TeamPCP Hackers Behind Trivy & KICS Breaches Now Target LiteLLM Package

TeamPCP, a threat group previously linked to high-impact supply chain attacks, has compromised the widely used Python library litellm on PyPI, impacting a package with over 95 million monthly downloads.

The incident marks another escalation in the group’s campaign targeting developer and security ecosystems, following earlier breaches involving Aqua Security’s Trivy and Checkmarx’s KICS tools.

Malicious Package Injection on PyPI

Security researchers identified that versions 1.82.7 and 1.82.8 of litellm, published on March 24, 2026, were trojanized with embedded malware.

The library, commonly used to unify API calls across multiple large language model (LLM) providers, became an effective entry point into developer environments.

In version 1.82.7, attackers inserted a 12-line obfuscated base64 payload into the proxy_server.py file.

Instead of using easily detectable functions like exec(), the code decoded itself, wrote to a temporary file, and executed via a subprocess, evading static analysis tools.

The payload triggered immediately upon importing the library.

Version 1.82.8 introduced a stealthier mechanism using a malicious .pth file (litellm_init.pth).

Python automatically executes .pth files during interpreter startup, allowing the malware to run silently in the background whenever any Python script executes, even if litellm is never directly imported.
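
The startup behaviour described above can be audited directly. The following is an added example, not code from the researchers or from litellm: it lists every line in a site-packages .pth file that the interpreter's site module would execute, which is any line beginning with "import" followed by a space or tab. The function names are illustrative assumptions.

```python
import site
import sysconfig
from pathlib import Path

# File name reported in the article for litellm 1.82.8.
KNOWN_BAD_PTH = {"litellm_init.pth"}


def site_dirs():
    """Directories whose .pth files the site module processes at startup."""
    paths = sysconfig.get_paths()
    dirs = {paths["purelib"], paths["platlib"], site.getusersitepackages()}
    if hasattr(site, "getsitepackages"):  # absent in some old virtualenvs
        dirs.update(site.getsitepackages())
    return sorted(Path(d) for d in dirs if Path(d).is_dir())


def audit_pth(directory):
    """Return (file name, line number, detail) findings for one directory.

    site.py executes a .pth line only when it starts with 'import'
    followed by a space or tab; other non-comment lines are path entries.
    Line number 0 marks a finding about the file name itself.
    """
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        if pth.name in KNOWN_BAD_PTH:
            findings.append((pth.name, 0, "known-bad file name"))
        text = pth.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            if line.startswith(("import ", "import\t")):
                findings.append((pth.name, lineno, line.strip()[:120]))
    return findings


if __name__ == "__main__":
    for d in site_dirs():
        for name, lineno, detail in audit_pth(d):
            print(f"{d / name}:{lineno}: {detail}")
```

Some legitimate packages also ship executable .pth lines, so the output is a review list rather than a verdict; compare it against a known-good environment.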

The malware operates through a structured three-stage payload designed for persistence, credential theft, and lateral movement.

Stage one acts as an orchestrator. It decodes hidden scripts, collects sensitive data, encrypts it using AES-256-CBC and RSA-4096, and packages it into an archive named tpcp.tar.gz.

The archive is then exfiltrated to attacker-controlled infrastructure disguised as a legitimate domain, models.litellm.cloud.

Stage two focuses on credential harvesting and expansion. The malware scans compromised systems for SSH keys, cloud credentials (AWS, Azure, GCP), CI/CD secrets, .env files, and cryptocurrency wallets.

Notably, it includes AWS SigV4 request signing, enabling direct interaction with AWS Secrets Manager.

If a Kubernetes service account token is discovered, the malware deploys privileged pods across the cluster, mounting host filesystems to gain full control.

Stage three establishes persistence. A systemd user service named “System Telemetry Service” is installed, disguising itself as a PostgreSQL-related process (/tmp/pglog).

The backdoor communicates with command-and-control servers every 50 minutes, checking a local state file and even using a “youtube.com” kill switch to avoid detection during analysis.

Organizations should treat this incident as a critical supply chain breach and immediately audit environments for exposure.

  • Affected versions: litellm 1.82.7 and 1.82.8 (removed from PyPI).
  • Safe version: Downgrade to 1.82.6.
  • Suspicious domains: models.litellm.cloud, checkmarx.zone.
  • Malicious files: ~/.config/sysmon/sysmon.py, ~/.config/systemd/user/sysmon.service.
  • Artifacts: Unexpected tpcp.tar.gz archives in temporary directories.
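
A host check built from the indicators listed above, as an added example that is not part of the original report. It uses only the versions, file paths, unit description and archive name given in this article; the function names and the choice of directories to search are assumptions.

```python
import tempfile
from importlib import metadata
from pathlib import Path

# Indicators copied from the article; nothing else is assumed.
BAD_VERSIONS = {"1.82.7", "1.82.8"}
PERSISTENCE_FILES = (".config/sysmon/sysmon.py",
                     ".config/systemd/user/sysmon.service")
UNIT_DESCRIPTION = "System Telemetry Service"
ARCHIVE_NAME = "tpcp.tar.gz"


def installed_litellm():
    """Version of litellm in this interpreter's environment, or None."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def audit_host(home, tmp_dirs, version):
    """Return human-readable findings; an empty list means no hits."""
    home, findings = Path(home), []
    if version in BAD_VERSIONS:
        findings.append(f"litellm {version} is a trojanized release")
    for rel in PERSISTENCE_FILES:
        if (home / rel).exists():
            findings.append(f"persistence file present: {home / rel}")
    # Match on the unit's description too, in case the file was renamed.
    unit_dir = home / ".config/systemd/user"
    units = sorted(unit_dir.glob("*.service")) if unit_dir.is_dir() else []
    for unit in units:
        if unit.is_file() and UNIT_DESCRIPTION in unit.read_text(errors="replace"):
            findings.append(f"unit named '{UNIT_DESCRIPTION}': {unit}")
    for tmp in tmp_dirs:
        for hit in sorted(Path(tmp).rglob(ARCHIVE_NAME)):
            findings.append(f"staging archive present: {hit}")
    return findings


if __name__ == "__main__":
    results = audit_host(Path.home(), [tempfile.gettempdir()], installed_litellm())
    print("\n".join(results) or "no indicators found")
```

Run it once per Python environment and per user account, since both the installed version and the persistence paths are per-environment and per-user.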

According to Endor Labs, the attackers released version 1.82.8 just 13 minutes after 1.82.7, indicating active, real-time iteration of their malware.

This campaign reflects TeamPCP’s broader strategy of targeting high-trust developer tools to harvest credentials and pivot across ecosystems, including GitHub Actions, Docker Hub, npm, OpenVSX, and now PyPI.

The scale and sophistication of this attack highlight the growing risk within open-source supply chains, where a single compromised dependency can cascade across millions of systems.

The post TeamPCP Hackers Behind Trivy & KICS Breaches Now Target LiteLLM Package appeared first on Cyber Security News.
