TeamPCP hacked a popular library used by many developers, allowing them to steal important passwords and keys stored on developers' computers. This shows how important it is to keep our coding tools safe.
What Happened
LiteLLM, a widely used open-source Python library, has fallen victim to a malicious attack by TeamPCP. This library, which translates API requests for various Large Language Models, is present in 36% of cloud environments, making its compromise particularly concerning. On March 24, 2026, malicious versions 1.82.7 and 1.82.8 were published on PyPI, injecting infostealer malware that activated when developers installed or updated the package. The malware systematically harvested sensitive data from developer machines, including cloud credentials for AWS, Azure, and GCP, SSH keys, and Docker configurations. PyPI removed the malicious packages within hours of detection, but the damage window was significant, affecting numerous users.
The attack utilized Python's .pth file mechanism to execute arbitrary code during the interpreter's initialization. This stealthy method allowed the malware to run without direct invocation of LiteLLM, making detection challenging. By the time the packages were removed, they had already begun exfiltrating sensitive data from affected systems.
Who's Being Targeted
The primary targets of this malware are organizations utilizing LiteLLM in their cloud environments. Given its prevalence, the impact is potentially widespread. The malicious payload is designed to collect sensitive information, including cloud credentials, SSH keys, and CI/CD secrets. This data is crucial for maintaining security in cloud infrastructures, and its theft can lead to severe security breaches. GitGuardian's analysis revealed that 1,705 PyPI packages were configured to automatically pull the compromised LiteLLM versions as dependencies. Popular packages like dspy (5 million monthly downloads), opik (3 million), and crawl4ai (1.4 million) would have triggered malware execution during installation. This cascade effect means that organizations that never directly used LiteLLM could still be compromised through transitive dependencies.
Signs of Infection
Indicators of infection include unexpected behavior in Python environments where LiteLLM is used. If users notice unusual API requests or unauthorized access to cloud services, it may be a sign that the malware is active. The malicious versions of LiteLLM execute a double base64-encoded payload, which can lead to data exfiltration without detection.
Furthermore, the malware collects various sensitive data types, including environment variables and database credentials. This extensive data collection mimics previous attacks seen in the KICS operation, indicating a pattern in TeamPCP's tactics. Developer machines are particularly attractive targets due to the dense concentration of plaintext credentials that accumulate in source trees, local config files, and debug output.
How to Protect Yourself
To mitigate the risks associated with this malware, users should immediately check for the presence of the malicious LiteLLM versions in their environments. Monitoring tools like the Wiz Threat Center can provide guidance on identifying compromised packages and assessing the potential impact. Users are encouraged to:
Detection
1. Regularly audit their Python packages and dependencies.
2. Implement strict access controls for sensitive cloud resources.
3. Utilize tools like ggshield to scan local repositories for credentials that may have slipped into code or lingered in Git history.
Removal
4. Treat developer machines as critical infrastructure and apply governance discipline similar to that used for production systems.
5. Move credentials into a centralized vault infrastructure to manage access and rotation policies.
By taking these proactive steps, organizations can better protect themselves against similar attacks in the future. Vigilance and prompt action are essential in the fight against evolving malware threats.
The LiteLLM incident underscores the critical need for organizations to secure developer endpoints, as they are often the primary targets for attackers seeking to harvest sensitive credentials.
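The two checks described above (the affected versions 1.82.7 and 1.82.8, and the .pth startup mechanism) can be combined into one audit script. This is an added example, not code from the original article or from any vendor tool; the function names are hypothetical, and it relies only on the standard behaviour of Python's site module, which executes .pth lines that begin with "import".

```python
import site
import sys
from importlib import metadata
from pathlib import Path

# Releases the article names as malicious.
AFFECTED = {"1.82.7", "1.82.8"}


def affected_litellm(site_dir):
    """Return affected litellm versions installed under site_dir."""
    hits = []
    for dist in metadata.distributions(path=[str(site_dir)]):
        name = (dist.metadata.get("Name") or "").lower()
        if name == "litellm" and dist.version in AFFECTED:
            hits.append(dist.version)
    return sorted(hits)


def executable_pth_lines(site_dir):
    """Return (file, line) for each .pth line the interpreter runs at startup.

    The site module exec()s any .pth line that begins with "import" followed
    by a space or tab; other non-comment lines are only added to sys.path.
    """
    found = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):
                found.append((pth.name, line[:120]))  # truncate long payloads
    return found


def audit(dirs):
    """Map each existing directory to its findings."""
    return {
        str(d): {"litellm": affected_litellm(d), "pth": executable_pth_lines(d)}
        for d in dirs
        if Path(d).is_dir()
    }


if __name__ == "__main__":
    report = audit(site.getsitepackages() + [site.getusersitepackages()])
    for path, result in report.items():
        for version in result["litellm"]:
            print(f"[!] {path}: litellm {version} is an affected release")
        for name, line in result["pth"]:
            print(f"[?] {path}/{name}: runs at startup: {line}")
    sys.exit(1 if any(r["litellm"] for r in report.values()) else 0)
```

Run it with each interpreter or virtual environment you want to check. Lines marked [?] need review rather than immediate alarm, since editable installs and some legitimate packages also place import lines in .pth files.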





