LiteLLM Supply Chain Compromise - TeamPCP's Attack Unveiled
Basically, a hacker group used a popular software tool to steal sensitive data from many developers.
The Threat
The recent compromise of LiteLLM, a widely-used AI proxy package, has revealed a significant threat in the cybersecurity landscape. Orchestrated by the criminal group TeamPCP, this multi-ecosystem supply chain attack is one of the most sophisticated documented to date. The attack exploited vulnerabilities in developer tooling and targeted LiteLLM, which serves as a gateway to various LLM providers. This incident not only highlights the risks associated with open-source software but also underscores the potential for credential theft in a connected development environment.
On March 24, 2026, production systems utilizing LiteLLM began experiencing severe issues, including runaway processes and CPU overloads. Investigations revealed that versions 1.82.7 and 1.82.8 of LiteLLM contained malicious code designed to harvest sensitive data such as cloud credentials, SSH keys, and Kubernetes secrets. This three-stage payload enabled attackers to not only steal data but also maintain persistent access through remote code execution.
Who's Behind It
The group behind this attack, TeamPCP, has demonstrated a deep understanding of Python execution models. They have previously compromised security tools like Trivy to escalate their attacks. By leveraging compromised CI/CD pipelines, they published trojanized packages, allowing them to access sensitive information with relative ease. The sophistication of their operations is evident in their ability to adapt their tactics rapidly, ensuring stealth and persistence throughout the attack.
This incident is part of a broader trend where security tools themselves become entry points for attackers. The use of compromised security scanners to facilitate supply chain attacks poses a significant risk to organizations relying on these tools for protection. As seen in this case, when security tools are exploited, they can inadvertently become platforms for credential harvesting, leading to widespread vulnerabilities across various systems.
Tactics & Techniques
The LiteLLM attack involved a well-coordinated effort across multiple platforms, including PyPI, npm, and Docker Hub. The attackers injected malicious code into LiteLLM, which was downloaded millions of times daily. The malicious versions were designed to execute a credential harvesting operation targeting over 50 categories of secrets. This included a lateral movement toolkit for Kubernetes, allowing attackers to compromise entire clusters.
The attack's rapid evolution is particularly notable. Within just 13 minutes, the attackers modified their approach from a targeted code injection to a stealthier method that executed on any Python interpreter startup. This adaptability demonstrates a high level of operational sophistication, allowing them to maximize their impact while minimizing detection risks.
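The paragraph above says the second variant ran on every Python interpreter start. One documented way to get that behaviour is the `.pth` import hook that `site.py` honours in site-packages (any line beginning with `import ` is executed at startup), together with the `sitecustomize`/`usercustomize` modules. Whether the compromise used exactly that mechanism is not stated on this page and is an assumption of the following added example, which is not code from the page, from LiteLLM or from BerriAI. It scans a site-packages directory for startup hooks, rates them, and builds a constructed directory to demonstrate the output.

```python
import re
import site
import tempfile
from pathlib import Path

# Calls that rarely belong in a one-line .pth import hook; their presence raises severity.
RISKY_CALLS = re.compile(
    r"\b(exec|eval|compile|__import__|base64|marshal|zlib|subprocess|socket|urllib|requests)\b"
)

# Constructed sample hook line (decodes to print('hook')); used only as scanner input.
SUSPECT_PTH = 'import base64; exec(base64.b64decode(b"cHJpbnQoJ2hvb2snKQ==").decode())\n'


def classify_pth_line(line):
    """Mirror site.py: comments and blanks are ignored, import lines run, others are paths."""
    line = line.rstrip()
    if not line or line.startswith("#"):
        return "ignored"
    if line.startswith(("import ", "import\t")):
        return "import"
    return "path"


def scan_site_dir(site_dir):
    """Return findings for every executable .pth line and every startup hook module."""
    site_dir = Path(site_dir)
    findings = []
    for pth in sorted(site_dir.glob("*.pth")):
        for lineno, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
            if classify_pth_line(line) != "import":
                continue
            severity = "high" if RISKY_CALLS.search(line) else "medium"
            findings.append(
                {"file": pth.name, "line": lineno, "severity": severity, "detail": line.rstrip()}
            )
    for name in ("sitecustomize.py", "usercustomize.py"):
        if (site_dir / name).is_file():
            findings.append(
                {"file": name, "line": 0, "severity": "medium", "detail": "startup hook module present"}
            )
    return findings


def scan_live_interpreter():
    """Scan the site-packages directories of the interpreter running this script."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    return {d: scan_site_dir(d) for d in dirs if Path(d).is_dir()}


def demo():
    """Build a constructed site-packages directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "vendor.pth").write_text("/opt/vendor/lib\n# comment\n\n")  # benign path entries
        (d / "suspect.pth").write_text(SUSPECT_PTH)                          # executable hook
        (d / "sitecustomize.py").write_text("# constructed empty hook module\n")
        return scan_site_dir(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    for directory, found in scan_live_interpreter().items():
        for finding in found:
            print(directory, finding)
```

Medium findings need human review rather than automatic alarm: legitimate packages also ship `import` lines in `.pth` files (setuptools' `distutils-precedence.pth` is a common one), so the useful signal is a hook that appeared with a package upgrade, or one that decodes or executes data rather than importing a named module.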
Defensive Measures
In response to the LiteLLM compromise, the open-source community mobilized quickly to mitigate the damage. PyPI removed the compromised versions within hours of the first reports, demonstrating the importance of community vigilance in cybersecurity. BerriAI, the maintainer of LiteLLM, engaged incident response teams to address the breach and assess the impact.
Organizations using LiteLLM and similar tools should review their security practices, particularly regarding CI/CD pipelines and dependency management. Implementing strict access controls, regular audits of third-party packages, and monitoring for unusual activity can help prevent similar incidents in the future. Additionally, fostering a culture of security awareness among developers is crucial in identifying and mitigating potential threats before they escalate.
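A concrete form of the dependency review recommended above, as an added example that is not tooling from the page, LiteLLM or BerriAI: it audits a requirements file against the two versions the page identifies as compromised (1.82.7 and 1.82.8), flags entries that are not pinned with `==` or carry no `--hash`, and reports whether a compromised build is installed in the current interpreter. The sample requirements text and the all-zero hash in it are constructed; nothing is implied about any LiteLLM release not named on the page.

```python
import re
from importlib import metadata

# Versions the page identifies as malicious, keyed by normalised package name.
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}

# name, optional extras, optional operator and version (PEP 508 subset, enough for pins).
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;#\\]*)"
)

SAMPLE_REQUIREMENTS = """\
# constructed sample manifest, not a real project file
litellm==1.82.7
requests>=2.0
packaging==24.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""


def join_continuations(text):
    """Merge backslash-continued lines so hashes stay with their requirement."""
    out, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_requirement(line):
    """Return name/op/version/hashes for one requirement line, or None for non-requirements."""
    body = line.split("#", 1)[0].strip()
    if not body or body.startswith("-"):
        return None
    m = REQ_RE.match(body)
    if not m:
        return None
    name = m.group(1).lower().replace("_", "-")
    return {
        "name": name,
        "op": m.group(2),
        "version": m.group(3) or None,
        "hashes": re.findall(r"--hash=(\S+)", body),
    }


def audit_requirements(text):
    """List (package, problem) pairs for compromised, unpinned or hash-less entries."""
    issues = []
    for raw in join_continuations(text):
        req = parse_requirement(raw)
        if req is None:
            continue
        bad = COMPROMISED.get(req["name"], set())
        if req["op"] == "==" and req["version"] in bad:
            issues.append((req["name"], "pinned to a known-compromised version " + req["version"]))
        elif req["op"] != "==":
            issues.append((req["name"], "not pinned with ==; a compromised release could be resolved"))
        if not req["hashes"]:
            issues.append((req["name"], "no --hash pin; artifact integrity is not verified"))
    return issues


def installed_version(name):
    """Version of an installed distribution, or None if it is not installed."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None


def installed_is_compromised(name):
    """True only when the installed version is one the page names as malicious."""
    version = installed_version(name)
    return version is not None and version in COMPROMISED.get(name, set())


if __name__ == "__main__":
    for package, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{package}: {problem}")
    print("installed litellm:", installed_version("litellm"),
          "compromised:", installed_is_compromised("litellm"))
```

Hash pinning is what turns a version pin into an integrity check: with `--hash` present, `pip install --require-hashes` refuses an artifact whose digest differs from the recorded one, so a republished or substituted build of the same version number does not install.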