LiteLLM Python Package Hacked by TeamPCP: With Million

Security vendors Endor Labs and JFrog have uncovered a sophisticated backdoor within a widely used open-source Python library. Hosted on the Python Package Index (PyPI), the compromise specifically affects versions 1.82.7 and 1.82.8 of the package. This library, which routes requests across various LLM providers, records over 95 million monthly downloads.

The malicious code was injected directly into the PyPI distribution, bypassing the clean upstream GitHub repository. This supply chain attack is attributed to TeamPCP, a threat actor known for targeting highly privileged developer and security tools.

The infection chain relies on malicious code execution disguised within legitimate library functions. In version 1.82.7, attackers injected a 12-line base64-encoded payload into the litellm/proxy/proxy_server.py file. This code triggers silently upon module import.

Version 1.82.8 escalates the threat by introducing a litellm_init.pth file into the root of the wheel. Because Python automatically processes .pth files placed in site-packages at startup, this secondary vector ensures the payload executes as a background process during any Python invocation in the compromised environment. This means the payload triggers even if litellm is never explicitly imported by the developer’s code.

Affected Package Versions

Note: The last known-clean version is litellm 1.82.6.

Upon execution, the payload initiates an aggressive three-stage attack sequence. The initial orchestrator script unpacks a comprehensive credential harvester designed to systematically sweep the host system.

It targets SSH keys, cloud provider tokens for AWS, GCP, and Azure, database credentials, and cryptocurrency wallets. Extracted secrets are encrypted using a hybrid AES-256-CBC and RSA-4096 scheme and bundled into an archive named tpcp.tar.gz before being exfiltrated to an attacker-controlled domain masquerading as a legitimate project resource.

Beyond credential theft, the malware attempts lateral movement within Kubernetes environments. If the harvester detects a Kubernetes service account token, it rapidly enumerates all cluster nodes and deploys privileged alpine containers to each node using host-level access.

Finally, the malware establishes persistent access by dropping a systemd user service disguised as a system telemetry process. This backdoor continuously polls a secondary command-and-control server to fetch and execute additional binaries.

This breach represents the latest escalation in a sprawling supply chain campaign orchestrated by TeamPCP. Over the past month, the group has successfully compromised five separate ecosystems, including GitHub Actions, Docker Hub, npm, and OpenVSX.

By deliberately targeting infrastructure and security-focused tools such as Aqua Security’s Trivy and Checkmarx’s KICS, the attackers ensure their payloads execute in highly privileged environments rich with production secrets.

Key Indicators of Compromise (IoCs)

Organizations utilizing litellm should immediately audit their environments. If the compromised versions are detected, security teams must treat the environment as fully breached and initiate a comprehensive credential rotation protocol.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.