On March 24, 2026, two malicious versions of LiteLLM, the Python library powering 95 million monthly downloads across the AI developer ecosystem, were quietly pushed to PyPI. The attack didn’t begin with LiteLLM. It began with Trivy, a vulnerability scanner running inside LiteLLM’s own CI pipeline without version pinning. One compromised dependency handed attackers the PyPI publishing credentials they needed. What followed was a multi-stage credential stealer that executed silently inside every Python process, swept up SSH keys, cloud credentials, Kubernetes tokens, and API keys, then exfiltrated everything, encrypted, to an attacker-controlled server. The TeamPCP campaign is still active. This is the blueprint for AI supply chain attacks going forward, and your current defenses are probably not sufficient.
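The root cause named above is a CI dependency consumed without version pinning. As an added example (not code from the article or from the LiteLLM project, which does not describe its pipeline in this page), the following stdlib-only Python audits a GitHub Actions workflow and reports every `uses:` step whose ref is a floating branch or mutable tag rather than a full 40-character commit SHA. The workflow text, the action names, and the 40-hex checkout SHA are constructed placeholders; that LiteLLM used GitHub Actions or the `aquasecurity/trivy-action` step is an assumption made for illustration.

```python
import re

# Matches a GitHub Actions step line of the form "uses: owner/repo[/path]@ref".
# Local actions ("uses: ./path") and "docker://" images have no "@ref" of this
# shape and are intentionally not matched.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")

# A full commit SHA is the only immutable ref; tags and branches can be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow. The checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Scan with Trivy
        uses: aquasecurity/trivy-action@master   # floating branch ref (assumed step)
      - uses: actions/setup-python@v5             # mutable tag
"""


def find_unpinned_actions(workflow_text):
    """Return a list of (line_no, action, ref) for every step whose ref is
    not a full commit SHA. An empty list means every action is pinned."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.group(1), match.group(2)
        if not SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings


def is_fully_pinned(workflow_text):
    """Convenience gate for a pre-merge check: True only when no floating refs remain."""
    return not find_unpinned_actions(workflow_text)


if __name__ == "__main__":
    for line_no, action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
    print("fully pinned:", is_fully_pinned(SAMPLE_WORKFLOW))
```

Running the script against the sample reports the `@master` and `@v5` steps and leaves the SHA-pinned checkout alone. The same check belongs in a pre-merge CI job so that a step resolving to a moving target cannot land unnoticed; pinning to a SHA means a compromised upstream tag or branch cannot silently change what runs with access to the pipeline's publishing secrets.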
