Full Report
The most active piece of enterprise infrastructure in the company is the developer workstation. That laptop is where credentials are created, tested, cached, copied, and reused across services, bots, build tools, and now local AI agents. In March 2026, the TeamPCP threat actor proved just how valuable developer machines are. Their supply chain attack on
Analysis Summary
# Incident Report: TeamPCP Supply Chain Compromise of LiteLLM
## Executive Summary
In March 2026, the threat actor TeamPCP executed a supply chain attack by poisoning LiteLLM, a widely used AI development library, on the Python Package Index (PyPI). By publishing two releases (1.82.7 and 1.82.8) carrying infostealer malware, the attackers harvested plaintext credentials and sensitive configuration files from thousands of developer workstations and CI/CD runners. The incident shows how exposed developer endpoints are: high-value secrets are routinely stored on them unencrypted, and any code that runs at package install time can read them.
## Incident Details
- **Discovery Date:** March 2026 (exact day unspecified)
- **Incident Date:** March 2026
- **Affected Organization:** Users of LiteLLM, directly or through the 1,705 other packages that list it as a dependency
- **Sector:** Technology / AI Development / Software Supply Chain
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026
- **Vector:** Supply Chain Attack / Software Package Repository Poisoning
- **Details:** TeamPCP gained unauthorized access to the LiteLLM project on PyPI and uploaded malicious versions 1.82.7 and 1.82.8.
### Lateral Movement
- **Mechanism:** The malware targeted developer workstations and CI/CD runners. Once a poisoned version was installed or updated, the malware ran locally with the installing user's permissions and swept the file system for credentials that could be used to pivot into cloud infrastructure (AWS, Azure, GCP).
### Data Exfiltration/Impact
- **Details:** The malware systematically harvested SSH keys, cloud provider credentials, Docker configurations, `.env` files, shell history, and AI agent memory stores containing plaintext secrets.
### Detection & Response
- **Discovery:** The malicious uploads were detected within hours (the source does not say what triggered detection).
- **Response Actions:** PyPI administrators removed the malicious packages (1.82.7 and 1.82.8) shortly after detection to stop further infections.
## Attack Methodology
- **Initial Access:** Poisoned PyPI packages (LiteLLM v1.82.7/1.82.8).
- **Persistence:** No separate persistence mechanism is described. The payload ran during package installation/update, which on CI/CD runners means it re-executed on every build that resolved the poisoned version.
- **Privilege Escalation:** Not explicitly required; the malware operated with the permissions of the developer or service account running the installation.
- **Defense Evasion:** Leveraged trusted supply chain channels and transitive dependencies (infecting users who didn't directly install LiteLLM but used packages like `dspy` or `crawl4ai`).
- **Credential Access:** Searching for plaintext secrets in standard directories (e.g., `~/.aws/credentials`).
- **Discovery:** Scanned filesystem for `.env` files, IDE settings, and terminal history.
- **Lateral Movement:** Used stolen cloud/SSH credentials to access broader enterprise infrastructure.
- **Collection:** Harvesting sensitive configuration files and environment variables.
- **Exfiltration:** Sending harvested credentials to actor-controlled infrastructure.
- **Impact:** Massive credential exposure and potential for full cloud environment compromise.
## Impact Assessment
- **Financial:** Not disclosed, but involves high remediation costs for rotating thousands of credentials.
- **Data Breach:** The report cites 33,185+ unique secrets; that figure is drawn from historical trends the report discusses, not a confirmed count for this incident.
- **Operational:** Significant disruption to CI/CD pipelines and developer workflows during cleanup.
- **Reputational:** Impacted trust in LiteLLM and the broader Python AI ecosystem.
## Indicators of Compromise
- **Network indicators:** Outbound traffic to TeamPCP command-and-control infrastructure; the source names no addresses or domains, so no candidate network indicator should be treated as confirmed.
- **File indicators:** LiteLLM versions 1.82.7 and 1.82.8.
- **Behavioral indicators:** Unexpected outbound connections from developer workstations or CI/CD runners during `pip install` operations; `pip` or `python` processes reading `~/.ssh`, `~/.aws`, `.env` files, or shell history during installation.
## Response Actions
- **Containment:** Removal of malicious versions from PyPI.
- **Eradication:** Removal of the poisoned versions from local environments and CI images (including virtualenvs and the pip download cache, which can hold the poisoned wheel for reinstall) and audit of developer machines.
- **Recovery:** Global rotation of all potentially exposed credentials (AWS keys, SSH keys, GitHub tokens).
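The file indicator above (LiteLLM 1.82.7 / 1.82.8) and the eradication step are easiest to act on with a script that checks every environment the same way. The following is an added example, not code from the report or from the LiteLLM project. It flags the two poisoned versions among installed distributions, identifies which other installed packages declare `litellm` as a dependency (the transitive path the report describes through packages such as `dspy`), and checks `==` pins in a requirements file. The `Dist` records in `demo()` and the requirements text are constructed stand-ins so the logic runs offline; `installed_dists()` is what a real audit run would feed into `audit()`.

```python
"""Audit a Python environment for the poisoned LiteLLM releases (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from importlib import metadata

# Versions the report names as malicious.
AFFECTED: dict[str, set[str]] = {"litellm": {"1.82.7", "1.82.8"}}


@dataclass
class Dist:
    name: str
    version: str
    requires: list[str] = field(default_factory=list)


def normalize(name: str) -> str:
    """PEP 503 name normalization: 'LiteLLM' and 'lite_llm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req: str) -> str:
    """Strip specifiers, extras and markers: 'litellm[proxy]>=1.0; extra == "all"' -> 'litellm'."""
    return normalize(re.split(r"[\s\[<>=!~;(]", req, maxsplit=1)[0])


def installed_dists() -> list[Dist]:
    """Snapshot the live environment (what a real audit would pass to audit())."""
    return [
        Dist(d.metadata["Name"], d.version, list(d.requires or []))
        for d in metadata.distributions()
    ]


def audit(dists: list[Dist]) -> tuple[list[Dist], dict[str, list[str]]]:
    """Return (affected distributions, {affected name: [packages that require it]})."""
    hits = [
        d for d in dists
        if normalize(d.name) in AFFECTED and d.version in AFFECTED[normalize(d.name)]
    ]
    dependents: dict[str, list[str]] = {}
    for d in dists:
        for req in d.requires:
            target = requirement_name(req)
            if target in AFFECTED:
                dependents.setdefault(target, []).append(normalize(d.name))
    return hits, {k: sorted(v) for k, v in dependents.items()}


def check_pins(requirements_text: str) -> list[str]:
    """Flag '==' pins on affected versions in a requirements/constraints file."""
    flagged = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*([^\s\\;]+)", line)
        if m and normalize(m.group(1)) in AFFECTED and m.group(2) in AFFECTED[normalize(m.group(1))]:
            flagged.append(f"{m.group(1)}=={m.group(2)}")
    return flagged


def demo() -> tuple[list[str], dict[str, list[str]], list[str]]:
    """Constructed environment: litellm 1.82.7 pulled in by dspy; requests is unrelated."""
    env = [
        Dist("LiteLLM", "1.82.7", ["openai>=1.0", "tiktoken"]),
        Dist("dspy", "2.5.0", ["litellm>=1.0", "requests"]),
        Dist("requests", "2.31.0", []),
    ]
    hits, dependents = audit(env)
    pins = check_pins("requests==2.31.0\nlitellm==1.82.8  # constructed pin\n")
    return [f"{h.name}=={h.version}" for h in hits], dependents, pins


if __name__ == "__main__":
    print(demo())
    # To audit the interpreter this runs under: print(audit(installed_dists()))
```

Run it once per virtualenv and once inside each CI image; a runner that resolves `litellm` only through a transitive requirement will show up in the `dependents` map even when no requirements file mentions it.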
## Lessons Learned
- **Transitive Dependency Risk:** Organizations were compromised through secondary packages (`dspy`, `opik`), showing that securing direct dependencies is insufficient.
- **Endpoint Vulnerability:** Developer workstations are "credential vaults" that lack the security controls typically found on production servers.
- **Secret Proliferation:** A single secret often exists in multiple locations on one machine (average of 8), making manual cleanup nearly impossible.
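The proliferation lesson above (one secret, many copies) and the local secrets-scanning recommendation in the next section call for the same kind of tool. The following is an added example, not code from the report and not ggshield. It scans the kinds of files the report says the malware harvested (cloud credential files, `.env` files, shell history, SSH keys), fingerprints every secret value with a hash so values are never printed, and reports how many distinct locations hold the same secret. `demo()` builds a constructed home directory in a temp folder; the AWS values in it are the placeholders AWS uses in its own documentation, and the private key body is base64 of the word PLACEHOLDER, not key material.

```python
"""Inventory plaintext secrets on a developer machine and measure proliferation (added example)."""
from __future__ import annotations

import hashlib
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----[\s\S]+?-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
}
# KEY=value style lines in .env files, shell history and INI-style credential files.
ENV_ASSIGN = re.compile(
    r"^\s*(?:export\s+)?([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)\s*=\s*['\"]?([^'\"\s#]+)",
    re.I | re.M,
)
MAX_BYTES = 1_000_000  # skip large binaries; the files of interest are small text files


@dataclass(frozen=True)
class Finding:
    kind: str
    location: str
    value: str


def scan_text(text: str, location: str) -> list[Finding]:
    """Run every pattern over one file's contents."""
    found = [Finding(k, location, m.group(0)) for k, rx in PATTERNS.items() for m in rx.finditer(text)]
    found += [Finding(f"assignment:{m.group(1)}", location, m.group(2)) for m in ENV_ASSIGN.finditer(text)]
    return found


def scan_tree(root: Path) -> list[Finding]:
    """Walk a directory (for real use: the home directory) and scan readable text files."""
    findings: list[Finding] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.stat().st_size > MAX_BYTES:
            continue
        text = p.read_text(encoding="utf-8", errors="ignore")
        findings += scan_text(text, p.relative_to(root).as_posix())
    return findings


def proliferation(findings: list[Finding]) -> dict[str, list[str]]:
    """Map a short hash of each secret value to the sorted locations holding it."""
    by_fp: dict[str, set[str]] = {}
    for f in findings:
        fp = hashlib.sha256(f.value.encode()).hexdigest()[:12]
        by_fp.setdefault(fp, set()).add(f.location)
    return {fp: sorted(locs) for fp, locs in by_fp.items()}


# Constructed home directory: the same AWS documentation placeholder key in three places.
CONSTRUCTED_HOME = {
    ".aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "project/.env": "OPENAI_API_KEY=sk-constructed-placeholder-0000\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    ".bash_history": "ls\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    ".ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END OPENSSH PRIVATE KEY-----\n",
}


def demo() -> dict[str, list[str]]:
    """Write the constructed files to a temp dir, scan it, and return the proliferation map."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        for rel, body in CONSTRUCTED_HOME.items():
            (home / rel).parent.mkdir(parents=True, exist_ok=True)
            (home / rel).write_text(body)
        return proliferation(scan_tree(home))


if __name__ == "__main__":
    for fp, locations in demo().items():
        print(f"{fp}  copies={len(locations)}  {locations}")
```

The output lists fingerprints, not values, so it can be pasted into a ticket; the access key shows three copies (credentials file, `.env`, shell history), which is the pattern that makes a single rotation insufficient unless every copy is found. Hashing a secret with bare SHA-256 is fine for correlation on one machine but is not a safe way to publish fingerprints of low-entropy secrets such as passwords.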
## Recommendations
- **Secrets Scanning:** Implement continuous local scanning of developer machines using tools like `ggshield` to find and remove plaintext secrets.
- **Dependency Pinning:** Use lockfiles and private mirrors to vet packages before they enter the internal ecosystem.
- **Short-lived Credentials:** Shift from static cloud keys to short-lived, identity-based tokens (e.g., IAM Roles for Service Accounts).
- **Environment Isolation:** Use containers or ephemeral environments for development so that install-time code cannot reach the primary host filesystem (`~/.ssh`, `~/.aws`); the isolation is only effective if the host home directory and credential files are not mounted into the container.
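The dependency pinning recommendation above is concrete only when the pin includes an artifact hash, because a version pin alone is satisfied by whatever PyPI serves under that version. The following is an added example, not code from the report or from pip. It parses the `name==version --hash=sha256:...` format that `pip-compile --generate-hashes` writes and `pip install --require-hashes` enforces, and re-implements the core check: an artifact may be installed only if its name is pinned to exactly one version and its SHA-256 matches a recorded hash; anything unpinned or hashless is refused outright. The same check is what a private mirror should run before admitting a release. The lockfile text and artifact bytes are constructed placeholders, and `verify_artifact` is a name chosen for this example.

```python
"""Verify package artifacts against a hash-pinned requirements file (added example)."""
from __future__ import annotations

import hashlib
import re


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lock(text: str) -> dict[str, tuple[str, set[str]]]:
    """Return {normalized name: (pinned version, {sha256 hex digests})}.

    Any requirement that is not an exact '==' pin with at least one hash is a
    hard error, mirroring what --require-hashes does for the whole file.
    """
    lock: dict[str, tuple[str, set[str]]] = {}
    for line in text.replace("\\\n", " ").splitlines():  # join backslash continuations
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\S+)", tokens[0])
        if not m:
            raise ValueError(f"not an exact pin: {tokens[0]}")
        hashes: set[str] = set()
        for tok in tokens[1:]:
            h = re.fullmatch(r"--hash=sha256:([0-9a-f]{64})", tok)
            if not h:
                raise ValueError(f"unsupported option in lock: {tok}")
            hashes.add(h.group(1))
        if not hashes:
            raise ValueError(f"no hash recorded for {m.group(1)}")
        lock[normalize(m.group(1))] = (m.group(2), hashes)
    return lock


def verify_artifact(lock: dict[str, tuple[str, set[str]]], name: str, version: str,
                    artifact: bytes) -> tuple[bool, str]:
    """Decide whether a downloaded wheel/sdist may be installed."""
    entry = lock.get(normalize(name))
    if entry is None:
        return False, f"{name} is not in the lock; refusing unpinned install"
    pinned_version, hashes = entry
    if version != pinned_version:
        return False, f"{name} {version} is not the pinned {pinned_version}"
    digest = hashlib.sha256(artifact).hexdigest()
    if digest not in hashes:
        return False, f"{name} {version}: sha256 {digest[:12]}... does not match lock"
    return True, "ok"


# Constructed artifact and lockfile: the hash is computed from the placeholder bytes,
# which is exactly what pip-compile would record for a real wheel.
GOOD_ARTIFACT = b"placeholder bytes standing in for litellm-1.82.6-py3-none-any.whl"
GOOD_HASH = hashlib.sha256(GOOD_ARTIFACT).hexdigest()
ZERO_HASH = "0" * 64  # placeholder digest for a package this example never verifies
LOCK = f"""\
# produced by: pip-compile --generate-hashes requirements.in  (constructed example)
litellm==1.82.6 \\
    --hash=sha256:{GOOD_HASH}
requests==2.31.0 \\
    --hash=sha256:{ZERO_HASH}
"""


def demo() -> list[tuple[bool, str]]:
    """Four install attempts against the constructed lock: only the first is allowed."""
    lock = parse_lock(LOCK)
    return [
        verify_artifact(lock, "LiteLLM", "1.82.6", GOOD_ARTIFACT),              # matches
        verify_artifact(lock, "litellm", "1.82.6", GOOD_ARTIFACT + b"\x00"),    # tampered bytes
        verify_artifact(lock, "litellm", "1.82.7", GOOD_ARTIFACT),              # poisoned version
        verify_artifact(lock, "crawl4ai", "0.4.0", b"anything"),               # not pinned at all
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("ALLOW" if ok else "BLOCK", reason)
```

With this in place a poisoned 1.82.7 cannot be resolved by a build: the version differs from the pin, and even a re-upload under the pinned version number would fail the hash check. The cost is that every upgrade is an explicit lockfile change, which is where the review of a new release belongs.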