LiteLLM, an open-source Python package widely used by artificial intelligence systems, has been compromised by hackers in a supply chain attack that researchers say could impact tens of thousands of corporate environments.

Compromised versions of the package (identified as 1.82.7 and 1.82.8) were published on the Python Package Index on Tuesday and unwittingly downloaded into development and cloud environments, according to security researchers.

Experts at Sonatype said the compromised packages were available for at least two hours on March 24, adding that “given the package’s three million daily downloads” the hackers could have reached a “significant” number of victims during that time.

The incident highlights growing concerns over the security of the open-source software supply chain, where widely-used tools maintained by small teams can provide a gateway into thousands of organizations if compromised.

Last year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and software company Red Hat issued an urgent alert about a backdoor embedded in the XZ Utils tool. Similar attacks, including the Shai Hulud worm, have seen attackers target software dependencies trusted by developers in order to scale their intrusions far beyond a single victim, embedding malicious code deep inside corporate systems.

In the LiteLLM incident, the hackers introduced malicious code to the legitimate software package. How they managed to do so is unclear, although researchers say compromising a maintainer’s account is the most likely explanation, as the malicious versions were uploaded using valid publishing access.

The manipulated packages contained malicious code designed to extract sensitive data — including cloud credentials, API keys and cryptocurrency wallets — and maintain access by installing a persistent downloader allowing the attackers to gain deeper access and carry out follow-on intrusions.
Adam Reynolds, senior security researcher at Sonatype, said his team identified some unusual behaviours from the malware, including that it only reaches out to its command endpoint every 50 minutes. That long delay could help evade sandbox environments that typically execute samples for shorter periods, or it could function as a heartbeat mechanism allowing the operators to distinguish real targets from researchers attempting to probe their infrastructure.

“In some cases the response from the server only contained a link to a song hosted on YouTube, which reinforces the idea that payload delivery is being selectively controlled,” said Reynolds.

It is not known how many organizations have been impacted by the incident, but Wiz Research estimated the package was present in roughly 36% of all cloud environments. Users have been warned to treat any credentials exposed in affected environments as potentially compromised.

Wiz researchers say the incident is part of a broader campaign claimed by a group calling itself TeamPCP, which uses a public Telegram channel to propagandize and solicit business from other cybercriminals.

“This isn’t just credential theft,” said Ben Read, director of strategic threat intelligence at Wiz. “By moving across widely used tools, they are creating a ‘snowball effect’ that enables further compromise.”

TeamPCP has previously claimed responsibility for an attack affecting Aqua Security’s Trivy vulnerability scanner — an incident confirmed by the company — and claims to be working with several other cybercriminal organizations, although this has not yet been confirmed. The group said it intends to continue targeting widely-used open-source projects, although its claims could not be verified and such groups often overstate their successes.
A Telegram account claiming to be the group’s new leader said on Wednesday it was “actively sorting through the credential sets, this is an astronomical amount even for the man power and operational capacity between the teams, it will all be worth it though.”

While there have been no publicly-confirmed reports of widespread exploitation tied to the LiteLLM incident, security experts warned that the downstream risks could be significant if stolen credentials are reused in subsequent attacks.

“For most individuals, the immediate risk is low unless they directly installed the affected versions,” said Reynolds. “This is first and foremost a supply chain compromise targeting developers, organizations, and technical environments using litellm. However, the downstream impact is where things get more serious.

“If organizations were compromised, the individuals whose data they hold could absolutely be affected. Because the malware targets such a broad range of credentials and litellm is widely used, this creates the potential for second- and third-order effects that may ripple outward over time, leading to further breaches, service disruptions, or misuse of sensitive data well beyond the initial point of compromise,” said Reynolds.

“This isn’t an isolated incident; it’s a systemic campaign,” Read said. “It will likely continue.”

Additional reporting by Jonathan Greig.
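
For teams working out whether an environment counts as "affected", the following is an added example (not code from Sonatype, Wiz or the LiteLLM project) that checks dependency pins and the running interpreter for the two versions named above. The sample inputs are constructed, and the regular expressions assume ordinary `requirements.txt` pins and `poetry.lock`/`uv.lock`-style `[[package]]` tables.

```python
import re
from importlib import metadata

PACKAGE = "litellm"
COMPROMISED = {"1.82.7", "1.82.8"}  # the two versions named in the article

# requirements.txt-style exact pin: name, optional [extras], == or ===, version
REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*===?\s*([^\s;#\\]+)")
# poetry.lock / uv.lock-style fields inside a [[package]] table
LOCK_NAME = re.compile(r'^\s*name\s*=\s*"([^"]+)"')
LOCK_VER = re.compile(r'^\s*version\s*=\s*"([^"]+)"')

def normalize(name):
    """PEP 503 normalization, so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_text(text):
    """Return [(line_number, version)] for every pin of a compromised release."""
    hits, in_pkg = [], False
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ.match(line)
        if m:
            if normalize(m.group(1)) == PACKAGE and m.group(2) in COMPROMISED:
                hits.append((n, m.group(2)))
            continue
        m = LOCK_NAME.match(line)
        if m:  # a new package table starts; remember whether it is litellm
            in_pkg = normalize(m.group(1)) == PACKAGE
            continue
        m = LOCK_VER.match(line)
        if m and in_pkg and m.group(1) in COMPROMISED:
            hits.append((n, m.group(1)))
    return hits

def installed_affected():
    """Version of litellm in the current interpreter if it is a compromised one."""
    try:
        v = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return v if v in COMPROMISED else None

# Constructed sample inputs (not taken from any real project).
SAMPLE_REQUIREMENTS = 'requests==2.32.3\nLiteLLM[proxy]==1.82.8 ; python_version >= "3.9"\nlitellm==1.82.6\n'
SAMPLE_LOCK = '[[package]]\nname = "litellm"\nversion = "1.82.7"\n\n[[package]]\nname = "openai"\nversion = "1.82.7"\n'

if __name__ == "__main__":
    print("requirements hits:", scan_text(SAMPLE_REQUIREMENTS))
    print("lock file hits:", scan_text(SAMPLE_LOCK))
    print("installed:", installed_affected() or "not an affected version")
```

A clean result covers only the files and interpreter that were scanned; build caches and container images produced while the packages were live need the same check.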
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79