Critical Flaw in LiteLLM Python Package Exposes Data
Key Takeaways
- A sophisticated supply chain attack has compromised versions 1.82.7 and 1.82.8 of the widely used LiteLLM Python package.
- The malicious code, injected by the threat actor TeamPCP, allows for extensive credential harvesting, lateral movement in Kubernetes, and persistent backdoor access.
- The attack bypasses traditional security by injecting directly into PyPI distributions, rather than the upstream GitHub repository.
- Organizations using affected versions must immediately assume a full breach and take aggressive mitigation steps, including credential rotation.
Critical Backdoor Discovered in LiteLLM Python Package
Cybersecurity researchers from Endor Labs and JFrog have identified a critical supply chain compromise affecting the LiteLLM Python library, a popular open-source tool with over 95 million monthly downloads that routes requests to various large language model (LLM) providers. Malicious code was found embedded within specific versions of the package distributed via the Python Package Index (PyPI), enabling a sophisticated multi-stage attack.
The attack is attributed to TeamPCP, a threat actor group with a history of targeting highly privileged developer and security tools. Notably, the malicious code was injected directly into the PyPI distribution, circumventing the clean upstream GitHub repository, a common tactic in supply chain attacks.
Infection Vectors and Escalation
The compromise involved different infection mechanisms across the two affected versions:
- Version 1.82.7: Attackers inserted a 12-line base64-encoded payload into the `litellm/proxy/proxy_server.py` file. This code executed silently upon the module’s import.
- Version 1.82.8: This version escalated the threat by introducing a `litellm_init.pth` file into the root of the package wheel. Python automatically processes `.pth` files located in `site-packages` during interpreter startup. This ensured the payload executed as a background process with any Python invocation in the compromised environment, even if the `litellm` library was never explicitly imported by the developer’s code.
The last known clean version of the litellm package is 1.82.6.
| Package Name | Version | Publication Date | Injection Vector | Status |
|---|---|---|---|---|
| litellm | 1.82.7 | 2026-03-24 | proxy_server.py (import-time) | Removed |
| litellm | 1.82.8 | 2026-03-24 | proxy_server.py + litellm_init.pth (interpreter startup) | Removed |
Multi-Stage Attack Sequence and Exfiltration
Once executed, the malicious payload initiates an aggressive three-stage attack. An initial orchestrator script unpacks a comprehensive credential harvester designed to systematically sweep the compromised host. This harvester targets a wide array of sensitive data, including:
- SSH keys
- Cloud provider tokens (AWS, GCP, Azure)
- Database credentials
- Cryptocurrency wallets
Extracted secrets are encrypted using a hybrid AES-256-CBC and RSA-4096 scheme and then bundled into an archive named tpcp.tar.gz. This archive is subsequently exfiltrated to an attacker-controlled domain, models.litellm.cloud, which masquerades as a legitimate project resource.
Beyond credential theft, the malware attempts lateral movement within Kubernetes environments. If a Kubernetes service account token is detected, it rapidly enumerates all cluster nodes and deploys privileged alpine containers to each node using host-level access. These pods match the pattern node-setup-* in the kube-system namespace.
Finally, the malware establishes persistent access by dropping a systemd user service disguised as a system telemetry process (~/.config/systemd/user/sysmon.service). This backdoor continuously polls a secondary command-and-control server (checkmarx.zone/raw) to fetch and execute additional binaries, ensuring long-term control over the compromised system.
TeamPCP’s Broader Campaign
This breach is part of a broader, escalating supply chain campaign orchestrated by TeamPCP. Over the past month, the group has successfully compromised five separate ecosystems, including GitHub Actions, Docker Hub, npm, and OpenVSX. Their strategy involves deliberately targeting infrastructure and security-focused tools, such as Aqua Security’s Trivy and Checkmarx’s KICS. This ensures their payloads execute in highly privileged environments, which are typically rich with production secrets and sensitive data.
Key Indicators of Compromise (IoCs)
| Indicator | Type | Description |
|---|---|---|
| models.litellm.cloud | C2 Domain | Exfiltration endpoint for encrypted credential archives |
| checkmarx.zone/raw | C2 Endpoint | Payload delivery domain for the persistent backdoor |
| ~/.config/systemd/user/sysmon.service | Filesystem | Persistent systemd unit hiding the backdoor |
| tpcp.tar.gz | Archive | Named archive containing exfiltrated host data |
| node-setup-* | Kubernetes | Privileged attacker pods deployed in the kube-system namespace |
What You Should Do
Organizations utilizing the litellm package are urged to take immediate action:
- Audit Environments: Promptly scan and audit all development, staging, and production environments for the presence of `litellm` versions 1.82.7 or 1.82.8.
- Assume Breach: If either of the compromised versions is detected, treat the environment as fully breached.
- Credential Rotation: Initiate a comprehensive credential rotation protocol for all affected systems. This includes, but is not limited to, SSH keys, cloud provider API keys (AWS, GCP, Azure), database credentials, and any other secrets that may have been exposed.
- Check for IoCs: Scan systems for the presence of the identified Indicators of Compromise (IoCs) to detect signs of active compromise or persistence.
- Upgrade or Downgrade: Immediately upgrade to a patched version of `litellm` or downgrade to the last known clean version (1.82.6) if a patched version is not yet available.
- Enhanced Monitoring: Increase monitoring for suspicious network traffic, process activity, and file system changes in environments where `litellm` is used.
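The audit and IoC steps above, and the `.pth` startup mechanism described earlier, can be checked offline with the following added example (not code from the researchers or the LiteLLM project). It reads a `site-packages` tree as plain files and never imports `litellm`; the function names are illustrative. Run it from an interpreter outside the suspect environment or with `python3 -S`, which skips `site` and therefore `.pth` processing.

```python
import re
from pathlib import Path

# Indicators taken from this page.
BAD_VERSIONS = {"1.82.7", "1.82.8"}
PTH_IOC = "litellm_init.pth"
UNIT_IOC = Path(".config/systemd/user/sysmon.service")  # relative to a home dir

def litellm_version(site_packages):
    """Read the installed version from dist-info METADATA; nothing is imported."""
    for meta in Path(site_packages).glob("litellm-*.dist-info/METADATA"):
        m = re.search(r"^Version:\s*(\S+)", meta.read_text(errors="replace"), re.M)
        if m:
            return m.group(1)
    return None

def executable_pth_lines(site_packages):
    """Return (file, line_no) for .pth lines that site.py would exec at startup.

    site.py executes a .pth line when it starts with 'import' plus space or tab;
    other lines are only treated as paths.
    """
    hits = []
    for pth in sorted(Path(site_packages).glob("*.pth")):
        for n, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, n))
    return hits

def audit(site_packages, home):
    """List findings for one site-packages tree and one user's home directory."""
    sp, home = Path(site_packages), Path(home)
    findings = []
    version = litellm_version(sp)
    if version in BAD_VERSIONS:
        findings.append(f"litellm {version} installed (compromised release)")
    if (sp / PTH_IOC).exists():
        findings.append(f"{PTH_IOC} present in {sp}")
    for name, n in executable_pth_lines(sp):
        if name != PTH_IOC:  # legitimate tools also ship these; review by hand
            findings.append(f"review {name}:{n}: runs code at interpreter startup")
    if (home / UNIT_IOC).exists():
        findings.append(f"persistence unit present: {home / UNIT_IOC}")
    return findings

if __name__ == "__main__":
    import sys
    print("\n".join(audit(sys.argv[1], sys.argv[2])) or "no indicators found")
```

An empty result does not clear a host that ever ran an affected version; the page's guidance to assume breach and rotate credentials still applies.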
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


