An AI Gateway Designed to Steal Your Data

    Date: 03/30/2026

    Severity: High

    Summary

    A growing share of cyber incidents now stems from supply chain attacks, in which attackers use tactics such as malicious open-source libraries or hijacked developer accounts. Because compromised libraries spread widely, they can affect countless applications and services. In March 2026, a trojanized LiteLLM Python library was uploaded to PyPI, infecting systems that installed it. The malware targeted sensitive data, including cloud credentials, databases, and crypto wallets.

    Indicators of Compromise (IOC) List

    Domains\URLs : 

    models.litellm.cloud

    checkmarx.zone

    Hash :

    85ED77A21B88CAE721F369FA6B7BBBA3

    2E3A4412A7A487B32C5715167C755D08

    0FCCC8E3A03896F45726203074AE225D

    F5560871F6002982A6A2CC0B3EE739F7

    CDE4951BEE7E28AC8A29D33D34A41AE5

    05BACBE163EF0393C2416CBD05E45E74

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "checkmarx.zone" or url like "checkmarx.zone" or siteurl like "checkmarx.zone" or domainname like "models.litellm.cloud" or url like "models.litellm.cloud" or siteurl like "models.litellm.cloud"

    Detection Query 2 :

    md5hash IN ("F5560871F6002982A6A2CC0B3EE739F7","05BACBE163EF0393C2416CBD05E45E74","2E3A4412A7A487B32C5715167C755D08","CDE4951BEE7E28AC8A29D33D34A41AE5","85ED77A21B88CAE721F369FA6B7BBBA3","0FCCC8E3A03896F45726203074AE225D")
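
A local sweep for the same indicators, for environments where the TDIR queries above are not available (an added example, not part of the original advisory or of Gurucul's product). It matches hostnames by exact name or subdomain, so a lookalike such as the constructed `notcheckmarx.zone.example.com` is not flagged, and it hashes files against the listed MD5 values; the function names and sample log lines are assumptions made for illustration.

```python
import hashlib
import re
import sys
from pathlib import Path

# IOCs copied from this advisory.
IOC_DOMAINS = {"models.litellm.cloud", "checkmarx.zone"}
IOC_MD5 = {
    "85ED77A21B88CAE721F369FA6B7BBBA3", "2E3A4412A7A487B32C5715167C755D08",
    "0FCCC8E3A03896F45726203074AE225D", "F5560871F6002982A6A2CC0B3EE739F7",
    "CDE4951BEE7E28AC8A29D33D34A41AE5", "05BACBE163EF0393C2416CBD05E45E74",
}
HOST_RE = re.compile(r"(?:[a-z0-9_-]+\.)+[a-z]{2,}", re.I)

def host_matches(host, iocs=IOC_DOMAINS):
    """True if host is an IOC domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)

def scan_log_lines(lines, iocs=IOC_DOMAINS):
    """Return (line_number, host) for each hostname in the log that hits an IOC."""
    return [(n, h.lower()) for n, line in enumerate(lines, 1)
            for h in HOST_RE.findall(line) if host_matches(h, iocs)]

def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks; upper-case hex to match the IOC list."""
    digest = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest().upper()

def scan_files(root, bad_md5=IOC_MD5):
    """Hash every regular file under root; return the paths whose MD5 is an IOC."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and md5_of(p) in bad_md5)

# Constructed proxy/DNS log lines (not real telemetry).
SAMPLE_LOG = [
    "2026-03-30T10:01:02Z 10.0.0.5 GET https://pypi.org/simple/litellm/ 200",
    "2026-03-30T10:01:09Z 10.0.0.5 POST https://models.litellm.cloud/ 200",
    "2026-03-30T10:02:00Z 10.0.0.7 dns query api.checkmarx.zone. A",
    "2026-03-30T10:02:31Z 10.0.0.7 GET https://notcheckmarx.zone.example.com/ 200",
]

if __name__ == "__main__":
    print(scan_log_lines(SAMPLE_LOG))
    print([hit for root in sys.argv[1:] for hit in scan_files(root)])
```

Pass one or more directories (for example a Python environment's `site-packages`) as arguments to hash their contents; with no arguments only the constructed log sample is checked.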

    Reference:     

    https://securelist.com/litellm-supply-chain-attack/119257/


    Tags

    Malware, AI, LLMs, Trojan, Crypto wallets, Supply chain attack
