LiteLLM Python Package With 95 Million Downloads Compromised by TeamPCP Hackers

Home Cyber Security News LiteLLM Python Package With 95 Million Downloads Compromised by TeamPCP Hackers A widely used open-source Python library was compromised on the Python Package Index (PyPI). Versions 1.82.7 and 1.82.8 of the package, which route requests across various LLM providers and have over 95 million monthly downloads, were found to contain a sophisticated backdoor by security vendors Endor Labs and JFrog. The malicious code was injected directly into the PyPI distribution, bypassing the clean upstream GitHub repository. This supply chain attack is attributed to TeamPCP, a threat actor known for targeting highly privileged developer and security tools. The infection chain relies on malicious code execution disguised within legitimate library functions. In version 1.82.7, attackers injected a 12-line base64-encoded payload into the litellm/proxy/proxy_server.py file. This code triggers silently upon module import. Version 1.82.8 escalates the threat by introducing a litellm_init.pth file into the root of the wheel. Because Python automatically processes .pth files placed in site-packages at startup, this secondary vector ensures the payload executes as a background process during any Python invocation in the compromised environment. This means the payload triggers even if litellm is never explicitly imported by the developer’s code. Affected Package Versions Package Name Version Publication Date Injection Vector Status litellm 1.82.7 2026-03-24 proxy_server.py (import-time) Removed litellm 1.82.8 2026-03-24 proxy_server.py + litellm_init.pth (interpreter startup) Removed Note: The last known-clean version is litellm 1.82.6. Upon execution, the payload initiates an aggressive three-stage attack sequence. The initial orchestrator script unpacks a comprehensive credential harvester designed to systematically sweep the host system. It targets SSH keys, cloud provider tokens for AWS, GCP, and Azure, database credentials, and cryptocurrency wallets. Extracted secrets are encrypted using a hybrid AES-256-CBC and RSA-4096 scheme and bundled into an archive named tpcp.tar.gz before being exfiltrated to an attacker-controlled domain masquerading as a legitimate project resource. Beyond credential theft, the malware attempts lateral movement within Kubernetes environments. If the harvester detects a Kubernetes service account token, it rapidly enumerates all cluster nodes and deploys privileged alpine containers to each node using host-level access. Finally, the malware establishes persistent access by dropping a systemd user service disguised as a system telemetry process. This backdoor continuously polls a secondary command-and-control server to fetch and execute additional binaries. This breach represents the latest escalation in a sprawling supply chain campaign orchestrated by TeamPCP. Over the past month, the group has successfully compromised five separate ecosystems, including GitHub Actions, Docker Hub, npm, and OpenVSX. By deliberately targeting infrastructure and security-focused tools such as Aqua Security’s Trivy and Checkmarx’s KICS, the attackers ensure their payloads execute in highly privileged environments rich with production secrets. Key Indicators of Compromise (IoCs) Indicator Type Description models.litellm.cloud C2 Domain Exfiltration endpoint for encrypted credential archives checkmarx.zone/raw C2 Endpoint Payload delivery domain for the persistent backdoor ~/.config/systemd/user/sysmon.service Filesystem Persistent systemd unit hiding the backdoor tpcp.tar.gz Archive Named archive containing exfiltrated host data node-setup-* Kubernetes Privileged attacker pods deployed in the kube-system namespace Organizations utilizing litellm should immediately audit their environments. If the compromised versions are detected, security teams must treat the environment as fully breached and initiate a comprehensive credential rotation protocol. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. RELATED ARTICLESMORE FROM AUTHOR Cyber Security Kali Linux 2026.1 Released With 8 New Hacking Tools Cyber Attack News Aqua Security’s Trivy Scanner Compromised in Supply Chain Attack Cyber Security HackerOne Data Breach – Employees Data Stolen Following Navia Hack Top 10 Essential E-Signature Solutions for Cybersecurity in 2026 January 31, 2026 Top 10 Best Data Removal Services In 2026 January 29, 2026 Best VPN Services of 2026: Fast, Secure & Affordable January 26, 2026 Top 10 Best Data Security Companies in 2026 January 23, 2026 Top 15 Best Ethical Hacking Tools – 2026 January 15, 2026