
hackernews | 📰 News
#aisecurity #claude #litellm #oslevelsecurity #pypi #securityvulnerability
Original source: hackernews · Summarized and analyzed by Genesis Park

Summary

On March 24, versions 1.82.7 and 1.82.8 of LiteLLM, an AI routing library, were hit by a supply chain attack on PyPI. The attacker included a malicious .pth file that, on installation, automatically stole SSH keys, cloud credentials, API tokens and more, encrypted them, and sent them to an external server. Investigation revealed this to be part of an ongoing and expanding campaign by an attacker known as TeamPCP, originating from CI/CD tokens stolen in February by exploiting a vulnerability in Aqua Security's Trivy.

Body

On March 24, LiteLLM versions 1.82.7 and 1.82.8 on PyPI were confirmed compromised.[1][2] The package has 40,000+ GitHub stars and is the LLM routing layer sitting inside Cline, OpenHands, and dozens of other AI agent frameworks. Anyone who installed either version has had their SSH keys, cloud credentials, API tokens, and environment variables collected and sent to an attacker-controlled server.

The LiteLLM maintainer posted on Hacker News within the hour: "Looks like this originated from the trivy used in our ci/cd."[1]

That is not a coincidence. We documented the seed event for this attack in our March 18 post on the Trivy compromise. What has happened since is not a separate incident. It is the same campaign, still running, and it has been escalating every few days. This post connects the full chain.

What the LiteLLM compromise actually does

The attack is delivered via a .pth file: litellm_init.pth, 34,628 bytes, included in the wheel package and listed in the package's own RECORD manifest.[2] This matters because .pth files in Python's site-packages/ directory are processed automatically by the interpreter's site module on startup, and any line in them that begins with import is executed before the program's own code runs. The HN reporter who discovered it confirmed that even a bare import litellm in 1.82.8 is enough to trigger it.[1] A user in the thread clarified it more precisely: any Python process in an environment where LiteLLM 1.82.8 is installed is exposed, regardless of whether the code ever imports it.[1]

The payload is double base64-encoded. When decoded, it launches a two-stage credential stealer.

Stage 1: Collection. The script sweeps the host for:

- SSH private keys (~/.ssh/id_rsa, id_ed25519, id_ecdsa, id_dsa, authorized_keys, known_hosts, config)
- All environment variables (printenv, which captures every API key and secret token in the process environment)
- AWS credentials (~/.aws/credentials, ~/.aws/config, plus the IMDS token and EC2 security credentials)
- Kubernetes secrets (~/.kube/config, /etc/kubernetes/admin.conf, service account tokens at /var/run/secrets/kubernetes.io/serviceaccount/token)
- GCP credentials (~/.config/gcloud/application_default_credentials.json)
- Azure credentials (~/.azure/)
- Docker configs (~/.docker/config.json, /kaniko/.docker/config.json)
- Git credentials (~/.gitconfig, ~/.git-credentials)
- Package manager credentials (~/.npmrc, ~/.netrc, ~/.vault-token)
- Shell history across bash, zsh, mysql, psql, redis
- Crypto wallets (Bitcoin, Ethereum, Solana, and 8 others)
- SSL/TLS private keys and Let's Encrypt certificates
- CI/CD config files (terraform.tfvars, .gitlab-ci.yml, .travis.yml, Jenkinsfile, .drone.yml)
- Slack and Discord webhook URLs via environment grep

Stage 2: Exfiltration. The collected data is encrypted with AES-256-CBC using a randomly generated session key, which is then encrypted against a hardcoded 4096-bit RSA public key. Both encrypted files are packed into tpcp.tar.gz and POSTed to https://models.litellm.cloud/. Note the domain: litellm.cloud, not the official litellm.ai.[2]

The tpcp.tar.gz filename is not random. It is the signature artifact of a threat actor called TeamPCP, and it has appeared across every stage of this campaign.[3][4]

This did not start with LiteLLM

On February 27, 2026, a GitHub account called hackerbot-claw, describing itself as "an autonomous security research agent powered by claude-opus-4-5", executed a Pwn Request against Aqua Security's Trivy.[5][4] The vulnerability was a pull_request_target trigger in a workflow called apidiff.yaml. The trigger ran with the base repository's secrets and write permissions, but checked out code from the pull request head. Attacker-controlled code ran with Trivy's credentials.

In 44 minutes, hackerbot-claw stole a Personal Access Token called ORG_REPO_TOKEN, a VSCE_TOKEN, and an OVSX_TOKEN, the credentials for publishing VS Code extensions. It renamed the repository, pushed an empty replacement, and deleted all 178 releases. Then it published a weaponized VS Code extension carrying a prompt injection payload designed to hijack AI coding agents on victims' machines. That is what we documented on March 18.

The account behind it, MegaGame10418 per BoostSecurity Labs, has since been attributed to the threat actor now known as TeamPCP (also tracked as PCPcat, Persy_PCP, ShellForce, and DeadCatx3).[5][4]

Aqua Security responded and restored the repository. But the credential rotation, by Aqua's own admission, "wasn't atomic and attackers may have been privy to refreshed tokens."[4] That gap is what every subsequent incident in this chain flows through.

The campaign since our post

The timeline below, compiled by Wiz researcher Rami McCarthy, shows what happened after the initial compromise.[3][4]

March 19: TeamPCP returned to Trivy with the retained credentials. They pushed a malicious v0.69.4 tag pointing to an imposter commit, spoofing a
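A defensive check for the .pth mechanism described in the LiteLLM section above, added here as an example (not code from the original post or from LiteLLM): it lists every executable line in the interpreter's .pth files, flags indicator strings such as a nested b64decode plus exec, and compares any installed litellm against the versions the post names. The sample .pth contents are constructed and '<blob>' is a placeholder, not a payload.

```python
import importlib.metadata
import re
import site
from pathlib import Path

COMPROMISED_LITELLM = {"1.82.7", "1.82.8"}   # versions the post names as compromised
# site.py executes only .pth lines beginning with "import"; other lines are path entries.
EXEC_LINE = re.compile(r"^import\s")
INDICATORS = ("exec(", "eval(", "b64decode", "compile(", "subprocess", "urlopen")


def scan_pth_text(name, text):
    """One finding per executable line of a .pth file, with matched indicators."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if EXEC_LINE.match(line):
            findings.append({"file": name, "line": lineno,
                             "indicators": [k for k in INDICATORS if k in line],
                             # two decodes on one line: the double-encoding pattern
                             "double_b64": line.count("b64decode") >= 2})
    return findings


def scan_site_packages(dirs=None):
    """Scan every .pth in this interpreter's site-packages (or the given dirs)."""
    dirs = dirs or site.getsitepackages() + [site.getusersitepackages()]
    out = []
    for d in map(Path, dirs):
        for pth in sorted(d.glob("*.pth")) if d.is_dir() else []:
            out.extend(scan_pth_text(str(pth), pth.read_text(errors="replace")))
    return out


def litellm_is_compromised(version=None):
    """True/False for the installed (or given) version, None if not installed."""
    if version is None:
        try:
            version = importlib.metadata.version("litellm")
        except importlib.metadata.PackageNotFoundError:
            return None
    return version.strip() in COMPROMISED_LITELLM


# Constructed samples: a normal virtualenv hook, and a line shaped like the one
# the post describes (import + nested base64 + exec); '<blob>' is a placeholder.
NORMAL_PTH = "import _virtualenv\n"
SUSPECT_PTH = ("/home/dev/src/mypkg\n"
               "import base64,sys;exec(base64.b64decode(base64.b64decode('<blob>')))\n")

if __name__ == "__main__":
    for f in scan_site_packages():
        print("SUSPICIOUS" if f["indicators"] else "executable", f)
    print("litellm compromised:", litellm_is_compromised())
```

Executable lines with no indicators are common (virtualenv and setuptools hooks), so triage by indicators and by whether the .pth belongs to a package you expect to ship one.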
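An added check for the pull_request_target pattern described in the Trivy section (example code written for this page, not Trivy's real apidiff.yaml and not from the post): it flags a workflow that combines that trigger with a checkout of the pull request head or with write permissions. The sample workflow is constructed, and the hardened variant, which builds the base commit with read-only permissions, is an assumed fix rather than one the post states.

```python
import re

# Constructed sample in the shape the post describes for Trivy's apidiff.yaml
# (not the real file): pull_request_target runs with base-repo secrets and
# write permission, yet checks out the pull request head.
VULNERABLE_WORKFLOW = """\
name: apidiff
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make apidiff
        env:
          GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
"""

# Assumed hardening (not from the post): check out the base commit instead of
# the PR head, and drop the write permission.
HARDENED_WORKFLOW = (VULNERABLE_WORKFLOW
                     .replace("          ref: ${{ github.event.pull_request.head.sha }}\n", "")
                     .replace("        with:\n", "")
                     .replace("contents: write", "contents: read"))

TRIGGER = re.compile(r"\bpull_request_target\b")
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
WRITE_PERM = re.compile(r"^\s*\w+:\s*write\s*$", re.M)


def audit_workflow(text):
    """Return findings for the Pwn Request pattern; an empty list means no match."""
    findings = []
    if not TRIGGER.search(text):
        return findings          # plain pull_request jobs do not get base-repo secrets
    if HEAD_REF.search(text):
        findings.append("pull_request_target checks out the PR head: "
                        "untrusted code runs with base-repository secrets")
    if WRITE_PERM.search(text):
        findings.append("pull_request_target job also holds write permissions")
    return findings
```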

This analysis was written by the Genesis Park editorial team with the help of AI. The original can be viewed via the source link.
