On March 24, 2026, malicious versions of the *litellm* Python package (1.82.7 and 1.82.8) were published to PyPI as part of the TeamPCP supply chain attack. The malicious code harvests and exfiltrates credentials, secrets, and environment variables, attempts lateral movement across Kubernetes clusters, and installs persistent backdoors. The compromised versions were available for approximately 3 hours before PyPI quarantined them.
*Apache Airflow® packages and images are not directly affected.* We did not ship an impacted litellm version in an image, nor was it in our constraint files. Airflow constraint files are a good way to prevent similar attacks. If you are not already using them, you are encouraged to learn more about our constraint files: <https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-pypi.html#constraints-files>

*You may be affected if* you installed litellm as a direct or transitive dependency without constraints between 10:39 UTC and 13:38 UTC on 2026-03-24. Common paths include:

- `apache-airflow-providers-google >= 14.0.0` (depends on `google-cloud-aiplatform[evaluation]`)
- `google-cloud-aiplatform[evaluation] >= 1.100.0` (includes litellm in the evaluation extra)
- `litellm` directly

Impacted LiteLLM packages:

- `litellm==1.82.7`, published at 10:39 UTC on March 24, 2026
- `litellm==1.82.8`, published at 10:52 UTC on March 24, 2026

PyPI quarantined the packages at ~13:38 UTC (some sources say up to 16:00 UTC for full removal).

*How to check if you are affected:* Run `pip freeze | grep litellm`. If the output shows 1.82.7 or 1.82.8, your environment was compromised.

*If affected, you should immediately:*

1. Rotate all secrets accessible from that environment: cloud credentials, database passwords, Airflow connections, API keys, and any values stored in environment variables
2. Rebuild your environment with a safe version (litellm<=1.82.6) or remove litellm if it’s not needed, and remove any persistent backdoors
3. Audit access logs for any unauthorized activity originating from your Airflow infrastructure

*If not affected, no action is required.* If you pin dependencies or use constraint files and did not install or upgrade packages between 10:39 UTC and 13:38 UTC on 2026-03-24, you are not at risk.

*Airflow developer environment*

The Airflow developer environment uses lock files that limit installation to unaffected versions.
Although unlikely, people who consciously updated to the latest version of dependencies (for example `uv sync --resolution highest`) while the malicious versions were published on PyPI might have been affected.

*Future actions*

The Airflow PMC takes this seriously; while current protections appear to have mitigated the incident's impact, we plan further hardening to better protect Airflow users and developers from future incidents.

For further details, see the LiteLLM Security Update: <https://docs.litellm.ai/blog/security-update-march-2026>

Jed
On behalf of the Airflow PMC
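As an added, script-form version of the `pip freeze | grep litellm` check above (example code, not part of the original advisory or of Airflow): it classifies the litellm version installed in the running interpreter, and any `litellm==` pins found in a requirements or constraints file, against the versions the advisory names. The sample pin file is constructed for the demonstration; versions newer than 1.82.8 are reported as unknown rather than assumed safe.

```python
"""Check an environment and its pin files for the compromised litellm releases."""
import re
from importlib.metadata import PackageNotFoundError, version

AFFECTED_VERSIONS = frozenset({"1.82.7", "1.82.8"})  # releases named in the advisory
LAST_SAFE_VERSION = (1, 82, 6)  # the advisory recommends rebuilding with litellm<=1.82.6
# Matches pins such as "litellm==1.82.7" or "LiteLLM[proxy]==1.82.6 ; marker".
PIN_RE = re.compile(r"^\s*litellm(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)", re.IGNORECASE)


def classify_version(ver):
    """Return 'affected', 'safe' or 'unknown'; newer releases are not guessed at."""
    ver = ver.strip()
    if ver in AFFECTED_VERSIONS:
        return "affected"
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", ver)
    if m and tuple(int(p) for p in m.groups()) <= LAST_SAFE_VERSION:
        return "safe"
    return "unknown"


def scan_pins(text):
    """Return (line_number, version, verdict) for each litellm pin in a pin file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PIN_RE.match(line)
        if m:
            hits.append((lineno, m.group(1), classify_version(m.group(1))))
    return hits


def installed_litellm_status():
    """Equivalent of `pip freeze | grep litellm` for the running interpreter."""
    try:
        return classify_version(version("litellm"))
    except PackageNotFoundError:
        return "not installed"


# Constructed sample pin file for demonstration; not a real Airflow constraint file.
SAMPLE_CONSTRAINTS = """\
apache-airflow-providers-google==14.0.0
litellm==1.82.7
LiteLLM[proxy]==1.82.6 ; python_version >= "3.9"
"""

if __name__ == "__main__":
    print("installed litellm:", installed_litellm_status())
    for lineno, ver, verdict in scan_pins(SAMPLE_CONSTRAINTS):
        print(f"line {lineno}: litellm=={ver} -> {verdict}")
```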
