The campaign highlights a growing trend of adversaries targeting AI development pipelines to inject malicious code at scale.
The attack began with Trivy, a popular open-source vulnerability scanner maintained by Aqua Security.
According to available reports, TeamPCP exploited weak credential management practices and deployed an automated agent to manipulate Trivy into exposing its GitHub authentication tokens.
These credentials enabled the attackers to push malicious updates directly into the public repository.
Aqua Security confirmed that only the open-source version of Trivy was affected, while its enterprise customers remained protected.
However, the compromise created a critical foothold for further attacks, as many development environments rely on Trivy for continuous security scanning.
Building on the initial breach, TeamPCP moved laterally into LiteLLM, an open-source AI gateway widely used to connect applications with major large language models such as GPT-5 and Claude.
Because LiteLLM’s development pipeline depended on the compromised Trivy package, attackers were able to extract sensitive publishing credentials.
Using these keys, the group distributed trojanized versions of LiteLLM, impacting an estimated 95 million users.
The malicious updates remained undetected until developers began reporting system crashes and abnormal behavior, prompting an investigation.
LiteLLM has since engaged Google-owned Mandiant to conduct a forensic analysis and secure its infrastructure.
Notably, TeamPCP leveraged artificial intelligence to enhance its attack capabilities. A representative associated with the group claimed that Anthropic’s Claude model was used to generate malware components and automate various stages of the intrusion.
Security researchers observed multiple tactics in the campaign:
This use of AI significantly reduced development time for malicious payloads and increased the efficiency of the attack lifecycle.
TeamPCP is believed to operate as an initial access broker (IAB), a role increasingly common in the cybercrime ecosystem.
Instead of deploying ransomware directly, the group monetizes intrusions by selling access to other threat actors or extorting affected organizations.
This model allows them to scale operations while minimizing exposure, making detection and attribution more difficult for defenders.
The incident underscores systemic weaknesses in modern software supply chains, particularly within AI development environments.
Many organizations rely heavily on open-source tools without implementing rigorous validation or secrets management controls.
Cybersecurity experts emphasize that trust in third-party components must be paired with verification.
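The verification step this paragraph calls for, shown as an added example that is not code from the article or from the Trivy, LiteLLM or Aqua Security projects: a simplified Python version of the check pip performs with `--require-hashes`. A pinned lockfile carries a SHA-256 digest for every dependency, and a build that fetches an artifact whose digest does not match the pin fails closed rather than installing a silently replaced package. The package names, artifact bytes and requirements text below are constructed for the demonstration.

```python
"""Verify fetched package artifacts against hash-pinned requirements.

Added example, not the page's or any project's own code: a reduced form of
pip's --require-hashes behaviour. Every requirement must carry at least one
sha256 pin; an artifact whose digest matches no pin is rejected.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# pip-style pinned line: "name==version --hash=sha256:<64 hex> [--hash=...]"
_LINE_RE = re.compile(
    r"^\s*([A-Za-z0-9_.\-]+)==(\S+)((?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


@dataclass
class Pin:
    name: str
    version: str
    digests: set[str] = field(default_factory=set)


def parse_pins(text: str) -> dict[str, Pin]:
    """Parse hash-pinned requirements; refuse any unpinned or malformed line."""
    pins: dict[str, Pin] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        name, version, hash_opts = m.group(1).lower(), m.group(2), m.group(3)
        digests = set(_HASH_RE.findall(hash_opts))
        if not digests:
            raise ValueError(f"{name}=={version} has no --hash pin")
        pins[name] = Pin(name, version, digests)
    return pins


def verify_artifacts(pins: dict[str, Pin], artifacts: dict[str, bytes]) -> dict[str, str]:
    """Return a verdict per pinned package: 'ok', 'hash-mismatch' or 'missing'.

    artifacts maps package name -> raw bytes of the fetched wheel/sdist.
    Any artifact not covered by a pin is ignored here; pip would refuse it.
    """
    verdicts: dict[str, str] = {}
    for name, pin in pins.items():
        data = artifacts.get(name)
        if data is None:
            verdicts[name] = "missing"
            continue
        digest = hashlib.sha256(data).hexdigest()
        verdicts[name] = "ok" if digest in pin.digests else "hash-mismatch"
    return verdicts


# --- constructed sample input (stand-ins, not real packages) ---------------
GOOD_SCANNER = b"constructed: legitimate scanner wheel 1.0"
GOOD_GATEWAY = b"constructed: legitimate gateway wheel 2.3"
TAMPERED_GATEWAY = b"constructed: gateway wheel 2.3 with injected payload"

REQUIREMENTS = (
    "# constructed lockfile; digests computed from the GOOD_* bytes above\n"
    f"scanner==1.0 --hash=sha256:{hashlib.sha256(GOOD_SCANNER).hexdigest()}\n"
    f"gateway==2.3 --hash=sha256:{hashlib.sha256(GOOD_GATEWAY).hexdigest()}\n"
    "tokenizer==0.9 --hash=sha256:" + "0" * 64 + "\n"
)

# What the build actually fetched: scanner intact, gateway replaced, tokenizer absent.
ARTIFACTS = {"scanner": GOOD_SCANNER, "gateway": TAMPERED_GATEWAY}


def run_demo() -> dict[str, str]:
    """Verify the constructed fetch against the constructed lockfile."""
    return verify_artifacts(parse_pins(REQUIREMENTS), ARTIFACTS)


if __name__ == "__main__":
    for pkg, verdict in run_demo().items():
        print(f"{pkg:10s} {verdict}")
```

In a real pipeline the same fail-closed rule applies to the scanner itself: the tool that checks the build is a dependency of the build and gets pinned and verified like any other, and a mismatch stops the job before any publishing credential is read.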
Key recommendations include:
As AI adoption accelerates, attackers are increasingly targeting the tools and frameworks that underpin these systems.
The TeamPCP campaign serves as a stark reminder that securing the AI supply chain is now a critical priority for organizations worldwide.
The post TeamPCP Hackers Target AI Developers with Malicious Code Injections appeared first on Cyber Security News.