter.