Someone Found a Live Malware Campaign on PyPI by Accident
A developer debugging a frozen laptop stumbled onto litellm 1.82.8, a weaponized package designed to steal SSH keys, AWS credentials, and just about everything else on your machine.
Tob
Backend Developer
A developer sat down to debug a frozen laptop and accidentally caught a live supply chain attack on PyPI. This is not a drill.
On March 24, 2026, Callum McMahon noticed his machine was crawling with 11,000 python processes, all running something that looked like exec(base64.b64decode('...')). He fired up Claude Code, pasted in the journalctl output, and asked what was going on. Claude helped him trace it back to a freshly installed package: litellm==1.82.8.
TL;DR: A malicious version of litellm was published to PyPI and sat there long enough to infect anyone who installed it. The malware shipped a credential stealer in a .pth file, which Python's site module executes at every interpreter start-up once the package is installed, no import of litellm required. PyPI quarantined the package within hours, but the window for damage was real.
The Attack in Plain English
The compromised package (litellm==1.82.8) included a file called litellm_init.pth in the wheel distribution, installed at the top level of site-packages, which is the only place a .pth file is honoured. Python's site module reads every .pth file in site-packages at interpreter start-up and executes any line that begins with import, so the payload ran the next time any Python process started on the machine, whether or not that process ever imported litellm. Inside was a base64-encoded payload that immediately started scraping credentials from your machine.
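The mechanism in that paragraph is easy to see for yourself. The script below is an added example for this write-up, not code from the litellm package or from the original post: it drops a harmless .pth file into a temporary directory, lets Python's site module process it exactly as it processes site-packages at start-up, and then runs a small scanner that flags .pth import lines containing exec(), base64 and similar loader tokens. The file contents in the scanner demo are constructed stand-ins (they are scanned, never executed), and LOADER_PATTERN, scan_pth_dir and the other names are mine.

```python
"""How a .pth file runs code at interpreter start-up, and how to find such files.

Added illustration for this write-up, not code from litellm or the original post.
The malicious .pth content below is a constructed stand-in; it is scanned, never run.
"""
import os
import re
import site
import sys
import tempfile
from pathlib import Path

# site.addsitedir() is what the interpreter calls for every site directory at
# start-up. For each *.pth file it finds, lines starting with "import " are
# passed to exec(); every other non-comment line is appended to sys.path.
# A package therefore only needs to drop a .pth into site-packages to run code
# in every Python process on the machine.
LOADER_PATTERN = re.compile(
    r"exec\s*\(|eval\s*\(|compile\s*\(|__import__|base64|marshal|zlib|codecs"
)


def demo_pth_runs_on_addsitedir() -> str:
    """Write a benign .pth into a temp dir and let the site module process it."""
    with tempfile.TemporaryDirectory() as tmp:
        # One line with an "import" prefix; everything after the semicolon is
        # ordinary Python executed inside this interpreter.
        Path(tmp, "demo_init.pth").write_text(
            "import os; os.environ['PTH_DEMO'] = 'executed'\n"
        )
        site.addsitedir(tmp)
        sys.path[:] = [p for p in sys.path if p != tmp]  # undo the sys.path side effect
    return os.environ.get("PTH_DEMO", "")


def scan_pth_dir(directory) -> list:
    """Return (path, line) for import lines in .pth files that look like a loader.

    Legitimate .pth files either list a path or import a small shim module;
    a base64 blob fed to exec() has no business there.
    """
    findings = []
    directory = Path(directory)
    if not directory.is_dir():
        return findings
    for pth in sorted(directory.glob("*.pth")):
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")) and LOADER_PATTERN.search(line):
                findings.append((str(pth), line[:120]))
    return findings


def scan_site_dirs() -> list:
    """Scan the running interpreter's site directories (what you would run on a laptop)."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    dirs.append(site.getusersitepackages())
    return [hit for d in dirs for hit in scan_pth_dir(d)]


def scan_constructed_sample() -> list:
    """Exercise the scanner on a constructed site dir with one bad and one benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed: shaped like the line the frozen laptop was full of.
        Path(tmp, "litellm_init.pth").write_text(
            "import sys, base64; exec(base64.b64decode('...'))\n"
        )
        # Constructed but typical of a legitimate .pth: a path entry and a shim import.
        Path(tmp, "editable_project.pth").write_text(
            "/home/dev/src/myproject\nimport _virtualenv\n"
        )
        return scan_pth_dir(tmp)


if __name__ == "__main__":
    print("benign demo .pth set PTH_DEMO =", demo_pth_runs_on_addsitedir())
    for path, line in scan_constructed_sample() + scan_site_dirs():
        print(f"SUSPICIOUS {path}: {line}")
```

The scanner is deliberately narrow: it only looks at lines the site module would exec, so ordinary path-only .pth files and the one-line shim imports that virtualenv and editable installs write are not reported.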
Here is what it was after, according to the detailed GitHub issue:
- SSH keys and git credentials (~/.ssh/, ~/.gitconfig, ~/.git-credentials)
- Cloud provider secrets (~/.aws/, ~/.kube/, ~/.azure/, ~/.docker/)
- Config files and environment configs (~/.config/, ~/.npmrc, ~/.vault-token)
- Shell histories (~/.bash_history, ~/.zsh_history, ~/.sh_history)
- Database passwords (~/.pgpass, ~/.mysql_history, ~/.psql_history)
- Even cryptocurrency wallets
That is not a targeted hack. That is a scatter-shot approach to grab everything that looks like a secret. Once the package is installed, the stealer runs the next time any Python process starts, before you ever run code of your own that touches litellm.
Version 1.82.7 carried a similar payload, but it was buried in the proxy server code, so it only fired if you actually imported that module. Version 1.82.8 moved the payload into litellm_init.pth, which runs at every interpreter start-up. That is a meaningful escalation in severity.
How Did the Attacker Get Onto PyPI in the First Place?
The likely entry point is a recent compromise of Trivy, an open-source security scanner. The Trivy project was compromised and credentials used in its CI pipeline were stolen; those credentials were then used to publish the malicious litellm releases directly to PyPI.
This is the kind of circular irony that makes supply chain security so brutal. A security scanning tool was used as the entry point to poison a developer tool used by AI engineering teams. The teams most likely to be hit are exactly the teams who thought they were being careful.
The Detection Story Is Also Worth Noting
What makes this story unusual is how it was caught. Callum McMahon was not a security researcher. He was a developer with a frozen laptop. He used Claude Code to help him debug, and together they figured out what was happening.
This is a genuine example of AI accelerating both sides of the security equation. Attackers use AI to write malware faster. But defenders — or just curious developers — can now analyze and report attacks faster too. The transcript of the entire Claude Code session is published on Futuresearch, so you can read exactly how the conversation unfolded.
Cursor Brings Self-Hosted Cloud Agents to Enterprise
Shifting gears, Cursor shipped something this week that matters for teams with strict security requirements: self-hosted cloud agents.
Cloud agents are great for speed. You kick off a task, Cursor spins up an isolated VM, clones your repo, writes code, and pushes it back. But for regulated industries, having your code leave your environment is a non-starter. Finance, healthcare, defense — they cannot send proprietary code to a third-party cloud, even if the provider is trustworthy.
Cursor's new self-hosted option addresses this. You run a worker process inside your own network, and that worker connects outbound to Cursor's control plane over HTTPS: no inbound ports, no firewall changes, no VPN tunnels. The repository checkout, the execution environment and your secrets stay inside your infrastructure, while the agent still uses Cursor's models and orchestration. One point for the data-flow review: because the agent uses Cursor's hosted models, whatever context it sends with each model call still crosses that outbound link, so what the worker is allowed to send is the part to scrutinize.
The setup is clean. Brex, Money Forward, and Notion are already using it. Money Forward is running a workflow where nearly 1,000 engineers can create pull requests directly from Slack using these self-hosted agents.
For AI engineering teams that have been waiting for enterprise-ready coding agents, this is a real step forward. The security model stays yours, the agent stays smart.
What This Week Reminds Us
Supply chain attacks are not theoretical. They hit trusted tools, they move fast, and they target the credentials that give attackers the most leverage. The litellm incident lasted only a few hours on PyPI, but anyone who installed the package during that window is still in a bad spot.
Practical takeaways:
- Pin your package versions (pip's --require-hashes mode refuses anything whose hash is not already in your lockfile, so a fresh release cannot slip in) and audit your dependency tree regularly
- If you installed litellm recently, assume credentials on that machine may be compromised and rotate them
- Watch PyPI quarantine announcements — they exist precisely for situations like this
- For teams handling sensitive code, self-hosted agent options are worth evaluating seriously
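If you need to check a machine for the second takeaway, the following script is an added example for this write-up, not code from the post, litellm or PyPI. It walks the installed distributions, flags the two litellm versions named above, and reports any distribution whose RECORD shows it installed a .pth file, which tells you which package to uninstall and report. KNOWN_BAD and the function names are mine, and the dist-info fixture it builds is constructed so the script can be exercised without the real package.

```python
"""Audit installed distributions for the litellm versions named above and for any
distribution that installed a .pth file.

Added example for this write-up, not code from the post, litellm or PyPI. The
known-bad versions are the two named in the text; the dist-info fixture is
constructed so the audit can be exercised offline.
"""
import tempfile
from importlib import metadata
from pathlib import Path

# Versions named in the incident write-up above.
KNOWN_BAD = {"litellm": {"1.82.7", "1.82.8"}}


def audit_distributions(search_path=None) -> list:
    """Return sorted (name, version, reason) tuples worth a responder's attention.

    With search_path=None this walks the running interpreter's sys.path, which
    is what you would do on the affected machine; a list of directories lets
    the same function audit a copied site-packages or a fixture.
    """
    findings = set()
    kwargs = {} if search_path is None else {"path": list(search_path)}
    for dist in metadata.distributions(**kwargs):
        name = (dist.metadata["Name"] or "").lower()
        version = dist.version or ""
        if version in KNOWN_BAD.get(name, set()):
            findings.add((name, version, "version named in the litellm incident"))
        # RECORD lists every file the wheel installed, including top-level .pth
        # files, so the distribution that planted one can be identified here.
        for installed in dist.files or []:
            if installed.name.endswith(".pth"):
                findings.add((name, version, f"installed {installed.as_posix()}"))
    return sorted(findings)


def build_fixture(root) -> None:
    """Constructed dist-info directories shaped like what pip writes for a wheel."""
    bad = Path(root, "litellm-1.82.8.dist-info")
    bad.mkdir()
    (bad / "METADATA").write_text(
        "Metadata-Version: 2.1\nName: litellm\nVersion: 1.82.8\n"
    )
    # RECORD rows are path,hash,size; hash and size are left blank in this fixture.
    (bad / "RECORD").write_text(
        "litellm/__init__.py,,\n"
        "litellm_init.pth,,\n"
        "litellm-1.82.8.dist-info/METADATA,,\n"
    )
    benign = Path(root, "harmlesspkg-1.0.dist-info")
    benign.mkdir()
    (benign / "METADATA").write_text(
        "Metadata-Version: 2.1\nName: harmlesspkg\nVersion: 1.0\n"
    )
    (benign / "RECORD").write_text("harmlesspkg/__init__.py,,\n")


def audit_constructed_fixture() -> list:
    """Run the audit against the constructed fixture instead of the live machine."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return audit_distributions([tmp])


if __name__ == "__main__":
    for name, version, reason in audit_constructed_fixture() + audit_distributions():
        print(f"{name}=={version}: {reason}")
```

Run it with the same interpreter (or virtualenv) that ran the install; a .pth hit for any package is worth reading even when the version is not on the list, because the .pth trick is not specific to litellm.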
The ecosystem is moving fast. That is not a reason to panic. It is a reason to build better habits around dependency management.
Sources: Simon Willison, Futuresearch AI, Cursor Blog