Your Agent Monitoring SDK Was the Backdoor

Source: DEV Community
On March 24, 2026, a supply chain attack against LiteLLM — one of the most widely deployed LLM proxy and observability libraries — compromised the PyPI packages used by engineers to instrument their AI agents. The attacker had already worked through two upstream targets: Aqua Security's Trivy scanner (March 19), then Checkmarx's KICS and AST GitHub Actions (March 23). LiteLLM's CI/CD pipeline ran Trivy without a pinned version, which is how the attacker extracted the PyPI publishing token from the GitHub Actions runner. The malicious versions (1.82.7 and 1.82.8) were live on PyPI for approximately three hours before LiteLLM took them down. The payload installed by the compromised packages ran a three-stage operation: credential harvesting from cloud environments, lateral movement through Kubernetes clusters, and a persistent backdoor for remote code execution. Every API key passing through LiteLLM — OpenAI, Anthropic, Azure, Google — was potentially in scope. The monitoring layer wasn'
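
As an added example (not code from the original article or from the LiteLLM project), this Python sketch scans requirements-style text for the two versions named above, 1.82.7 and 1.82.8, and separates exact pins from floating specifiers that could have resolved to them while they were live. The sample input and the package names `examplepkg` and `litellm-extras` are constructed for illustration.

```python
import re

# The two versions the article names as malicious; nothing else is assumed bad.
COMPROMISED = {"1.82.7", "1.82.8"}

# Requirement line: name, optional [extras], then everything up to a marker or comment.
REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;#]*)")

def classify(line):
    """None for non-litellm lines, else 'compromised', 'pinned' or 'floating'."""
    m = REQ.match(line)
    # PEP 503 name normalisation: case-insensitive, runs of -_. are equivalent.
    if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != "litellm":
        return None
    # Drop per-requirement options such as --hash=..., then all whitespace.
    spec = re.sub(r"\s+", "", m.group(2).split("--")[0])
    pin = re.fullmatch(r"==([0-9][0-9A-Za-z.!+]*)", spec)
    if not pin:
        # Ranges, wildcards and bare names install whatever the resolver picked
        # at build time, so the lock file or installed version must be checked.
        return "floating"
    version = re.sub(r"(\.0)+$", "", pin.group(1))  # 1.82.7.0 equals 1.82.7
    return "compromised" if version in COMPROMISED else "pinned"

def audit(text):
    """Return [(line_number, status)] for every litellm requirement in text."""
    return [(n, s) for n, line in enumerate(text.splitlines(), 1)
            if (s := classify(line)) is not None]

# Constructed sample input; examplepkg and litellm-extras are made-up names.
SAMPLE = """\
# constructed sample, not taken from any real project
examplepkg==1.0.0
litellm[proxy]==1.82.7 ; python_version >= "3.9"
LiteLLM>=1.80
litellm==1.81.0  # exact pin to a version the article does not name
litellm-extras==1.82.8
litellm==1.82.8 --hash=sha256:PLACEHOLDER
"""

if __name__ == "__main__":
    for lineno, status in audit(SAMPLE):
        print(f"line {lineno}: {status}")
```

A `floating` result is not a clean bill of health: it means the file alone cannot say which version was installed, so the lock file or the environment's installed version is the next thing to check.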