LiteLLM is the latest victim of TeamPCP’s open-source attack spree. Malicious versions 1.82.7 and 1.82.8 abuse Python’s .pth mechanism for stealthy persistence. The malware exfiltrates cloud credentials, CI/CD secrets, and keys to attacker-controlled domains.
# Incident Report: TeamPCP Supply Chain Attack on LiteLLM
## Executive Summary
LiteLLM, a popular open-source Python library used in approximately 36% of cloud environments, was targeted in a supply chain attack by the threat actor "TeamPCP." Malicious versions (1.82.7 and 1.82.8) were published to PyPI, containing malware designed to exfiltrate cloud credentials, CI/CD secrets, and environment variables. The attack was quickly contained by PyPI, but it highlights a persistent campaign by TeamPCP against the open-source ecosystem.
## Incident Details
- **Discovery Date:** March 24, 2026
- **Incident Date:** March 24, 2026
- **Affected Organization:** Users of LiteLLM (Maintainers: LiteLLM Open Source Project)
- **Sector:** Technology / Artificial Intelligence / Software Development
- **Geography:** Global (PyPI Distribution)
## Timeline of Events
### Initial Access
- **Date/Time:** March 24, 2026, 08:30 UTC
- **Vector:** Supply Chain Compromise (Credential Theft)
- **Details:** Attackers gained access to the LiteLLM PyPI account using an API token exposed during a previous TeamPCP incident involving the "Trivy" project.
### Lateral Movement
- **Details:** The malware targets the host environment once the malicious package is installed, seeking to move from the application layer to the cloud infrastructure layer by harvesting provider credentials (AWS, GCP, Azure).
### Data Exfiltration/Impact
- **Details:** Collected data included environment variables, SSH keys, cloud provider credentials, Kubernetes configurations, CI/CD secrets, Docker configs, and cryptocurrency wallets. Data was encrypted (AES-256 + RSA) and exfiltrated to attacker domains.
### Detection & Response
- **How it was discovered:** Detected through monitoring by security researchers and PyPI maintainers.
- **Response actions taken:** PyPI quarantined the malicious packages at 11:25 UTC (approx. 3 hours after upload). Security advisories (PYSEC-2026-2) were issued.
## Attack Methodology
- **Initial Access:** Hijacked PyPI account via leaked API credentials.
- **Persistence:** Abused Python’s `.pth` file mechanism (`litellm_init.pth`) to execute code every time the Python interpreter starts.
- **Privilege Escalation:** Not explicitly stated, though the malware seeks high-value credentials to gain administrative cloud access.
- **Defense Evasion:** Used double Base64-encoded payloads via subprocesses to bypass static string inspection.
- **Credential Access:** Automated harvesting of `.aws/credentials`, `.kube/config`, and environment variables.
- **Discovery:** Scanned host for CI/CD configuration files and database credentials.
- **Lateral Movement:** Usage of stolen SSH keys and cloud tokens to access broader infrastructure.
- **Collection:** Automated gathering of secrets, tokens, and wallet files.
- **Exfiltration:** Data sent to `checkmarx[.]zone` and `models[.]litellm[.]cloud`.
- **Impact:** Potential full compromise of cloud environments and CI/CD pipelines for 36% of analyzed cloud users.
## Impact Assessment
- **Financial:** High potential loss due to stolen cryptocurrency and potential cloud resource hijacking; exact figures not disclosed.
- **Data Breach:** High; widespread theft of sensitive identity and access management (IAM) secrets.
- **Operational:** Package was quarantined quickly, minimizing long-term deployment impact, but remediation for infected hosts is intensive.
- **Reputational:** Significant impact on trust for LiteLLM and broader PyPI ecosystem dependencies.
## Indicators of Compromise
- **Network:**
  - `checkmarx[.]zone`
  - `models[.]litellm[.]cloud`
- **File:**
  - `litellm_init.pth`
  - `p.py`
- **Versions:**
  - `litellm == 1.82.7`
  - `litellm == 1.82.8`
## Response Actions
- **Containment:** PyPI quarantined malicious versions within 3 hours.
- **Eradication:** Revocation of the compromised API token used for the upload.
- **Recovery:** Users advised to roll back to version 1.82.6 and rotate all secrets that may have been present on infected machines.
## Lessons Learned
- **Credential Hygiene:** An API key leaked in a previous attack (Trivy) was reused or remained valid, allowing this subsequent attack.
- **Persistence Innovation:** The use of `.pth` files is an effective, stealthy persistence mechanism that many host-based security tools may miss.
- **Speed of Attack:** The time from package upload to automated exfiltration is seconds, while detection/quarantine took 3 hours.
## Recommendations
- **Rotate Credentials:** Immediately rotate any API keys, AWS/Azure/GCP secrets, or SSH keys present on systems where LiteLLM 1.82.7 or 1.82.8 was installed.
- **Dependency Pinning:** Use `requirements.txt` with hashes (e.g., `pip-compile`) to prevent automatic updates to malicious versions.
- **Monitoring:** Implement monitoring for unauthorized outbound traffic to unknown domains from CI/CD runners and production containers.
- **Audit .pth files:** Regularly audit Python `site-packages` directories for unexpected `.pth` files.
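
One way to carry out the `.pth` audit recommended above, as an added example that is not part of the original report or of any LiteLLM or PyPI tooling. It flags the file name and versions listed under Indicators of Compromise and, more generally, every `.pth` line that Python's `site` module would execute at startup; the function names and finding labels are illustrative choices.

```python
"""Audit site-packages for .pth files that run code at interpreter startup."""
import site
import sys
import sysconfig
from pathlib import Path

# Values taken from the report above.
IOC_PTH_NAMES = {"litellm_init.pth"}
BAD_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}


def exec_lines(pth_path):
    """Return the lines of a .pth file that site.py would exec() at startup.

    site.py executes any line starting with 'import' followed by a space or
    tab; every other non-comment line is only appended to sys.path.
    """
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    return [ln.strip() for ln in text.splitlines()
            if ln.startswith(("import ", "import\t"))]


def audit_dir(site_dir):
    """Return (path, kind, detail) findings for one site-packages directory."""
    root, findings = Path(site_dir), []
    for pth in sorted(root.glob("*.pth")):
        if pth.name in IOC_PTH_NAMES:
            findings.append((str(pth), "ioc-filename", pth.name))
        for line in exec_lines(pth):
            findings.append((str(pth), "executable-line", line[:120]))
    for meta in sorted(root.glob("litellm-*.dist-info")):
        version = meta.name[len("litellm-"):-len(".dist-info")]
        if version in BAD_LITELLM_VERSIONS:
            findings.append((str(meta), "flagged-version", version))
    return findings


def default_site_dirs():
    """Site-packages directories of the interpreter running this script."""
    dirs = set(site.getsitepackages()) | {site.getusersitepackages(),
                                          sysconfig.get_paths()["purelib"]}
    return sorted(d for d in dirs if Path(d).is_dir())


if __name__ == "__main__":
    targets = sys.argv[1:] or default_site_dirs()
    hits = [f for d in targets for f in audit_dir(d)]
    for path, kind, detail in hits:
        print(f"{kind:16} {path}: {detail}")
    sys.exit(1 if hits else 0)
```

Legitimate packages also ship executable `.pth` lines (setuptools' `distutils-precedence.pth` and some editable installs, for example), so treat `executable-line` hits as items to compare against a known-good baseline. Pass the directories to audit as arguments and run the script with `python -S`, which skips `site` processing so the auditing interpreter does not itself execute the files under review.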