The .pth file that turned PyPI into a silent credential vacuum
- Base64 payload triggers on pip install
- No import required for activation
- PyPI quarantine limited to hours
The LiteLLM v1.82.8 package published to PyPI carried a payload that required zero user action beyond typing pip install. Hidden in a litellm_init.pth file, a base64-encoded credential stealer activated automatically during installation — no import litellm needed, no suspicious network calls visible in application code. This is not how most Python malware operates.
The .pth file mechanism is an obscure Python feature: at interpreter startup, the site module reads every .pth file in site-packages, and any line that begins with import is executed as code. Malware hidden here runs before any user code executes, making it effectively invisible to developers auditing their own imports. Security researcher Simon Willison documented that the exploit in v1.82.7 required package import, but v1.82.8's .pth relocation removed even that minimal friction.
PyPI's maintainers quarantined the package within hours, but the exposure window was sufficient for automated dependency chains to pull the compromised version. The attack surface here is vast: LiteLLM sits between developers and dozens of LLM APIs, meaning its environment typically contains high-value credentials for OpenAI, Anthropic, Azure, and Google services.
The credential stealer's scope remains partially unclear — the payload reportedly targets a "bewildering array" of secrets, though the exact enumeration of environment variables and file paths has not been fully decompiled in public analysis. What is confirmed: this was not opportunistic vandalism but deliberate exfiltration architecture.
The compromise vector points to standard PyPI account takeover, a supply-chain attack pattern that has accelerated across the ecosystem. Unlike npm's recent two-factor mandate for top packages, PyPI's security model still permits single-factor authentication for maintainers of widely trusted infrastructure. The Python Software Foundation has been gradual in mandating 2FA for critical projects.
For organizations, this incident validates what security teams already suspected: dependency installation is no longer a neutral infrastructure operation but an active attack surface requiring sandboxing. The .pth mechanism, obscure since its 2001 introduction, has now been weaponized at scale. Developers who audit their requirements.txt but not their site-packages post-installation are flying blind.
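A post-install audit of the kind the paragraph above calls for, as an added example that is not from the original article or the LiteLLM project: it reports every line in a site-packages .pth file that the interpreter would execute at startup. The regex heuristics and the sample strings are assumptions constructed for illustration, not indicators from this incident.

```python
import re
import site
import sysconfig
from pathlib import Path

# Heuristics are assumptions of this example, not indicators from the incident.
SUSPICIOUS = re.compile(r"\b(exec|eval|compile|b64decode|subprocess|urllib|socket|os\.system)\b")
LONG_B64 = re.compile(r"[A-Za-z0-9+/=]{80,}")

def audit_pth_text(text):
    """Return [(lineno, reasons)] for every line site.py would execute."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # site.py runs only lines starting with "import" + space/tab; others are path entries.
        if not line.startswith(("import ", "import\t")):
            continue
        reasons = ["executable import line"]
        if SUSPICIOUS.search(line):
            reasons.append("dynamic execution, process or network call")
        if LONG_B64.search(line):
            reasons.append("long base64-like blob")
        findings.append((lineno, reasons))
    return findings

def site_dirs():
    """Collect system, virtualenv and per-user site-packages directories."""
    dirs = {sysconfig.get_path("purelib"), sysconfig.get_path("platlib"), site.getusersitepackages()}
    dirs.update(getattr(site, "getsitepackages", list)())
    return sorted(Path(d) for d in dirs if Path(d).is_dir())

def audit_environment():
    """Map each .pth file that contains executable lines to its findings."""
    report = {}
    for directory in site_dirs():
        for pth in sorted(directory.glob("*.pth")):
            found = audit_pth_text(pth.read_text(encoding="utf-8", errors="replace"))
            if found:
                report[str(pth)] = found
    return report

# Constructed samples: path-only file, routine import, harmless encoded stand-in ("ABC" repeated).
PATH_ONLY = "# comment\n../src/myproject\n"
ROUTINE = "import _virtualenv\n"
ENCODED = "import base64;exec(base64.b64decode('" + "QUJD" * 30 + "'))\n"

if __name__ == "__main__":
    for path, found in audit_environment().items():
        for lineno, reasons in found:
            print(f"{path}:{lineno}: {'; '.join(reasons)}")
```

Findings are a review queue rather than a verdict: virtualenv and editable installs legitimately ship one-line import entries, so the extra reasons are what separate routine lines from ones worth opening.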