SUPPLY CHAIN ATTACK — TEAMPCP CAMPAIGN

LITELLM BACKDOOR

A poisoned security scanner was used to steal PyPI publishing credentials, and the attackers then injected a multi-stage credential stealer into one of the world's most downloaded AI libraries, which is downloaded 95 million times per month.

CRITICAL SEVERITY | v1.82.7 · v1.82.8 | TeamPCP | SNYK-PYTHON-LITELLM-15762713 | March 24, 2026 · 10:39–13:25 UTC
DOWNLOADS / MONTH: 95M (3.4M per day at time of breach)
EXPOSURE WINDOW: ~3 HRS (10:39 UTC → 13:25 UTC quarantine)
CLOUD ENV PRESENCE: 36% of all cloud environments (Wiz)
SUPPRESSION BOTS: 88 comments in 102 seconds from 73 accounts
01 Attack Timeline — How It Cascaded
MAR 19, 2026 — STAGE 1
Trivy GitHub Action Hijacked
TeamPCP force-pushed malicious release v0.69.4 into the trivy-action GitHub Action repository. Tags were rewritten to point at malicious commits containing a credential-harvesting payload and C2 exfiltration infrastructure. This became the root of the entire cascade.
MAR 23, 2026 — STAGE 2
Checkmarx KICS Compromised
Same infrastructure hit Checkmarx's KICS (Keep Infrastructure as Code Secure) GitHub Action. The C2 domain checkmarx.zone was registered — a convincing impersonation of the legitimate Checkmarx security company. PyPI tokens from CI environments began accumulating in attacker infrastructure.
MAR 24, 2026 · 10:39 UTC — STAGE 3 (CRITICAL)
LiteLLM CI Ran Unpinned Trivy — Token Stolen
LiteLLM's GitHub Actions CI pipeline used Trivy as a security scanner, pulling it from apt without a pinned version. The compromised Trivy action exfiltrated the PYPI_PUBLISH token from the runner environment. With this credential, attackers published v1.82.7 at 10:39 UTC and the escalated v1.82.8 at 10:52 UTC — uploaded directly to PyPI, bypassing GitHub releases entirely.
MAR 24, 2026 · 12:44–12:46 UTC — COVER-UP
88 Bot Comments in 102 Seconds
When community members surfaced the breach in GitHub issue #24512, attackers deployed 73 previously compromised developer accounts — flooding the thread in under two minutes to suppress disclosure. The hijacked krrishdholakia maintainer account closed the issue as "not planned." Researchers confirmed 76% account overlap with the Trivy suppression botnet. The community reopened tracking via issue #24518 and Hacker News (324 points).
MAR 24, 2026 · 16:00 UTC — CONTAINED
PyPI Quarantine Lifted — Packages Removed
Both malicious versions were yanked from PyPI. LiteLLM officially acknowledged the breach, engaged Google's Mandiant team for forensic analysis, and paused all new releases pending a full supply-chain audit. The Docker proxy image was confirmed unaffected as it pins all dependencies in requirements.txt.
02 Threat Actor Attribution
TEAMPCP
A financially motivated threat actor executing an aggressive campaign against open-source developer tooling and AI infrastructure. It operates with a consistent playbook: compromise a trusted tool in a CI/CD pipeline, harvest publishing tokens from downstream consumers, and inject credential-stealing malware into widely used packages. The group maintains a sophisticated botnet of compromised developer accounts for suppression operations.
Aqua Security Trivy · Checkmarx KICS · LiteLLM ← CURRENT · Aqua Docker Images · OpenVSX Extensions
03 Payload Architecture — Three Stages
STAGE 01 — HARVEST
Mass Credential Exfiltration
Systematically collects SSH keys, AWS/GCP/Azure tokens, Kubernetes secrets, CI/CD environment variables, Docker configs, database credentials, .env files, and cryptocurrency wallets. The data is encrypted with AES-256, and the AES key is wrapped with an embedded RSA public key before exfiltration.
STAGE 02 — SPREAD
Kubernetes Lateral Movement
Attempts to deploy privileged pods named node-setup-* to every node in the cluster. Extracts cluster secrets, service account tokens, and kubeconfig files to maximize blast radius across infrastructure.
STAGE 03 — PERSIST
Systemd Backdoor Installation
Installs a persistent systemd service at sysmon.service that polls checkmarx.zone for additional binaries. Survives reboots. Enables ongoing access long after initial compromise.
Version Escalation
v1.82.7
Published 10:39 UTC
Injected 12 obfuscated, base64-encoded lines into litellm/proxy/proxy_server.py. The payload executes on module import: it decodes the base64 blob and launches it via subprocess. Exfiltrates to checkmarx.zone.
ESCALATED
v1.82.8
Published 10:52 UTC
Adds litellm_init.pth to the Python environment's site-packages. .pth files execute on every Python process start — even if litellm is never imported. Payload now runs for all Python scripts on the machine. Exfiltrates to models.litellm.cloud (attacker-controlled domain).
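The .pth mechanism described for v1.82.8 can be audited directly. The following is an added example, not code from the original page or from the LiteLLM project: Python's site module executes any .pth line that begins with "import", so the scanner lists such lines in each site-packages directory and flags the litellm_init.pth name given above. Function names are assumptions made for this example.

```python
"""Audit .pth files in site-packages for lines the interpreter will execute."""
import site
from pathlib import Path

# File name taken from this page's description of v1.82.8.
KNOWN_BAD_PTH = {"litellm_init.pth"}


def executable_pth_lines(pth_file):
    """Return the lines of a .pth file that site.py would exec() at startup.

    site.py treats each line as a path to add to sys.path, except lines that
    start with "import" followed by a space or tab: those are executed.
    """
    hits = []
    text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    for number, line in enumerate(text.splitlines(), start=1):
        if line.startswith(("import ", "import\t")):
            hits.append((number, line.strip()))
    return hits


def scan_site_packages(directory):
    """Return findings for every .pth file in one site-packages directory."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        lines = executable_pth_lines(pth)
        known_bad = pth.name in KNOWN_BAD_PTH
        if lines or known_bad:
            findings.append({"file": pth.name, "known_bad": known_bad,
                             "exec_lines": lines})
    return findings


def default_site_dirs():
    """Site-packages directories of the interpreter running this script."""
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    return [d for d in dirs if Path(d).is_dir()]


if __name__ == "__main__":
    for d in default_site_dirs():
        for f in scan_site_packages(d):
            tag = "KNOWN BAD" if f["known_bad"] else "review"
            print(f"[{tag}] {Path(d) / f['file']}")
            for number, line in f["exec_lines"]:
                print(f"    line {number}: {line[:120]}")
```

Legitimate tooling such as editable installs also ships .pth files with import lines, so findings that are not on the known-bad list need review rather than automatic deletion.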
04 Indicators of Compromise
TYPE          INDICATOR                                  SEVERITY
FILE          ~/.config/sysmon/sysmon.py                 CRITICAL
SYSTEMD       ~/.config/systemd/user/sysmon.service      CRITICAL
PYTHON        litellm_init.pth in site-packages/         CRITICAL
K8S POD       node-setup-* in kube-system namespace      CRITICAL
C2 DOMAIN     checkmarx.zone / checkmarx.zone/raw        HIGH
C2 DOMAIN     models.litellm.cloud                       HIGH
PKG VERSION   litellm==1.82.7 or litellm==1.82.8         CRITICAL
SNYK ID       SNYK-PYTHON-LITELLM-15762713               REF
bash — quick-check.sh
$ pip show litellm | grep Version
Version: 1.82.8 ← COMPROMISED — TAKE ACTION IMMEDIATELY

$ ls ~/.config/sysmon/sysmon.py 2>/dev/null && echo "INFECTED" || echo "not found"
INFECTED

$ kubectl get pods -n kube-system | grep node-setup
node-setup-bx9f2 1/1 Running 0 47m ← MALICIOUS POD FOUND

$ find $(python -c "import site; print(site.getsitepackages()[0])") -name "*.pth" | xargs grep -l "litellm"
/usr/lib/python3.11/site-packages/litellm_init.pth ← .PTH BACKDOOR FOUND
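The two C2 domains in the table above can also be hunted in DNS and proxy logs. The following is an added example, not part of the original page: it matches each listed domain and its subdomains while ignoring lookalikes such as a longer name that merely contains the domain. The log lines are constructed samples and the function names are assumptions.

```python
"""Hunt DNS and proxy log lines for the C2 domains listed on this page."""
import re

# Domains from this page's indicator table.
C2_DOMAINS = ("checkmarx.zone", "models.litellm.cloud")

# Maximal dotted tokens (hostnames, IPs, numbers); filtered by matches_c2().
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)+")

# Constructed sample lines: dnsmasq-style queries and squid-style proxy entries.
SAMPLE_LOG = """\
Mar 24 10:58:01 dnsmasq[811]: query[A] pypi.org from 10.0.4.17
Mar 24 10:58:03 dnsmasq[811]: query[A] models.litellm.cloud from 10.0.4.17
Mar 24 10:58:04 dnsmasq[811]: query[A] docs.litellm.ai from 10.0.4.22
1774349885.120 203 10.0.4.17 TCP_TUNNEL/200 4312 CONNECT checkmarx.zone:443 - HIER_DIRECT/- -
1774349891.007 95 10.0.4.30 TCP_MISS/200 1290 GET http://checkmarx.zone.example.com/raw - HIER_DIRECT/- -
1774349899.411 88 10.0.4.17 TCP_MISS/200 733 GET https://cdn.CheckMarx.zone./raw - HIER_DIRECT/- -
""".splitlines()


def matches_c2(host):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def hunt(lines):
    """Return (line_number, host, line) for each log line naming a C2 host."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in TOKEN_RE.findall(line):
            if matches_c2(token):
                hits.append((number, token.lower(), line.rstrip()))
                break  # one hit per line is enough for triage
    return hits


if __name__ == "__main__":
    for number, host, line in hunt(SAMPLE_LOG):
        print(f"line {number}: {host}\n    {line}")
```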
05 Incident Response Checklist
01. Verify exposure (CRITICAL)
Run pip show litellm. Affected if on 1.82.7 or 1.82.8. Also check transitive dependencies — MCP plugins, Cursor IDE, agent frameworks, and LLM orchestration tools may have pulled it in without explicit install.

02. Remove and purge caches (CRITICAL)
pip uninstall litellm then pip cache purge or rm -rf ~/.cache/uv to prevent reinstallation from cached wheels.

03. Rotate all credentials on affected machines (CRITICAL)
Treat all secrets as compromised: SSH keys, AWS/GCP/Azure tokens, Kubernetes service accounts, kubeconfig files, .env API keys (OpenAI, Anthropic, etc.), database passwords, GitHub tokens, Docker Hub credentials.

04. Scan for persistence mechanisms (CRITICAL)
Check ~/.config/sysmon/sysmon.py, ~/.config/systemd/user/sysmon.service, and litellm_init.pth in site-packages. If K8s: audit kube-system for node-setup-* pods and cluster secrets.

05. Pin to safe version (HIGH)
pip install litellm==1.82.6 — last confirmed clean release. Or upgrade to v1.82.9+ once your team has verified the release provenance.

06. Block C2 domains at network level (HIGH)
Block outbound to checkmarx.zone and models.litellm.cloud. Monitor for any historical connections to these domains in your DNS and proxy logs.

07. Audit CI/CD pipelines for unpinned security tools (MEDIUM)
This entire attack chain started because LiteLLM's CI pulled Trivy without a pinned version. Audit all scanner and tool references in your GitHub Actions, Jenkinsfiles, and build scripts. Pin everything. Use PyPI Trusted Publishers to eliminate static API tokens.
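One way to run the pipeline audit from step 07 over a GitHub Actions workflow, as an added example that is not part of the original page: because Stage 1 worked by rewriting tags, the check accepts only full 40-character commit SHAs for action references, image digests for docker:// references, and =version pins for apt installs. The workflow text, the example-org names, the SHA and the jq version are constructed placeholders.

```python
"""Flag unpinned tool references in a GitHub Actions workflow file."""
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
APT_RE = re.compile(r"\bapt(?:-get)?\s+install\s+([^|;&\n]+)")

# Constructed workflow; example-org names, the SHA and jq version are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/scanner-action@master
      - uses: ./.github/actions/local-lint
      - uses: docker://ghcr.io/example-org/tool:latest
      - run: sudo apt-get install -y trivy
      - run: sudo apt-get install -y jq=1.7.1-3build1
"""


def audit_workflow(text):
    """Return (line_number, reference, reason) for each unpinned reference."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        uses = USES_RE.match(line)
        if uses:
            ref = uses.group(1)
            if ref.startswith("docker://"):
                if "@sha256:" not in ref:
                    findings.append((number, ref, "image not pinned by digest"))
            elif not ref.startswith("./"):  # local actions live in this repo
                if not FULL_SHA_RE.match(ref.partition("@")[2]):
                    findings.append((number, ref, "tag or branch, not a commit SHA"))
            continue
        apt = APT_RE.search(line)
        for pkg in (apt.group(1).split() if apt else []):
            if not pkg.startswith("-") and "=" not in pkg:
                findings.append((number, pkg, "apt package without =version"))
    return findings


if __name__ == "__main__":
    for number, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {number}: {ref}: {reason}")
```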