
The malicious code was injected directly into the PyPI distribution, bypassing the clean upstream GitHub repository. This supply chain attack is attributed to TeamPCP, a threat actor known for targeting highly privileged developer and security tools.
The infection chain relies on malicious code execution disguised within legitimate library functions. In version 1.82.7, attackers injected a 12-line base64-encoded payload into the litellm/proxy/proxy_server.py file. This code triggers silently upon module import.
Version 1.82.8 escalates the threat by introducing a litellm_init.pth file into the root of the wheel. Because Python automatically processes .pth files placed in site-packages at startup, this secondary vector ensures the payload executes as a background process during any Python invocation in the compromised environment. This means the payload triggers even if litellm is never explicitly imported by the developer’s code.
Affected Package Versions
| Package Name | Version | Publication Date | Injection Vector | Status |
|---|---|---|---|---|
| litellm | 1.82.7 | 2026-03-24 | proxy_server.py (import-time) | Removed |
| litellm | 1.82.8 | 2026-03-24 | proxy_server.py + litellm_init.pth (interpreter startup) | Removed |
Note: The last known-clean version is litellm 1.82.6.
Upon execution, the payload initiates an aggressive three-stage attack sequence. The initial orchestrator script unpacks a comprehensive credential harvester designed to systematically sweep the host system.
It targets SSH keys, cloud provider tokens for AWS, GCP, and Azure, database credentials, and cryptocurrency wallets. Extracted secrets are encrypted using a hybrid AES-256-CBC and RSA-4096 scheme and bundled into an archive named tpcp.tar.gz before being exfiltrated to an attacker-controlled domain masquerading as a legitimate project resource.
Beyond credential theft, the malware attempts lateral movement within Kubernetes environments. If the harvester detects a Kubernetes service account token, it rapidly enumerates all cluster nodes and deploys privileged alpine containers to each node using host-level access.
Finally, the malware establishes persistent access by dropping a systemd user service disguised as a system telemetry process. This backdoor continuously polls a secondary command-and-control server to fetch and execute additional binaries.
This breach represents the latest escalation in a sprawling supply chain campaign orchestrated by TeamPCP. Over the past month, the group has successfully compromised five separate ecosystems, including GitHub Actions, Docker Hub, npm, and OpenVSX.
By deliberately targeting infrastructure and security-focused tools such as Aqua Security’s Trivy and Checkmarx’s KICS, the attackers ensure their payloads execute in highly privileged environments rich with production secrets.
Key Indicators of Compromise (IoCs)
| Indicator | Type | Description |
|---|---|---|
| models.litellm.cloud | C2 Domain | Exfiltration endpoint for encrypted credential archives |
| checkmarx.zone/raw | C2 Endpoint | Payload delivery domain for the persistent backdoor |
| ~/.config/systemd/user/sysmon.service | Filesystem | Persistent systemd unit hiding the backdoor |
| tpcp.tar.gz | Archive | Named archive containing exfiltrated host data |
| node-setup-* | Kubernetes | Privileged attacker pods deployed in the kube-system namespace |
Organizations utilizing litellm should immediately audit their environments. If the compromised versions are detected, security teams must treat the environment as fully breached and initiate a comprehensive credential rotation protocol.
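One way to run that audit on a host, as an added example that is not code from the article or from the LiteLLM project: it checks a site-packages directory for the two affected versions, the litellm_init.pth file, any .pth line that Python would execute at startup, and the sysmon.service unit from the IoC table. The function names are hypothetical, and it assumes a wheel install that leaves a litellm-<version>.dist-info directory.

```python
import re
import sys
import sysconfig
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}   # affected-versions table above
BAD_PTH = "litellm_init.pth"          # file added to the 1.82.8 wheel
UNIT_REL = ".config/systemd/user/sysmon.service"  # persistence IoC above

def installed_version(dist_info):
    """Read the Version header from a *.dist-info/METADATA file."""
    meta = Path(dist_info) / "METADATA"
    if not meta.is_file():
        return None
    m = re.search(r"^Version:\s*(\S+)", meta.read_text(errors="replace"), re.M)
    return m.group(1) if m else None

def audit_site_packages(site_dir):
    """Return (kind, detail) findings for one site-packages directory."""
    site_dir, findings = Path(site_dir), []
    for dist_info in sorted(site_dir.glob("litellm-*.dist-info")):
        version = installed_version(dist_info)
        if version in BAD_VERSIONS:
            findings.append(("compromised-version", version))
    for pth in sorted(site_dir.glob("*.pth")):
        if pth.name == BAD_PTH:
            findings.append(("known-bad-pth", pth.name))
        # site.py executes .pth lines that start with "import" plus a space
        # or tab; some legitimate tools do this, so these are for review.
        lines = pth.read_text(errors="replace").splitlines()
        for number, line in enumerate(lines, 1):
            if line.startswith(("import ", "import\t")):
                findings.append(("pth-exec-line", f"{pth.name}:{number}"))
    return findings

def audit_persistence(home):
    """Report the systemd user unit named in the IoC table, if present."""
    unit = Path(home) / UNIT_REL
    return [("systemd-unit", str(unit))] if unit.is_file() else []

if __name__ == "__main__":
    # Pass site-packages paths as arguments to audit another environment.
    paths = sys.argv[1:] or sorted({sysconfig.get_paths()["purelib"],
                                    sysconfig.get_paths()["platlib"]})
    results = audit_persistence(Path.home())
    for p in paths:
        results += audit_site_packages(p)
    for kind, detail in results:
        print(f"{kind}\t{detail}")
    sys.exit(1 if results else 0)
```

Because the .pth vector fires on any Python startup inside the affected environment, run this with an interpreter from outside that environment and pass the suspect site-packages path as an argument.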
The post LiteLLM Python Package With 95 Million Downloads Compromised by TeamPCP Hackers appeared first on Cyber Security News.
