A Note on the LiteLLM Vulnerability

Rogerio

Mar 25, 2026

On March 24, 2026 at 11:28 UTC, a malicious file was identified in version 1.82.8 of LiteLLM. The file contained a credential-stealing script that executed automatically on install. The compromised version remained published for several hours before being quarantined on PyPI and removed.

LangWatch customers were not impacted. No cloud or self-hosted customers were affected. All LangWatch components use pnpm-lock.yaml and uv.lock to pin dependency versions across both TypeScript and Python packages, preventing any automatic pull of the compromised release. LangWatch depends on LiteLLM for the execution of workflows and evaluators in the langwatch_nlp and langevals components.

As a general precaution, organizations that performed unlocked installations of LiteLLM on March 24, 2026 should review their environments, as many tools across the ecosystem depend on it — including the langwatch-scenario Python library (used in development, not in production).

The LiteLLM compromise originated from a broader supply chain attack targeting Trivy, a widely used security scanner. Attackers leveraged compromised credentials from that campaign to publish the malicious LiteLLM package to PyPI.

As an additional precaution, we are now pinning all GitHub Actions used by LangWatch to commit SHAs, protecting against the same class of tag-hijacking supply chain attack. Dependabot is configured to automatically flag when updates are available, ensuring pinned versions stay current.
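One way to audit a repository for the SHA pinning described above, as an added example that is not LangWatch's own tooling: it flags every `uses:` reference in a workflow that points at a tag, branch or unpinned container image. The `example-org/scan-action` name, the placeholder SHA and the sample workflow are constructed for illustration.

```python
import re
from pathlib import Path

# Value of a step-level or job-level "uses:" key, without any trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
DOCKER_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def classify(ref: str) -> str:
    """Return 'pinned', 'local' or 'mutable' for one uses: reference."""
    if ref.startswith("./"):
        return "local"  # action stored in the same repository and commit
    if ref.startswith("docker://"):
        return "pinned" if DOCKER_DIGEST.search(ref) else "mutable"
    _, sep, version = ref.rpartition("@")
    return "pinned" if sep and FULL_SHA.match(version) else "mutable"

def audit_workflow(text: str) -> list:
    """Return (line_number, reference) for every mutable reference."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "mutable":
            findings.append((number, match.group(1)))
    return findings

def audit_repo(root: str = ".") -> dict:
    """Audit every workflow file under .github/workflows in a checkout."""
    report = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        hits = audit_workflow(path.read_text(encoding="utf-8"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scan-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/setup
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for number, ref in audit_workflow(SAMPLE):
        print(f"line {number}: {ref} is not pinned to a full commit SHA")
```

Calling `audit_repo()` from the root of a checkout returns a mapping of workflow file to findings, which makes it usable as a CI gate that fails when the mapping is non-empty.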

LangWatch is committed to maintaining the highest standards of security for our customers.

Ship agents with confidence, not crossed fingers

Get up and running with LangWatch in as little as 5 minutes.
