Critical Flaw in LiteLLM Python Package Exposes Data

Marcus Rodriguez
March 25, 2026

Key Takeaways

  • A sophisticated supply chain attack has compromised versions 1.82.7 and 1.82.8 of the widely used LiteLLM Python package.
  • The malicious code, injected by the threat actor TeamPCP, allows for extensive credential harvesting, lateral movement in Kubernetes, and persistent backdoor access.
  • The attack bypasses traditional security by injecting directly into PyPI distributions, rather than the upstream GitHub repository.
  • Organizations using affected versions must immediately assume a full breach and take aggressive mitigation steps, including credential rotation.

Critical Backdoor Discovered in LiteLLM Python Package

Cybersecurity researchers from Endor Labs and JFrog have identified a critical supply chain compromise affecting the LiteLLM Python library, a popular open-source tool with over 95 million monthly downloads that routes requests to various large language model (LLM) providers. Malicious code was found embedded within specific versions of the package distributed via the Python Package Index (PyPI), enabling a sophisticated multi-stage attack.

The attack is attributed to TeamPCP, a threat actor group with a history of targeting highly privileged developer and security tools. Notably, the malicious code was injected directly into the PyPI distribution, circumventing the clean upstream GitHub repository, a common tactic in supply chain attacks.

Infection Vectors and Escalation

The compromise involved different infection mechanisms across the two affected versions:

  • Version 1.82.7: Attackers inserted a 12-line base64-encoded payload into the litellm/proxy/proxy_server.py file. This code executed silently upon the module’s import.
  • Version 1.82.8: This version escalated the threat by introducing a litellm_init.pth file into the root of the package wheel. Python automatically processes .pth files located in site-packages during interpreter startup. This ensured the payload executed as a background process with any Python invocation in the compromised environment, even if the litellm library was never explicitly imported by the developer’s code.

The last known clean version of the litellm package is 1.82.6.

| Package Name | Version | Publication Date | Injection Vector | Status |
|---|---|---|---|---|
| litellm | 1.82.7 | 2026-03-24 | proxy_server.py (import-time) | Removed |
| litellm | 1.82.8 | 2026-03-24 | proxy_server.py + litellm_init.pth (interpreter startup) | Removed |

Multi-Stage Attack Sequence and Exfiltration

Once executed, the malicious payload initiates an aggressive three-stage attack. An initial orchestrator script unpacks a comprehensive credential harvester designed to systematically sweep the compromised host. This harvester targets a wide array of sensitive data, including:

  • SSH keys
  • Cloud provider tokens (AWS, GCP, Azure)
  • Database credentials
  • Cryptocurrency wallets

Extracted secrets are encrypted using a hybrid AES-256-CBC and RSA-4096 scheme and then bundled into an archive named tpcp.tar.gz. This archive is subsequently exfiltrated to an attacker-controlled domain, models.litellm.cloud, which masquerades as a legitimate project resource.

Beyond credential theft, the malware attempts lateral movement within Kubernetes environments. If a Kubernetes service account token is detected, it rapidly enumerates all cluster nodes and deploys privileged alpine containers with host-level access to each node. These pods can be identified by the name pattern node-setup-* in the kube-system namespace.

Finally, the malware establishes persistent access by dropping a systemd user service disguised as a system telemetry process (~/.config/systemd/user/sysmon.service). This backdoor continuously polls a secondary command-and-control server (checkmarx.zone/raw) to fetch and execute additional binaries, ensuring long-term control over the compromised system.

TeamPCP’s Broader Campaign

This breach is part of a broader, escalating supply chain campaign orchestrated by TeamPCP. Over the past month, the group has successfully compromised five separate ecosystems, including GitHub Actions, Docker Hub, npm, and OpenVSX. Their strategy involves deliberately targeting infrastructure and security-focused tools, such as Aqua Security’s Trivy and Checkmarx’s KICS. This ensures their payloads execute in highly privileged environments, which are typically rich with production secrets and sensitive data.

Key Indicators of Compromise (IoCs)

| Indicator | Type | Description |
|---|---|---|
| models.litellm.cloud | C2 Domain | Exfiltration endpoint for encrypted credential archives |
| checkmarx.zone/raw | C2 Endpoint | Payload delivery domain for the persistent backdoor |
| ~/.config/systemd/user/sysmon.service | Filesystem | Persistent systemd unit hiding the backdoor |
| tpcp.tar.gz | Archive | Named archive containing exfiltrated host data |
| node-setup-* | Kubernetes | Privileged attacker pods deployed in the kube-system namespace |

What You Should Do

Organizations utilizing the litellm package are urged to take immediate action:

  • Audit Environments: Promptly scan and audit all development, staging, and production environments for the presence of litellm versions 1.82.7 or 1.82.8.
  • Assume Breach: If either of the compromised versions is detected, treat the environment as fully breached.
  • Credential Rotation: Initiate a comprehensive credential rotation protocol for all affected systems. This includes, but is not limited to, SSH keys, cloud provider API keys (AWS, GCP, Azure), database credentials, and any other secrets that may have been exposed.
  • Check for IoCs: Scan systems for the presence of the identified Indicators of Compromise (IoCs) to detect signs of active compromise or persistence.
  • Upgrade or Downgrade: Immediately upgrade to a patched version of litellm or downgrade to the last known clean version (1.82.6) if a patched version is not yet available.
  • Enhanced Monitoring: Increase monitoring for suspicious network traffic, process activity, and file system changes in environments where litellm is used.
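
The audit and IoC checks listed above can be scripted. The following is an added example, not code from the article, the researchers or the LiteLLM project: it checks a site-packages directory for the two compromised versions and the litellm_init.pth startup hook, and a home directory for the sysmon.service unit. The function names and the constructed sample environments built in demo() are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}   # compromised releases named in the article
PTH_NAME = "litellm_init.pth"         # startup hook shipped in 1.82.8
UNIT_PATH = Path(".config/systemd/user/sysmon.service")  # relative to $HOME

def installed_version(site_packages):
    """Read the litellm version from its dist-info METADATA, if installed."""
    for meta in site_packages.glob("litellm-*.dist-info/METADATA"):
        m = re.search(r"^Version:\s*(\S+)", meta.read_text(errors="replace"), re.M)
        if m:
            return m.group(1)
    return None

def audit(site_packages, home):
    """Return findings for one Python environment and one home directory."""
    findings = []
    version = installed_version(site_packages)
    if version in BAD_VERSIONS:
        findings.append(f"compromised litellm {version} installed")
    if (site_packages / PTH_NAME).exists():
        findings.append(f"{PTH_NAME} present in site-packages")
    if (home / UNIT_PATH).exists():
        findings.append(f"persistence unit {UNIT_PATH} present")
    return findings

def demo():
    """Build two constructed environments (clean, infected) and audit both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, version, infected in (("clean", "1.82.6", False),
                                        ("infected", "1.82.8", True)):
            sp = Path(tmp, name, "site-packages")
            home = Path(tmp, name, "home")
            dist = sp / f"litellm-{version}.dist-info"
            dist.mkdir(parents=True)
            (dist / "METADATA").write_text(f"Name: litellm\nVersion: {version}\n")
            if infected:  # constructed placeholders, no payload content
                (sp / PTH_NAME).write_text("# constructed placeholder\n")
                unit = home / UNIT_PATH
                unit.parent.mkdir(parents=True)
                unit.write_text("[Unit]\nDescription=constructed placeholder\n")
            results[name] = audit(sp, home)
    return results

if __name__ == "__main__":
    for env, found in demo().items():
        print(env, "->", found or "no findings")
```

To audit a real interpreter, call audit() with each path returned by site.getsitepackages() and with Path.home(). A clean result does not clear a host that ever ran an affected version, since the article's guidance is to assume breach and rotate credentials.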
