Malicious litellm 1.82.8 wheel auto-executes on Python startup via .pth file

A poisoned release of the litellm package on PyPI, version 1.82.8, shipped a wheel containing a 34,628-byte .pth file named litellm_init.pth. Because Python processes .pth files automatically at interpreter startup, the embedded payload runs on any environment where the package is installed — no import statement, no explicit invocation, no user action required.

The .pth abuse vector sidesteps the assumption that uninvoked packages are inert. Once the wheel lands in site-packages, every subsequent Python process in that environment executes the attacker’s code before user code begins, which is a near-ideal foothold for credential theft, build pipeline tampering, or lateral movement in CI runners and developer workstations.

Schneier frames the broader fix as the unglamorous package-integrity stack the industry keeps deferring: SBOMs to know what’s installed, SLSA to attest how artifacts were built, and Sigstore to verify who signed them. None of it is novel, and none of it gets adopted at the pace required by incidents like this one.