Threat Intel - Malicious LiteLLM Versions Linked to TeamPCP
Basically, hackers modified a popular software library to steal sensitive information from users.
Malicious versions of LiteLLM were backdoored by TeamPCP, targeting millions of developers. This supply chain attack steals sensitive credentials and maintains persistent access. Developers should update to safe versions immediately.
The Threat
In a recent supply chain attack, the threat actor known as TeamPCP compromised versions 1.82.7 and 1.82.8 of LiteLLM, a widely used library that helps developers route LLM requests through a single API. This attack is particularly concerning as LiteLLM has over 95 million monthly downloads. The malicious versions were likely backdoored via a breach in the Trivy CI/CD pipeline, allowing attackers to insert harmful code into the software without detection.
The malicious payload is designed to execute automatically when the compromised LiteLLM versions are imported. This means that unsuspecting developers may unknowingly introduce malware into their systems simply by using the library. The attack is characterized by a multi-stage payload that targets sensitive credentials and enables lateral movement within Kubernetes environments.
Who's Behind It
The TeamPCP group has a history of compromising various ecosystems, including GitHub Actions, Docker Hub, and npm. Their tactics typically involve leveraging stolen credentials to gain access to additional targets, creating a cycle of exploitation. The recent LiteLLM attack showcases their ability to pivot across multiple platforms quickly, indicating a well-coordinated and sophisticated operation.
Endor Labs has attributed the attack to TeamPCP with high confidence, citing strong overlaps with previous incidents. Key indicators of compromise include the same command-and-control (C2) domains and persistence techniques used in earlier campaigns. This suggests a pattern of behavior that security professionals should monitor closely.
Tactics & Techniques
The malicious code inserted into LiteLLM is particularly insidious. It includes a credential harvester that scans for sensitive data such as SSH keys, cloud credentials, and Kubernetes secrets. This harvester operates silently, collecting and encrypting stolen data before sending it to a remote server. The attack also features a persistent backdoor that maintains long-term access, allowing attackers to deploy additional payloads at will.
The method of injection was cleverly concealed within the code, making it difficult for developers to detect. The malicious lines were inserted between legitimate code blocks, and the payload is executed through subprocess calls, avoiding detection by common security measures. This level of sophistication highlights the need for vigilance in software supply chain security.
Defensive Measures
To protect against such attacks, developers and organizations should take immediate action. First, ensure that you are using the latest safe version of LiteLLM; version 1.82.6 is currently the last known safe release. Regularly audit your dependencies and monitor for any unusual activity within your Kubernetes clusters.
Additionally, implementing strict access controls and monitoring for unauthorized changes in your CI/CD pipelines can help mitigate risks. Educating your development teams about the potential threats posed by supply chain attacks is crucial. The TeamPCP campaign serves as a stark reminder of the vulnerabilities inherent in software development and deployment processes.
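One way to run the dependency audit described above, as an added example that is not code from the article or from the LiteLLM project: it flags requirements entries pinned to 1.82.7 or 1.82.8 and reads the installed version from package metadata only, because the payload runs when the library is imported. The function names and the sample file are constructed for illustration, and a range or bare name is reported as "unpinned" because it could have resolved to a backdoored release.

```python
import re
from importlib import metadata

# Versions the article names as backdoored; 1.82.6 is the last known safe release.
COMPROMISED = {"1.82.7", "1.82.8"}

# Requirement line: name, optional [extras], then the version specifier up to ';' or '#'.
_REQ = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*([^;#]*)")

def classify(spec):
    """Classify a version specifier string such as '==1.82.7' or '>=1.80'."""
    spec = re.sub(r"\s+", "", spec.split("--hash")[0]).rstrip("\\")
    pin = re.fullmatch(r"===?([0-9][0-9A-Za-z.+!-]*)", spec)
    if pin is None:
        return "unpinned"  # range, wildcard or bare name: check what it resolved to
    return "compromised" if pin.group(1) in COMPROMISED else "ok"

def audit_requirements(text):
    """Return (line_number, line, status) for every litellm entry in a requirements file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _REQ.match(line)
        # Normalize the name the way package indexes do (case, '-', '_', '.').
        if m and re.sub(r"[-_.]+", "-", m.group(1)).lower() == "litellm":
            findings.append((n, line.strip(), classify(m.group(2))))
    return findings

def installed_status():
    """Check the installed distribution from metadata only; litellm is never imported."""
    try:
        version = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None, "absent"
    return version, ("compromised" if version in COMPROMISED else "ok")

# Constructed sample input, not taken from a real project.
SAMPLE = """\
# constructed sample requirements file
requests==2.32.3
LiteLLM[proxy]==1.82.7 ; python_version >= "3.9"
litellm==1.82.6 --hash=sha256:PLACEHOLDER
litellm>=1.80
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE):
        print(finding)
    print("installed:", installed_status())
```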
Security Affairs