Hackers sneak crypto wallet-stealing code into a popular AI tool that runs every time
A poisoned release of LiteLLM turned a routine Python install into a crypto-aware secret stealer that searched for wallets, Solana validator material, and cloud credentials every time Python started.
On Mar. 24, between 10:39 UTC and 16:00 UTC, an attacker who had gained access to a maintainer account published two malicious versions of LiteLLM to PyPI: 1.82.7 and 1.82.8.
LiteLLM markets itself as a unified interface to more than 100 large language model providers, a position that places it inside credential-rich developer environments by design. PyPI Stats records 96,083,740 downloads in the last month alone.
The two builds carried different levels of risk. Version 1.82.7 required a direct import of litellm.proxy to activate its payload, while version 1.82.8 planted a .pth file (litellm_init.pth) in the Python installation.
Python’s own documentation confirms that executable lines in .pth files run at every Python startup, so 1.82.8 executed without any import at all. Any machine that had it installed ran compromised code the moment Python next launched.
FutureSearch estimates 46,996 downloads in 46 minutes, with 1.82.8 accounting for 32,464 of them.
Additionally, it counted 2,337 PyPI packages that depended on LiteLLM, with 88% allowing the compromised version range at the time of the attack.
LiteLLM’s own incident page warned that anyone whose dependency tree pulled in LiteLLM through an unpinned transitive constraint during the window should treat their environment as potentially exposed.
The DSPy team confirmed it had a LiteLLM constraint of greater than or equal to 1.64.0 and warned that fresh installs during the window could have resolved to the poisoned builds.
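To make the "allowed the compromised version range" point concrete, here is an added example (not code from the article, DSPy or LiteLLM) that checks whether a requirement specifier such as the DSPy floor quoted above would let a fresh resolve pick 1.82.7 or 1.82.8. It implements a simplified subset of PEP 440 version matching, which is assumed to be sufficient for plain dotted release versions; pre-release tags and the real resolver's behaviour are out of scope, and every constraint in `SAMPLE_CONSTRAINTS` other than the `>=1.64.0` floor is constructed.

```python
"""Decide whether a dependency specifier admits the compromised LiteLLM versions.

Added example (not code from the article, DSPy, or LiteLLM).  Implements a
simplified subset of PEP 440 version matching: release segments only, the
operators ==, !=, <, <=, >, >=, ~= and the "==X.Y.*" wildcard.  Pre-release and
local-version tags are out of scope, so treat this as an illustration of the
pinning argument, not a replacement for pip or the `packaging` library.
"""
import re
from typing import Dict, Tuple

COMPROMISED = ("1.82.7", "1.82.8")  # builds named in the article

_CLAUSE_RE = re.compile(r"^(~=|==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)(\.\*)?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.82.7' -> (1, 82, 7). Release segments only."""
    return tuple(int(p) for p in text.strip().split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Zero-pad to equal length so 1.82 compares equal to 1.82.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def _cmp(a, b) -> int:
    a, b = _pad(a, b)
    return (a > b) - (a < b)


def _prefix_match(v, prefix) -> bool:
    """True if the leading len(prefix) components of v equal prefix (for ==X.Y.* and ~=)."""
    return _pad(v, prefix)[0][: len(prefix)] == prefix


def matches(version: str, specifier: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `specifier`."""
    v = parse_version(version)
    if not specifier.strip():
        return True  # an unconstrained requirement admits any version
    for clause in specifier.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, target, wildcard = m.group(1), parse_version(m.group(2)), bool(m.group(3))
        if wildcard:
            if op not in ("==", "!="):
                raise ValueError(f"wildcard only valid with == or !=: {clause!r}")
            ok = _prefix_match(v, target) if op == "==" else not _prefix_match(v, target)
        elif op == "~=":
            if len(target) < 2:
                raise ValueError(f"~= needs at least two components: {clause!r}")
            # ~=1.82.6 means >=1.82.6, ==1.82.*
            ok = _cmp(v, target) >= 0 and _prefix_match(v, target[:-1])
        else:
            c = _cmp(v, target)
            ok = {"==": c == 0, "!=": c != 0, "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]
        if not ok:
            return False
    return True


def admits_compromised(specifier: str) -> bool:
    """Would a fresh resolve under this specifier be allowed to pick 1.82.7 or 1.82.8?"""
    return any(matches(v, specifier) for v in COMPROMISED)


# Constructed dependent-package constraints on litellm.
SAMPLE_CONSTRAINTS: Dict[str, str] = {
    "dspy-style floor": ">=1.64.0",            # mirrors the constraint quoted in the article
    "unconstrained": "",
    "compatible release": "~=1.82.6",           # >=1.82.6, ==1.82.* still admits 1.82.8
    "floor with ceiling": ">=1.64.0,<1.82.7",
    "exact pin": "==1.82.6",
    "wildcard exclusion": ">=1.64.0,!=1.82.*",
}


def exposure(constraints: Dict[str, str]) -> Dict[str, bool]:
    """Map each dependent's specifier to whether it admitted a compromised build."""
    return {name: admits_compromised(spec) for name, spec in constraints.items()}


if __name__ == "__main__":
    for name, exposed in exposure(SAMPLE_CONSTRAINTS).items():
        print(f"{'EXPOSED' if exposed else 'safe   '}  {name:20} {SAMPLE_CONSTRAINTS[name]!r}")
```

The point the table of results makes is that a floor alone, a compatible-release clause, and an empty specifier all admit the poisoned builds, while an exact pin, an upper bound, or a wildcard exclusion do not. In practice, a lock file (hashes included) rather than loose specifiers in metadata is what actually fixes the resolve.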
Built to hunt crypto
SafeDep’s reverse engineering of the payload makes the crypto targeting explicit.
The malware searched for Bitcoin wallet configuration files and wallet*.dat files, Ethereum keystore directories, and Solana configuration files under ~/.config/solana.
SafeDep says the collector gave Solana special treatment, showing targeted searches for validator key pairs, vote account keys, and Anchor deploy directories.
Solana’s developer documentation sets the default CLI keypair path at ~/.config/solana/id.json. Anza’s validator documentation describes three authority files central to validator operation, and states that theft of the authorized withdrawer gives an attacker complete control over validator operations and rewards.
Anza also warns that the withdrawal key should never sit on the validator machine itself.
SafeDep says the payload harvested SSH keys, environment variables, cloud credentials, and Kubernetes secrets across namespaces. When it found valid AWS credentials, it queried AWS Secrets Manager and the SSM Parameter Store for additional information.
It also created privileged node-setup-* pods in kube-system and installed persistence through sysmon.py and a systemd unit.
For crypto teams, the compounded risk runs in a specific direction. An infostealer that collects a wallet file alongside the passphrase, deploy secret, CI token, or cluster credential from the same host can convert a credential incident into a wallet drain, a malicious contract deployment, or a signer compromise.
The malware assembled exactly that combination of artifacts.
This attack is part of a wider campaign, as LiteLLM’s incident note links the compromise to the earlier Trivy incident, and Datadog and Snyk both describe LiteLLM as a later stage in a multi-day TeamPCP chain that moved through several developer ecosystems before reaching PyPI.
The targeting logic runs consistently across the campaign: secret-rich infrastructure tooling provides faster access to wallet-adjacent material.
Potential outcomes for this episode
The bull case rests on the speed of detection and the absence, so far, of publicly confirmed crypto theft.
PyPI quarantined both versions by approximately 11:25 UTC on Mar. 24. LiteLLM removed the malicious builds, rotated maintainer credentials, and engaged Mandiant. PyPI currently shows 1.82.6 as the latest visible release.
If defenders rotated secrets, audited for litellm_init.pth, and treated exposed hosts as burned before adversaries could convert exfiltrated artifacts into active exploitation, then the damage stays contained to credential exposure.
The incident also accelerates the adoption of practices already gaining ground. PyPI’s Trusted Publishing replaces long-lived manual API tokens with short-lived OIDC-backed identity; approximately 45,000 projects had adopted it by November 2025.
LiteLLM’s incident involved the abuse of release credentials, making it much harder to dismiss the case for switching.
For crypto teams, the incident creates urgency for tighter role separation: cold validator withdrawers kept fully offline, isolated deployment signers, short-lived cloud credentials, and locked dependency graphs.
The DSPy team’s rapid pinning and LiteLLM’s own post-incident guidance both point toward hermetic builds as the remediation standard.
A timeline plots the LiteLLM compromise window from 10:39 UTC to 16:00 UTC on March 24, annotating 46,996 direct downloads in 46 minutes and a downstream blast radius of 2,337 dependent PyPI packages, 88% of which allowed the compromised version range.
The bear case turns on lag. SafeDep documented a payload that exfiltrated secrets, spread inside Kubernetes clusters, and installed persistence before detection.
An operator who installed a poisoned dependency inside a build runner or cluster-connected environment on Mar. 24 may not discover the full scope of that exposure for weeks. Exfiltrated API keys, deploy credentials, and wallet files do not expire on detection. Adversaries can hold them and act later.
Sonatype puts malicious availability at “at least two hours”; LiteLLM’s own guidance covers installs through 16:00 UTC; and FutureSearch’s quarantine timestamp is 11:25 UTC.
Teams cannot rely solely on timestamp filtering to determine their exposure, as those figures do not yield a clear all-clear.
The most dangerous scenario in this category centers on shared operator environments. A crypto exchange, validator operator, bridge team, or RPC provider that installed a poisoned transitive dependency inside a build runner would have exposed an entire control plane.
Kubernetes secret dumps across namespaces and privileged pod creation in the kube-system namespace are control-plane access tools designed for lateral movement.
If that lateral movement reached an environment where hot or semi-hot validator material was present on reachable machines, the consequences could range from individual credential theft to compromise of validator authority.
A five-stage flowchart traces the attack path from a poisoned LiteLLM transitive install through automatic Python startup execution, secret harvesting, and Kubernetes control-plane expansion to potential crypto outcomes.
PyPI’s quarantine and LiteLLM’s incident response closed the active distribution window.
Teams that installed or upgraded LiteLLM on Mar. 24, or that ran builds with unpinned transitive dependencies resolving to 1.82.7 or 1.82.8, should treat their environments as fully compromised.
Remediation steps include rotating all secrets accessible from exposed machines, auditing for litellm_init.pth, revoking and reissuing cloud credentials, and verifying that no validator authority material was accessible from those hosts.
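The audit step above, and the .pth startup mechanism described earlier in the article, both come down to one question: which lines in which .pth files would the interpreter execute? The following is an added example (not code from the article, CryptoSlate or the LiteLLM project) that applies the same classification rules Python's `site` module uses, without executing anything, and flags the file name reported in the incident. The `SAMPLE_*` contents and the `/site-packages/...` paths are constructed for the demonstration; `litellm_init.pth` is the only name taken from the reporting.

```python
"""Audit .pth files in site-packages for executable lines.

Added example (not code from the article, CryptoSlate, or the LiteLLM project).
Python's site module processes every *.pth file in each site-packages directory
when the interpreter starts: a line is treated as a path entry unless it begins
with "import " or "import\\t", in which case it is executed.  Parsing a file with
the same rules, without executing anything, lets a defender list exactly which
lines would run.
"""
from __future__ import annotations

import os
import site
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# File name reported in the LiteLLM incident; anything else here would be a placeholder.
SUSPECT_NAMES = {"litellm_init.pth"}


@dataclass
class PthReport:
    path: str
    suspect_name: bool = False
    exec_lines: List[Tuple[int, str]] = field(default_factory=list)  # lines site would exec()
    path_lines: List[Tuple[int, str]] = field(default_factory=list)  # lines added to sys.path

    @property
    def flagged(self) -> bool:
        """Anything that executes code, or carries the reported name, needs review."""
        return self.suspect_name or bool(self.exec_lines)


def parse_pth(name: str, text: str) -> PthReport:
    """Classify each line the way site.addpackage() does, without executing it."""
    report = PthReport(path=name, suspect_name=os.path.basename(name) in SUSPECT_NAMES)
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#") or not line.strip():
            continue  # comments and blank lines are skipped by site
        if line.startswith(("import ", "import\t")):
            report.exec_lines.append((lineno, line.rstrip()))
        else:
            report.path_lines.append((lineno, line.rstrip()))  # e.g. "important_dir" is a path, not code
    return report


def scan_site_dirs(dirs: Optional[List[str]] = None) -> List[PthReport]:
    """Parse every .pth file in the given directories (default: this interpreter's site dirs)."""
    if dirs is None:
        dirs = list(site.getsitepackages())
        user_site = site.getusersitepackages()
        if user_site:
            dirs.append(user_site)
    reports: List[PthReport] = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fn in sorted(os.listdir(d)):
            if fn.endswith(".pth"):
                full = os.path.join(d, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    reports.append(parse_pth(full, fh.read()))
    return reports


# Constructed sample contents: a normal path-only .pth, a legitimate executable one
# in the style setuptools ships (distutils-precedence.pth), and one carrying the
# reported file name.  None of this is the real payload.
SAMPLE_PATH_ONLY = "# added by a normal package\n../some_package\nimportant_vendor_dir\n"
SAMPLE_SETUPTOOLS_STYLE = (
    "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; enabled = os.environ.get(var, 'local') == 'local'\n"
)
SAMPLE_SUSPECT = "import sys; sys.__constructed_marker__ = True\n"


def demo() -> List[PthReport]:
    """Run the parser over the constructed samples and return the reports."""
    return [
        parse_pth("/site-packages/vendor.pth", SAMPLE_PATH_ONLY),
        parse_pth("/site-packages/distutils-precedence.pth", SAMPLE_SETUPTOOLS_STYLE),
        parse_pth("/site-packages/litellm_init.pth", SAMPLE_SUSPECT),
    ]


if __name__ == "__main__":
    for r in demo() + scan_site_dirs():
        status = "REVIEW" if r.flagged else "ok"
        print(f"{status:6} {r.path}  exec={len(r.exec_lines)} paths={len(r.path_lines)}")
        for lineno, line in r.exec_lines:
            print(f"        line {lineno}: {line}")
```

Run it with `python -S audit_pth.py` so the interpreter you audit with does not itself process the .pth files first, and repeat for every interpreter and virtual environment on the host, not just the default one. Executable .pth lines are not malicious on their own (setuptools and virtualenv ship them), which is why the report lists them for review rather than deleting anything; the point is that every such line is code that runs at startup and must be accounted for.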
The LiteLLM incident documents the path of an attacker who knew exactly which off-chain files to look for, had a delivery mechanism with tens of millions of monthly downloads, and built persistence before anyone pulled the builds from distribution.
The off-chain machinery that moves and safeguards crypto sat directly in the payload’s search path.
Author
Gino Matos
Reporter • CryptoSlate
Gino Matos is a law school graduate and a seasoned journalist with six years of experience in the crypto industry. His expertise primarily focuses on the Brazilian blockchain ecosystem and developments in decentralized finance (DeFi).
Editor
Liam ‘Akiba’ Wright
Editor-in-Chief • CryptoSlate
Also known as “Akiba,” Liam Wright is the Editor-in-Chief at CryptoSlate and host of the SlateCast. He believes that decentralized technology has the potential to make widespread positive change.