litellm dependency breaks all installs — package quarantined on PyPI after supply chain attack #4981

@Yannholo

Summary

google-adk cannot be installed when using the eval or extensions extras because litellm has been completely quarantined on PyPI following a supply chain attack (BerriAI/litellm#24518). All versions return "No matching distribution found", making any project that depends on google-adk[eval] unable to resolve dependencies.

Reproduction

```shell
pip install google-adk[eval]
# or
pip install litellm
```

Both fail with:

```
Unable to find installation candidates for litellm
```

Impact

  • Any CI/CD pipeline installing google-adk[eval] is broken
  • poetry lock --regenerate fails for projects depending on google-adk[eval]
  • No workaround other than removing the eval extra entirely
  • No timeline from PyPI for restoring the package

Context

On 2026-03-24, an attacker published malicious litellm versions (1.82.7, 1.82.8) containing credential-stealing malware. PyPI responded by quarantining the entire package — all versions, not just the compromised ones.

Reference: BerriAI/litellm#24518

Environment

  • google-adk==1.23.0
  • Python 3.10+
  • Poetry 2.x / pip 24.x
  • All platforms affected
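For teams triaging this incident, the first question is usually "which of our projects reference litellm, directly or through the google-adk eval/extensions extras, and do any of them pin one of the malicious releases?" The script below is an added example written for this page, not code from the google-adk project or from the issue author. It scans requirements-style text for exact pins and extras using a small PEP 508 subset parser, flags the two versions the issue names as compromised (1.82.7, 1.82.8), marks every other litellm reference as unresolvable under the quarantine, and marks google-adk[eval]/google-adk[extensions] as pulling litellm transitively. The requirements content embedded at the bottom is constructed for illustration; the version list comes from the issue text above.

```python
"""Audit requirements-style text for litellm references hit by the PyPI quarantine.

Added example for this issue page (not project code). The compromised version
numbers are taken from the issue; the sample requirements below are constructed.
"""
import re
import sys

# Releases the issue reports as containing credential-stealing malware.
COMPROMISED_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}

# google-adk extras that, per the issue, depend on litellm.
LITELLM_EXTRAS = {"eval", "extensions"}

# Minimal PEP 508 subset: "name", "name[extra,extra]", "name==1.2.3".
# Version ranges (>=, ~=) are treated as unpinned, which is enough here.
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)"   # distribution name
    r"(?:\[([^\]]*)\])?"               # optional extras
    r"\s*(?:==\s*([^\s;#]+))?"         # optional exact pin
)


def normalize(name):
    """Normalize a distribution name the way pip does (PEP 503 style)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text):
    """Return one finding per line that references litellm.

    status is one of:
      'compromised' - exact pin matches a malicious release named in the issue
      'quarantined' - any other litellm reference; no version resolves today
      'transitive'  - google-adk with the eval/extensions extra, which pulls litellm
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name = normalize(m.group(1))
        extras = {e.strip().lower() for e in (m.group(2) or "").split(",") if e.strip()}
        version = m.group(3)
        if name == "litellm":
            status = "compromised" if version in COMPROMISED_LITELLM_VERSIONS else "quarantined"
        elif name == "google-adk" and extras & LITELLM_EXTRAS:
            status = "transitive"
        else:
            continue
        findings.append({"line": lineno, "spec": line, "version": version, "status": status})
    return findings


# Constructed sample input; not a real project's requirements file.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project file
google-adk[eval]==1.23.0
litellm==1.82.7
requests==2.32.3
litellm>=1.80   # unpinned range
google-adk==1.23.0
"""

if __name__ == "__main__":
    # Reads requirements from stdin when piped, otherwise audits the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REQUIREMENTS
    hits = audit_requirements(source)
    for h in hits:
        print(f"line {h['line']}: {h['status']:<11} {h['spec']}")
    sys.exit(1 if hits else 0)
```

Usage: `pip freeze | python audit_litellm.py` or `python audit_litellm.py < requirements.txt`; a non-zero exit makes it easy to drop into CI. The parser deliberately handles only exact pins and extras, so a lock file with hashes or environment markers should be pre-processed or fed line by line. A `google-adk` entry without the `eval` or `extensions` extra is not reported, matching the issue's statement that the base package installs fine.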

Metadata

Labels

models: [Component] Issues related to model support
