TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 Likely via Trivy CI/CD Compromise

Summary

TeamPCP, the threat actor behind previous Trivy and KICS compromises, has compromised the popular LiteLLM Python package, injecting malicious code into versions 1.82.7 and 1.82.8 published on PyPI. The payload includes a three-stage attack: a credential harvester targeting SSH keys, cloud credentials, Kubernetes secrets, and wallets; a Kubernetes lateral movement toolkit; and a persistent systemd backdoor. The attack likely originated from LiteLLM's use of the compromised Trivy tool in its CI/CD pipeline, demonstrating a cascading supply chain compromise affecting multiple security and developer infrastructure ecosystems.

Full text

TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 Likely via Trivy CI/CD Compromise Ravie LakshmananMar 24, 2026Cloud Security / Malware TeamPCP, the threat actor behind the recent compromises of Trivy and KICS, has now compromised a popular Python package named litellm, pushing two malicious versions containing a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor. Multiple security vendors, including Endor Labs and JFrog, revealed that litellm versions 1.82.7 and 1.82.8 were published on March 24, 2026, likely stemming from the package's use of Trivy in their CI/CD workflow. Both the backdoored versions have since been removed from PyPI. "The payload is a three-stage attack: a credential harvester sweeping SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files; a Kubernetes lateral movement toolkit deploying privileged pods to every node; and a persistent systemd backdoor (sysmon.service) polling 'checkmarx[.]zone/raw' for additional binaries," Endor Labs researcher Kiran Raj said. As observed in previous cases, the harvested data is exfiltrated as an encrypted archive ("tpcp.tar.gz") to a command-and-control domain named "models.litellm[.]cloud" via an HTTPS POST request. In the case of 1.82.7, the malicious code is embedded in the "litellm/proxy/proxy_server.py" file, with the injection performed during or after the wheel build process. The code is engineered to be executed at module import time, such that any process that imports "litellm.proxy.proxy_server" triggers the payload without requiring any user interaction. The next iteration of the package adds a "more aggressive vector" by incorporating a malicious "litellm_init.pth" at the wheel root, causing the logic to be executed automatically on every Python process startup in the environment, not just when litellm is imported. Another aspect that makes 1.82.8 more dangerous is the fact that the .pth launcher spawns a child Python process via subprocess.Popen, which allows the payload to be run in the background. "Python .pth files placed in site-packages are processed automatically by site.py at interpreter startup," Endor Labs said. "The file contains a single line that imports a subprocess and launches a detached Python process to decode and execute the same Base64 payload." The payload decodes to an orchestrator that unpacks a credential harvester and a persistence dropper. The harvester also leverages the Kubernetes service account token (if present) to enumerate all nodes in the cluster and deploy a privileged pod to each one of them. The pod then chroots into the host file system and installs the persistence dropper as a systemd user service on every node. The systemd service is configured to launch a Python script ("~/.config/sysmon/sysmon.py") – the same name used in the Trivy compromise – that reaches out to "checkmarx[.]zone/raw" every 50 minutes to fetch a URL pointing to the next-stage payload. If the URL contains youtube[.]com, the script aborts execution – a kill switch pattern common to all the incidents observed so far. "This campaign is almost certainly not over," Endor Labs said. "TeamPCP has demonstrated a consistent pattern: each compromised environment yields credentials that unlock the next target. The pivot from CI/CD (GitHub Actions runners) to production (PyPI packages running in Kubernetes clusters) is a deliberate escalation." With the latest development, TeamPCP has waged a relentless supply chain attack campaign that has spawned five ecosystems, including GitHub Actions, Docker Hub, npm, Open VSX, and PyPI, to expand its targeting footprint and bring more and more systems into its control. "TeamPCP is escalating a coordinated campaign targeting security tools and open source developer infrastructure, and is now openly taking credit for multiple follow-on attacks across ecosystems," Socket said. "This is a sustained operation targeting high-leverage points in the software supply chain." In a message posted on their Telegram channel, TeamPCP said: "These companies were built to protect your supply chains yet they can't even protect their own, the state of modern security research is a joke, as a result we're gonna be around for a long time stealing terrabytes [sic] of trade secrets with our new partners." "The snowball effect from this will be massive, we are already partnering with other teams to perpetuate the chaos, many of your favourite security tools and open-source projects will be targeted in the months to come so stay tuned," the threat actor added. Users are advised to perform the following actions to contain the threat - Audit all environments for litellm versions 1.82.7 or 1.82.8, and if found, revert to a clean version Isolate affected hosts Check for the presence of rogue pods in Kubernetes clusters Review network logs for egress traffic to "models.litellm[.]cloud" and "checkmarx[.]zone" Remove the persistence mechanisms Audit CI/CD pipelines for usage of tools like Trivy and KICS during the compromise windows Revoke and rotate all exposed credentials "The open source supply chain is collapsing in on itself," Gal Nagli, head of threat exposure at Google-owned Wiz, said in a post on X. "Trivy gets compromised → LiteLLM gets compromised → credentials from tens of thousands of environments end up in attacker hands → and those credentials lead to the next compromise. We are stuck in a loop." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  CI/CD Security, Cloud security, cybersecurity, Kubernetes, Malware, Open Source, Python, supply chain attack Trending News FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures

Indicators of Compromise

• domain — models.litellm[.]cloud
• domain — checkmarx[.]zone
• malware — TeamPCP
• malware — sysmon.service