LiteLLM PyPI Package Backdoored
A supply chain attack campaign attributed to the TeamPCP threat group marks one of the most consequential and fast-moving compromises of modern software development infrastructure. The attackers targeted trusted developer tools and open-source ecosystems.

This campaign showed how a single foothold in CI/CD pipelines can cascade into widespread compromise. Multiple platforms, including security scanners, package repositories, and AI infrastructure, were affected. The campaign highlights not only the fragility of software supply chains but also the increasing sophistication of adversaries. They leveraged automation, credential theft, and trust relationships to scale attacks.
The campaign began with the compromise of Trivy, a widely used open-source vulnerability scanner embedded in CI/CD pipelines. Attackers exploited weaknesses in GitHub Actions workflows. This enabled them to inject malicious code into official Trivy components, including binaries, Docker images, and automation workflows.
This initial breach proved particularly dangerous because Trivy operates within highly privileged environments. When developers run security scans, the tool often has access to sensitive credentials. These include SSH keys, cloud tokens, and API secrets. By weaponizing Trivy, TeamPCP turned a defensive control into an offensive mechanism.
The malicious payload in Trivy-enabled workflows harvested credentials directly from CI/CD runner memory. It then exfiltrated them to attacker-controlled infrastructure. This allowed attackers to pivot rapidly, using stolen secrets to compromise additional systems and services.
Following the Trivy compromise, TeamPCP used stolen credentials to infiltrate other parts of the software supply chain. One of the most critical expansions involved GitHub Actions. Here, attackers poisoned automation workflows used across thousands of repositories.
The compromise extended to Checkmarx tools, including KICS and GitHub Actions for AST. These were backdoored with credential-stealing malware. This showed a key characteristic of the campaign: reuse of stolen CI/CD tokens to move laterally across ecosystems.
Rather than exploiting new vulnerabilities at each stage, the attackers relied on previously harvested credentials to authenticate as trusted entities. This approach allowed them to bypass traditional security controls. They distributed malicious updates through legitimate channels.
The attack also introduced automation and self-propagation. Reports indicate that stolen tokens were used to seed malicious packages and workflows across multiple repositories. This created a cascading supply chain compromise that grew with each new integration.
The LiteLLM Compromise
The campaign reached a critical point with the compromise of the LiteLLM Python package on PyPI. LiteLLM is a widely used gateway for managing API requests to large language model providers. It was a high-value target due to its access to sensitive AI credentials.
Researchers at Endor Labs found that attackers published malicious versions (1.82.7 and 1.82.8) after obtaining PyPI publishing credentials from the earlier Trivy compromise. These versions contained embedded credential-stealing malware. The malware exfiltrated secrets from infected systems.
The impact of this compromise was amplified by LiteLLM's role in AI infrastructure. The platform often stores API keys for multiple providers, including cloud-based AI services. This enabled attackers to access a wide range of downstream systems from a single breach.
Additionally, the malware used Python's .pth file mechanism to execute automatically during interpreter startup. This ensured persistence and increased the chance of undetected execution.
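A defender-side check for the two indicators the article names, the `.pth` startup-execution mechanism and the two backdoored release numbers. This is an added example, not code from PCrisk, LiteLLM or the researchers cited; the suspicious-keyword list and the sample `.pth` contents are constructed here.

```python
import re
import site
from importlib.metadata import PackageNotFoundError, version
from pathlib import Path

# Backdoored LiteLLM releases named in the article.
BAD_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}

# site.py executes any .pth line that begins with "import" at interpreter
# startup; other lines are only appended to sys.path. Constructed heuristic.
SUSPICIOUS = re.compile(r"\b(exec|eval|compile|base64|subprocess|__import__)\b")

def suspicious_pth_lines(text):
    """Return the import-prefixed lines of a .pth file that look like loaders."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("import ", "import\t")) and SUSPICIOUS.search(line):
            hits.append(line)
    return hits

def scan_site_packages(dirs=None):
    """Scan .pth files in the given (default: this interpreter's) site dirs."""
    dirs = dirs or site.getsitepackages() + [site.getusersitepackages()]
    report = {}
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            try:
                hits = suspicious_pth_lines(pth.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                report[str(pth)] = hits
    return report

def litellm_version_is_bad(installed=None):
    """True if the given (or installed) litellm version is a backdoored release."""
    if installed is None:
        try:
            installed = version("litellm")
        except PackageNotFoundError:
            return False
    return installed in BAD_LITELLM_VERSIONS

# Constructed sample .pth: a path entry, a harmless import, and a loader line.
SAMPLE_PTH = (
    "/opt/venv/lib/extra\n"
    "import sys; sys.path.append('/opt/venv/lib/vendor')\n"
    "import base64, sys; exec(base64.b64decode('<constructed placeholder>'))\n"
)
```

Run `scan_site_packages()` inside each virtual environment you audit, since every interpreter has its own site directories and its own `.pth` files.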
The scale of exposure was significant. LiteLLM reportedly handles tens of millions of downloads monthly. Even a short-lived compromise could affect many environments, including enterprise CI/CD pipelines, developer workstations, and cloud workloads.
The malicious payloads deployed across the campaign shared several core capabilities, reflecting a consistent and modular design.
These included:
- Credential harvesting from CI/CD environments, including API keys, SSH keys, and cloud tokens
- Data exfiltration to attacker-controlled endpoints
- Persistence mechanisms, including automatic execution via .pth files
- Lateral movement within Kubernetes clusters through the deployment of privileged containers
- Potential deployment of destructive components, including wiper functionality targeting specific regions
The Kubernetes-focused capabilities are notable. In compromised environments, the malware deployed privileged pods across cluster nodes. This enabled broad access and persistence, even after initial remediation efforts.
This level of access transformed compromised environments into staging grounds for further attacks. TeamPCP could expand its reach while maintaining a foothold in critical infrastructure.
Beyond credential theft, the campaign showed destructive intent. Reports indicate that TeamPCP deployed wiper malware in some Kubernetes environments, and certain targets were aligned with specific geopolitical interests.
This evolution from espionage to destructive operations underscores the flexibility of the attack framework. By maintaining access to cloud-native environments, attackers can choose data exfiltration, lateral movement, or outright disruption based on their objectives.
The inclusion of wiper functionality raises concerns about future attacks. Supply chain compromises could blend with ransomware or sabotage campaigns, increasing the risk to organizations that rely on shared infrastructure.
The TeamPCP campaign underscores a key challenge in open-source ecosystems: balancing accessibility and security. Open-source tools enable innovation and collaboration but create complex dependency chains that are hard to secure.
Modern development environments rely on automation and third-party integrations. This creates a large attack surface. As shown by this campaign, attackers no longer need to compromise individual organizations directly. They can target shared infrastructure and spread attacks through trusted channels.
The incident raises questions about the security of new AI infrastructure. As tools like LiteLLM manage interactions with large language models, they introduce new risks from the aggregation of sensitive credentials and data.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
The PCrisk security portal is brought to you by the company RCS LT.
Security researchers have joined forces to help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.