| Date | Event |
|---|---|
| March 1, 2026 | Aqua Security (Trivy maintainer) suffers initial breach. Incomplete credential rotation enables attacker access. |
| March 19, 2026 | TeamPCP compromises Trivy vulnerability scanner via supply chain attack. |
| March 23, 2026 | TeamPCP compromises Checkmarx KICS GitHub Action. |
| March 23, 2026 | Attacker registers malicious domain litellm.cloud via Spaceship, Inc. (note: official domain is litellm.ai). |

| Date/Time (UTC) | Event |
|---|---|
| March 24, ~08:30 | Malicious version 1.82.7 published to PyPI using compromised account krrishdholakia. Contains payload in litellm/proxy/proxy_server.py (12 lines injected at line 128). |
| March 24, ~08:30 | Malicious version 1.82.8 published to PyPI. Contains both the proxy_server.py payload AND a new litellm_init.pth file (34,628 bytes) that executes on every Python startup. |
| March 24, ~10:52 | Version 1.82.8 fully propagated on PyPI. |

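
The `litellm_init.pth` entry works because Python's `site` module executes any `.pth` line that begins with `import`. The audit script below is an added example, not code from the LiteLLM project or the incident reports; it checks a site-packages directory for the two malicious versions and the `.pth` file named in the timeline, and its function names are illustrative.

```python
"""Added example: audit a site-packages directory for artifacts named in the timeline."""
import re
import sys
import sysconfig
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}   # malicious releases per the timeline
BAD_PTH_NAME = "litellm_init.pth"     # startup hook shipped in 1.82.8

def executable_pth_lines(pth_path):
    """Return (lineno, text) for lines Python's site module would exec() at startup.

    site.py executes any .pth line starting with 'import' plus a space or tab;
    every other non-comment line is treated only as a path entry.
    """
    hits = []
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith(("import ", "import\t")):
            hits.append((lineno, line[:120]))  # truncate long one-line payloads
    return hits

def installed_litellm_versions(site_dir):
    """Read versions from litellm-*.dist-info/METADATA without importing litellm."""
    versions = []
    for meta in Path(site_dir).glob("litellm-*.dist-info/METADATA"):
        body = meta.read_text(encoding="utf-8", errors="replace")
        match = re.search(r"^Version:\s*(\S+)", body, re.M)
        if match:
            versions.append(match.group(1))
    return versions

def audit(site_dir):
    """Return a list of (kind, detail) findings for one site-packages directory."""
    findings = []
    for version in installed_litellm_versions(site_dir):
        if version in BAD_VERSIONS:
            findings.append(("bad-version", f"litellm=={version}"))
    for pth in sorted(Path(site_dir).glob("*.pth")):
        if pth.name == BAD_PTH_NAME:
            findings.append(("known-bad-pth", pth.name))
        for lineno, line in executable_pth_lines(pth):
            findings.append(("exec-pth-line", f"{pth.name}:{lineno}: {line}"))
    return findings

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else sysconfig.get_paths()["purelib"]
    for kind, detail in audit(target):
        print(f"{kind}\t{detail}")
```

Legitimate packages (setuptools, editable installs) also ship `.pth` files with `import` lines, so treat `exec-pth-line` findings as items to review rather than proof of compromise. Run the script with `python -S` or from a separate interpreter and pass the target directory, since starting Python normally inside an affected environment would itself process the `.pth` file.
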
| Date/Time (UTC) | Event |
|---|---|
| March 24, ~12:00 | FutureSearch detects anomaly: MCP plugin in Cursor pulls litellm as transitive dependency, machine runs out of RAM. |
| March 24, 13:48 | Security issue disclosed publicly on GitHub (Issue #24512). |
| March 24, ~14:00 | Additional issues filed: #24518 (full timeline), #24521 (SECURITY label). |
| March 24, ~15:00 | PyPI yanks versions 1.82.7 and 1.82.8. |
| March 24, ~16:00 | PyPI quarantines entire litellm package (all versions). |
| March 24 | Endor Labs publishes full analysis attributing attack to TeamPCP. |
| March 24 | LiteLLM team engages Google Mandiant. Maintainer credentials rotated (new accounts: @krrish-berri-2, @ishaan-berri). |
| March 24 | PYSEC-2026-2 advisory published. |
| March 24 | Downstream projects pin versions (e.g., mlflow/mlflow#21971 pins litellm<=1.82.6). |

A commit pushed to one of the LiteLLM maintainer's forked repositories reads:
"teampcp owns BerriAI"