TeamPCP Backdoors LiteLLM Versions 1.82.7 to 1.82.8 Through Trivy CI/CD Supply Chain Compromise

A major supply chain attack campaign has emerged as TeamPCP, the threat actor behind previous Trivy and KICS compromises, has backdoored the popular Python package LiteLLM. Versions 1.82.7 and 1.82.8, released on March 24, 2026, contained a credential harvester, Kubernetes lateral movement toolkit, and a persistent systemd backdoor.

Security vendors including Endor Labs and JFrog confirmed the malicious packages were removed from PyPI after discovery. The compromise likely originated from LiteLLM’s use of Trivy in its CI/CD workflow.

Three-Stage Malicious Payload

According to researchers:

  1. Credential Harvester – Collects SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files.
  2. Kubernetes Lateral Movement Toolkit – Deploys privileged pods to every node, gaining cluster-wide control.
  3. Persistent Systemd Backdoor – The sysmon.service polls checkmarx[.]zone/raw every 50 minutes to retrieve additional payloads. A kill switch aborts execution if youtube.com is detected.

The payload exfiltrates data as an encrypted archive (tpcp.tar.gz) to a command-and-control server (models.litellm[.]cloud) using HTTPS POST requests.

Escalation via .pth File

Version 1.82.8 introduced a malicious .pth file, litellm_init.pth, which executes the payload on every Python process startup. It launches a child process using subprocess.Popen, allowing background execution and broader infection without requiring direct module import.

This represents a significant escalation from the prior 1.82.7 version, where the payload was triggered only when importing litellm.proxy.proxy_server.
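
For defenders, the .pth mechanism described above can be audited directly. The following is an added example, not code from the article or from any vendor report: it lists every .pth line that Python's site module would execute at interpreter startup and rates it. The token list and the severity labels are assumptions of this example; the file name litellm_init.pth is the one reported above.

```python
import site
from pathlib import Path

# File name reported in this article for LiteLLM 1.82.8.
KNOWN_BAD_NAMES = {"litellm_init.pth"}
# Heuristic tokens chosen for this example (an assumption, not a complete list).
SUSPICIOUS_TOKENS = ("subprocess", "exec(", "eval(", "base64", "urllib", "socket")


def executable_lines(pth_file):
    """Yield (line_no, text) for lines the site module would exec() at startup."""
    text = pth_file.read_text(encoding="utf-8", errors="replace")
    for line_no, line in enumerate(text.splitlines(), start=1):
        # site executes any .pth line starting with "import" plus space or tab;
        # every other non-comment line is only treated as a path entry.
        if line.startswith(("import ", "import\t")):
            yield line_no, line.strip()


def scan_dir(directory):
    """Return one finding per executable line in the .pth files of `directory`."""
    findings = []
    for pth_file in sorted(Path(directory).glob("*.pth")):
        known_bad = pth_file.name in KNOWN_BAD_NAMES
        lines = list(executable_lines(pth_file))
        if known_bad and not lines:
            lines = [(0, "<known-bad file name, no import line>")]
        for line_no, code in lines:
            risky = known_bad or any(tok in code for tok in SUSPICIOUS_TOKENS)
            findings.append({"file": pth_file.name, "line": line_no,
                             "severity": "high" if risky else "review",
                             "code": code[:120]})  # truncate long one-liners
    return findings


def site_dirs():
    """Global and per-user site-packages directories of this interpreter."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    dirs.append(site.getusersitepackages())
    return [d for d in dirs if Path(d).is_dir()]


if __name__ == "__main__":
    for d in site_dirs():
        for f in scan_dir(d):
            print(f"{f['severity']:6} {d}/{f['file']}:{f['line']}  {f['code']}")
```

Legitimate packages, such as editable installs, also ship .pth files with import lines, so "review" findings need a manual look rather than automatic removal.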

Impact and Ecosystem Spread

The compromise extends TeamPCP’s supply chain attacks across five ecosystems: GitHub Actions, Docker Hub, npm, Open VSX, and PyPI. According to Wiz, LiteLLM is present in roughly 36% of cloud environments, highlighting the potential “snowball effect” of credential theft and lateral attacks.

TeamPCP publicly claimed responsibility via Telegram, boasting partnerships with other threat actors and promising further attacks on open-source projects and security tools.

Coordination with LAPSUS$ Extortion Group

TeamPCP is reportedly collaborating with LAPSUS$, indicating a convergence between supply chain attackers and high-profile extortion groups. Security researchers warn that this is not an isolated incident and requires proactive monitoring and mitigation across the cloud-native ecosystem.

(The story was updated after publication to reflect the latest developments.)



