LiteLLM Versions 1.82.7 and 1.82.8 Injected with Credential-Stealing Malware
Two versions of the popular LiteLLM Python library, a tool with 97 million monthly downloads, were compromised in a supply chain attack that risks the theft of cryptocurrency wallets and cloud credentials. On March 24, a threat actor known as TeamPCP published malicious versions 1.82.7 and 1.82.8 to the Python Package Index (PyPI). The embedded malware is a multi-stage payload designed to harvest sensitive data, including SSH keys, Kubernetes secrets, and private keys for crypto wallets, from any environment where the compromised packages are installed.
The second malicious version, 1.82.8, introduced a more aggressive attack vector using a .pth file. This technique allows the malicious code to execute automatically whenever the Python interpreter starts, rather than waiting for the LiteLLM library to be explicitly imported by a developer's code. This significantly expands the attack's reach and ability to persist on an infected system.
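A defender-side check for the .pth mechanism described above, as an added example that is not from the original article or the LiteLLM project: it lists the .pth lines the interpreter would execute at startup and flags the two LiteLLM versions named here. The function names are hypothetical, and hits are candidates for review, since some legitimate packages also ship executable .pth lines.

```python
import sysconfig
from importlib import metadata
from pathlib import Path

# The two releases the article names as malicious.
BAD_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}

def executable_pth_lines(pth_path):
    """Return (line_no, text) for lines Python's site module would exec().

    At startup, site.py executes any .pth line that begins with 'import'
    followed by a space or tab; other non-comment lines are path entries.
    """
    text = Path(pth_path).read_text(encoding="utf-8-sig", errors="replace")
    return [(no, line.strip())
            for no, line in enumerate(text.splitlines(), 1)
            if line.startswith(("import ", "import\t"))]

def scan_site_dirs(dirs):
    """Map each .pth file that contains executable lines to those lines."""
    findings = {}
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            hits = executable_pth_lines(pth)
            if hits:
                findings[str(pth)] = hits
    return findings

def litellm_is_flagged(version):
    """True if the given version string is one of the compromised releases."""
    return version in BAD_LITELLM_VERSIONS

def installed_litellm_version():
    """Installed litellm version from package metadata, or None if absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None

if __name__ == "__main__":
    version = installed_litellm_version()
    if version and litellm_is_flagged(version):
        print(f"litellm {version} is one of the compromised releases")
    paths = sysconfig.get_paths()
    site_dirs = {paths["purelib"], paths["platlib"]}
    for path, hits in scan_site_dirs(site_dirs).items():
        for no, line in hits:
            # Truncate long one-liners so the report stays readable.
            print(f"{path}:{no}: {line[:120]}")
```

Run it with the interpreter of the environment under review, since each virtual environment has its own site-packages directory.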
CI/CD Pipeline Breach via Trivy Scanner Enabled Attack
The compromise of LiteLLM was not a direct assault but a cascading failure originating from its development infrastructure. Attackers first subverted Trivy, an open-source vulnerability scanner used in LiteLLM's continuous integration/continuous delivery (CI/CD) pipeline. By publishing malicious Trivy releases on March 19 and March 22, TeamPCP exploited a misconfiguration to steal a privileged access token for LiteLLM's project.
With the stolen credentials, the attackers were able to publish the backdoored LiteLLM packages directly to PyPI. Security researchers found that the harvested data was being sent as an encrypted archive to an attacker-controlled command-and-control domain, models.litellm[.]cloud. A persistent backdoor was also installed to poll a separate domain, checkmarx[.]zone, every 50 minutes for new commands or payloads, indicating a long-term intrusion strategy.
TeamPCP Vows Further Attacks, Escalating Supply Chain Risk
The LiteLLM incident is part of a deliberate and escalating campaign by TeamPCP targeting critical developer infrastructure. The group has openly taken credit for the attack on its Telegram channel, stating its intent to continue targeting popular tools and perpetuating the chaos. This elevates the incident from a single project's breach to a systemic threat against the open-source software supply chain.
"The open source supply chain is collapsing in on itself. Trivy gets compromised → LiteLLM gets compromised → credentials from tens of thousands of environments end up in attacker hands → and those credentials lead to the next compromise. We are stuck in a loop."
— Gal Nagli, Head of Threat Exposure at Google-owned Wiz.
This cycle of compromise, where stolen credentials from one attack are used to launch the next, creates a significant snowball effect. For investors and developers in the Web3 space, this attack undermines trust in the security of foundational development tools and increases the operational risk for projects that rely on the open-source ecosystem.