TeamPCP Supply Chain Attack - LiteLLM Packages Compromised
Basically, hackers turned a popular software library into a vehicle for spreading malware.
TeamPCP has compromised LiteLLM packages on PyPI, embedding malware that steals sensitive data. Developers and organizations using this library are at risk. Immediate action is needed to secure systems and credentials.
What Happened
On March 24, 2026, the cybercriminal group known as TeamPCP compromised two versions of the LiteLLM library on the Python Package Index (PyPI). These versions, 1.82.7 and 1.82.8, contained malicious code designed to steal credentials and deploy additional malware. This incident is part of a broader series of supply chain attacks targeting popular open-source tools, which has raised significant concerns in the cybersecurity community.
The compromised LiteLLM library is crucial for applications that switch between various large language models (LLMs). By infiltrating this library, TeamPCP exploited its position to access sensitive data, including API keys and environment variables. This method allows attackers to intercept valuable information without needing to breach upstream systems directly.
Who's Behind It
The TeamPCP group has gained notoriety for its sophisticated supply chain attacks, which have increasingly targeted developers and cloud environments. Their strategy involves compromising maintainer accounts and pushing malicious workflows, as seen in previous attacks on other tools like Aqua’s Trivy and Checkmarx’s VS Code extensions. The attackers capitalize on the trust users place in open-source software, making their operations particularly effective.
In the case of LiteLLM, the attack followed a pattern established in earlier incidents, indicating a well-coordinated effort to exploit vulnerabilities in the software development lifecycle. The group’s approach suggests a broad targeting strategy, aiming to disrupt the development processes of organizations leveraging open-source solutions for AI applications.
What Data Was Exposed
The compromised LiteLLM packages allowed attackers to potentially exfiltrate sensitive configuration data. This includes:
- API keys
- Environment variables
- SSH keys and cloud tokens
- CI/CD secrets
- Crypto wallets
Given the library's role in facilitating communication between applications and AI service providers, the impact of this breach could be severe for organizations that rely on LiteLLM. The malware embedded in the packages was designed to operate stealthily, making it difficult for users to detect its presence until significant damage was done.
What You Should Do
Organizations that have installed or executed the compromised LiteLLM versions should take immediate action. Here are the recommended steps:
- Identify and remove the malicious LiteLLM packages from affected systems.
- Rotate all potentially exposed credentials, including API keys and SSH tokens.
- Conduct a thorough investigation to uncover any persistence mechanisms or additional payloads that may have been dropped during the compromise.
- In many cases, it may be safest to rebuild affected systems from a known clean state to ensure complete removal of the malware.
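For the first step above, an added example (not from the original article) that flags installed litellm distributions and requirements-file pins at the two versions named here. The function names, the requirements*.txt glob and the exit-code convention are assumptions of this example.

```python
import re
import sys
from importlib import metadata
from pathlib import Path

# Versions the article names as compromised.
COMPROMISED = {"1.82.7", "1.82.8"}
# Requirements-style pins, e.g. "litellm==1.82.8" or "LiteLLM[proxy]==1.82.7".
PIN_RE = re.compile(r"^\s*litellm(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#\\]*)", re.I)


def installed_hits(search_paths=None):
    """Return sorted (site_dir, version) pairs for compromised litellm installs."""
    paths = [str(p) for p in (sys.path if search_paths is None else search_paths)]
    hits = set()
    for dist in metadata.distributions(path=paths):
        name = dist.metadata.get("Name") or ""
        # PEP 503 normalization: case-insensitive, runs of -_. are equivalent.
        if re.sub(r"[-_.]+", "-", name).lower() != "litellm":
            continue
        if dist.version in COMPROMISED:
            hits.add((str(dist.locate_file("")), dist.version))
    return sorted(hits)


def pinned_hits(root):
    """Return (file, line_no, version) for compromised pins under root."""
    hits = []
    for req in sorted(Path(root).rglob("requirements*.txt")):
        text = req.read_text(errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            match = PIN_RE.match(line)
            if match and match.group(1) in COMPROMISED:
                hits.append((str(req), line_no, match.group(1)))
    return hits


if __name__ == "__main__":
    # Usage: python check_litellm.py [project_root]; exit code 1 means findings.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    findings = installed_hits() + pinned_hits(root)
    for finding in findings:
        print("compromised litellm:", *finding)
    sys.exit(1 if findings else 0)
```

Run it with every interpreter or virtual environment in use, because installed_hits() only inspects the sys.path of the Python that executes it. A clean result does not show that a compromised version was never installed earlier, so credential rotation still applies.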
The removal of the malicious packages from PyPI does not eliminate the risks associated with this attack. Organizations must remain vigilant and proactive in safeguarding their development environments against similar threats in the future.
Help Net Security