The LiteLLM PyPI Supply Chain Attack: 95M Downloads Compromised in AI Infrastructure Breach
The LiteLLM PyPI Supply Chain Attack: A Critical Wake-Up Call for AI Infrastructure Security
Executive Summary
On March 24, 2026, the popular Python package litellm—a critical AI gateway library with over 95 million downloads—was compromised in a sophisticated supply chain attack. Threat actor TeamPCP published two malicious versions (1.82.7 and 1.82.8) containing credential-stealing malware, Kubernetes lateral movement toolkits, and persistent backdoors. This attack represents a significant escalation in the ongoing campaign targeting security tools and developer infrastructure.
The Attack Chain
The compromise appears to have originated from the maintainer’s use of Trivy—a security scanner from Aqua Security—in their CI/CD workflow. TeamPCP had previously compromised Trivy in mid-March 2026, gaining access to credentials that eventually led to the LiteLLM breach.
Key Attack Vectors:
- Version 1.82.7: Malicious code embedded in litellm/proxy/proxy_server.py
  - Executes when the module is imported
  - Triggers credential harvesting without user interaction
- Version 1.82.8: Added litellm_init.pth file + enhanced payload
  - .pth files execute automatically on every Python process startup
  - No import required—affects any Python environment
  - Spawns background processes via subprocess.Popen
What the Malware Does
The payload implements a three-stage attack:
Stage 1: Credential Harvesting
- SSH keys (public and private)
- Cloud credentials (AWS, GCP, Azure access keys)
- Kubernetes secrets and service account tokens
- Cryptocurrency wallets (crypto keys and seed phrases)
- Environment files (.env, configuration files)
- Database passwords and SSL private keys
- Shell history and CI/CD configuration files
Stage 2: Kubernetes Lateral Movement
- Enumerates all nodes in Kubernetes clusters
- Deploys privileged pods to every node
- Chroots into host filesystems
- Installs persistence mechanisms across the cluster
Stage 3: Persistent Backdoor
- Creates sysmon.service systemd user service
- Polls checkmarx[.]zone/raw every 50 minutes
- Fetches next-stage payloads dynamically
- Contains kill switch (aborts if URL contains youtube[.]com)
Exfiltration and C2 Infrastructure
Stolen data is:
- Encrypted: AES-256-CBC + RSA-4096 (hardcoded public key)
- Archived: Packaged into tpcp.tar.gz
- Exfiltrated: HTTPS POST to models.litellm[.]cloud
Notably, the exfiltration domain litellm.cloud (not the official litellm.ai) was registered just hours before the attack via Spaceship, Inc. on March 23, 2026.
Impact Assessment
- 95+ million downloads: LiteLLM is a fundamental dependency for AI/ML pipelines
- Automatic execution: .pth files trigger without user interaction
- Kubernetes compromise: Cloud-native infrastructure at risk
- Credential theft: Potentially thousands of environments compromised
TeamPCP’s Escalating Campaign
This attack is part of TeamPCP’s coordinated campaign across five ecosystems:
- GitHub Actions (Trivy, KICS, Checkmarx)
- Docker Hub (malicious container images)
- npm (JavaScript packages)
- Open VSX (VSCode extensions)
- PyPI (Python packages)
In their Telegram messages, TeamPCP stated: “These companies were built to protect your supply chains yet they can’t even protect their own… we’re gonna be around for a long time stealing terrabytes [sic] of trade secrets with our new partners.”
Response and Remediation
Immediate Actions Taken:
- PyPI removed the malicious packages
- All maintainer accounts rotated
- Package suspended pending security review
- Google Mandiant engaged for incident response
Recommendations for Affected Organizations:
- Audit Environments:
  - Check for litellm versions 1.82.7 or 1.82.8
  - Search for litellm_init.pth in site-packages directories
  - Scan for rogue Kubernetes pods
- Containment:
  - Isolate affected hosts immediately
  - Review network logs for traffic to models.litellm[.]cloud and checkmarx[.]zone
  - Remove persistence mechanisms (sysmon.service)
- Recovery:
  - Rotate ALL credentials present on compromised systems
  - Revoke exposed cloud access keys
  - Reset Kubernetes service account tokens
  - Change database passwords
- Prevention:
  - Pin dependencies to exact versions
  - Verify PyPI packages against GitHub releases
  - Implement artifact signing and verification
  - Maintain internal package mirrors
  - Audit CI/CD pipelines for vulnerable security tools
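The audit step above, as an added example (not code from the article or the LiteLLM project): it walks a site-packages directory, reports litellm installs at the two malicious versions, flags litellm_init.pth, and flags any .pth line that the interpreter would execute at startup. The version strings and file name come from the advisory; the directory layout used in the comments is standard dist-info metadata.

```python
"""Audit a site-packages directory for indicators of the litellm 1.82.7/1.82.8 compromise."""
from __future__ import annotations

import re
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}          # malicious releases named in the advisory
BAD_PTH_NAME = "litellm_init.pth"            # file dropped by litellm 1.82.8
# site.py executes any .pth line that begins with "import" followed by a space or tab;
# plain path lines are only appended to sys.path and are harmless.
EXEC_PTH_LINE = re.compile(r"^import[ \t]")


def litellm_versions(site_packages: Path) -> list[str]:
    """Return the version of every litellm distribution found under site_packages."""
    versions = []
    for meta in site_packages.glob("litellm-*.dist-info/METADATA"):
        for line in meta.read_text(encoding="utf-8", errors="replace").splitlines():
            if line.startswith("Version:"):
                versions.append(line.split(":", 1)[1].strip())
                break
    return versions


def executable_pth_lines(pth: Path) -> list[str]:
    """Return the lines of a .pth file that would run code on interpreter startup."""
    text = pth.read_text(encoding="utf-8", errors="replace")
    return [ln for ln in text.splitlines() if EXEC_PTH_LINE.match(ln)]


def audit(site_packages: Path) -> list[str]:
    """Return human-readable findings for one site-packages directory (empty list = clean).

    Executable .pth lines are reported for review, not as proof of compromise: setuptools
    and editable installs use the same mechanism legitimately, so compare against a
    known-good baseline of the environment.
    """
    findings = []
    for version in litellm_versions(site_packages):
        if version in BAD_VERSIONS:
            findings.append(f"litellm {version} installed (known-malicious release)")
    for pth in sorted(site_packages.glob("*.pth")):
        if pth.name == BAD_PTH_NAME:
            findings.append(f"{pth.name}: known indicator from litellm 1.82.8")
        for ln in executable_pth_lines(pth):
            findings.append(f"{pth.name}: executes code at startup: {ln[:60]}")
    return findings


if __name__ == "__main__":
    import sys, sysconfig
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(sysconfig.get_paths()["purelib"])
    for finding in audit(target) or ["no indicators found"]:
        print(finding)
```

Run it once per interpreter and virtual environment on the host, since each has its own site-packages and .pth files.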
The Bigger Picture: Supply Chain Collapse
As Gal Nagli from Wiz noted: “The open source supply chain is collapsing in on itself. Trivy gets compromised → LiteLLM gets compromised → credentials from tens of thousands of environments end up in attacker hands → and those credentials lead to the next compromise. We are stuck in a loop.”
Key Takeaways
- Trust but Verify: Source code review ≠ artifact review. GitHub repos were clean; PyPI artifacts were malicious.
- Automation Risk: Security tools in CI/CD pipelines create attack vectors when compromised.
- Defense in Depth: Single points of failure (maintainer accounts) enable cascading breaches.
- Kill Chains: Modern attacks leverage multiple stages (credential theft → lateral movement → persistence).
- Ecosystem Impact: Attacks on foundational packages create exponential downstream damage.
Looking Forward
The LiteLLM attack demonstrates that AI infrastructure has become a prime target. As organizations rush to adopt LLM technologies, they must simultaneously harden their security postures. Supply chain attacks are no longer theoretical—they’re actively exploiting the trust relationships that power modern software development.
The age of blind trust in open source packages is over. Organizations must implement rigorous verification, monitoring, and isolation strategies to survive in this new threat landscape.
Article compiled from technical analyses by Endor Labs, JFrog, The Hacker News, and the official LiteLLM GitHub security advisory. Published March 25, 2026.