Malware - Backdoored LiteLLM Package Exposed by Trivy
Basically, hackers used a security tool to sneak in bad code into a popular Python package.
A backdoored LiteLLM Python package was published by TeamPCP after compromising PyPI credentials via Trivy. Millions of users could be affected. It's crucial to check your installations and stay updated.
What Happened
On March 24, 2026, two versions of the litellm Python package were found to contain malicious code. The versions, 1.82.7 and 1.82.8, were published by a threat actor known as TeamPCP after they obtained the maintainer's PyPI credentials through a compromised Trivy GitHub Action in LiteLLM's CI/CD pipeline. These malicious packages were available for approximately three hours before PyPI quarantined them. With LiteLLM being downloaded roughly 3.4 million times daily, the impact of this incident is significant.
The attack chain began with a compromise of the Trivy GitHub Action, which was exploited to rewrite Git tags. This allowed TeamPCP to publish the backdoored versions of the package, which contained a three-stage malware payload designed to harvest credentials and maintain persistence on infected systems.
How It Works
The malware operates in three stages, starting with information collection. It gathers sensitive data from the infected system, including SSH keys, cloud credentials, and even cryptocurrency wallet information. This data is then encrypted and transmitted to a command-and-control server, models.litellm.cloud, which was registered just a day before the malicious packages were published.
The second stage involves encryption and exfiltration of the collected data, using a combination of AES-256 and RSA encryption. The final stage ensures persistence by writing a backdoor script to the user's configuration directory, allowing the attacker to maintain access even after the initial infection.
Who's Being Targeted
The attack primarily targets users of the LiteLLM package, which is widely utilized in various Python applications. Given that LiteLLM is downloaded millions of times each day, the potential number of affected users is substantial. Developers and organizations relying on this package for their projects are particularly at risk, as the malware can compromise their systems and expose sensitive information.
In addition to individual users, organizations using CI/CD pipelines that incorporate LiteLLM are also vulnerable. The compromise of the Trivy GitHub Action highlights the risks associated with supply chain attacks, where a single weak point can lead to widespread exploitation.
Signs of Infection
Users may notice unusual behavior on their systems, such as unexpected RAM exhaustion or unresponsive applications after installing the litellm package. The presence of the litellm_init.pth file in the site-packages directory is a strong indicator of infection, as this file is used to execute the malicious payload during Python interpreter startup.
If you suspect infection, look for any unauthorized scripts or services running on your system. The backdoor created by the malware can run arbitrary commands, making it essential to monitor system behavior closely.
How to Protect Yourself
To safeguard against this type of attack, it's crucial to verify the integrity of packages before installation. Always check for updates from trusted sources and avoid using packages that have been recently updated without proper vetting. For LiteLLM users, it is recommended to downgrade to version 1.82.6 or earlier until further notice.
Additionally, organizations should implement strict access controls and regularly audit their CI/CD pipelines for vulnerabilities. Monitoring for unusual activity and employing security tools can help detect and mitigate potential threats before they escalate.