A malicious version of the litellm package (1.82.8) was found on PyPI, containing a credential-stealing script that executes automatically when the Python interpreter starts. The script collects sensitive data, including environment variables, SSH keys, and cloud credentials, and sends it to an attacker-controlled server. The issue affects anyone who installed the package via pip, including local development machines, CI/CD pipelines, Docker containers, and production servers. Users are advised to check for the malicious file and rotate all affected credentials.