Malware - TeamPCP Backdoors LiteLLM Versions via Trivy Compromise
Basically, a hacker group added malicious code to a popular software package to steal sensitive information.
TeamPCP has backdoored LiteLLM versions 1.82.7 and 1.82.8, embedding malware that steals credentials. This poses a significant risk to users and their environments. Immediate action is required to mitigate the threat.
What Happened
TeamPCP, a notorious threat actor, has successfully compromised two versions of a popular Python package called litellm. Versions 1.82.7 and 1.82.8 were found to contain malicious code, which was likely introduced through the use of Trivy in the CI/CD pipeline. This compromise allows attackers to deploy a credential harvester and a backdoor that can infiltrate Kubernetes environments.
The malicious versions were published on March 24, 2026, and have since been removed from the Python Package Index (PyPI). Security vendors such as Endor Labs and JFrog have confirmed the presence of a three-stage attack embedded within these versions. The attack begins with a credential harvester that targets SSH keys, cloud credentials, and more, followed by a toolkit for lateral movement within Kubernetes clusters.
Who's Being Targeted
The attack primarily targets users of the litellm package, particularly those utilizing it within Kubernetes environments. Given the nature of the malware, it poses a significant risk to organizations that rely on this package for their cloud infrastructure. The implications extend beyond individual users, as compromised credentials can lead to further attacks on other systems and services.
As TeamPCP has demonstrated a pattern of escalating their attacks, the threat is not limited to just litellm users. Organizations that utilize CI/CD tools like Trivy and KICS are also at risk, as these tools were exploited to facilitate the compromise. This broadens the attack surface, potentially impacting thousands of environments.
Signs of Infection
Indicators of infection include unexpected egress traffic to domains like models.litellm.cloud and checkmarx.zone. Users should also be on the lookout for rogue Kubernetes pods and any unauthorized changes in their CI/CD pipelines. The presence of the malicious code can lead to unauthorized credential harvesting, which is a clear sign that the environment has been compromised.
Additionally, the malicious payload is designed to execute automatically upon importing the litellm package, making it difficult to detect without thorough auditing. Organizations must remain vigilant and conduct regular security assessments to identify any signs of compromise.
How to Protect Yourself
To mitigate the risks associated with this malware, users should take immediate action. First, audit all environments for the affected litellm versions and revert to a clean version if found. Isolating affected hosts and checking for rogue pods in Kubernetes clusters is crucial.
Reviewing network logs for suspicious traffic is also essential. Organizations should remove any persistence mechanisms established by the malware and audit their CI/CD pipelines for vulnerabilities. Lastly, revoking and rotating all exposed credentials will help to prevent further exploitation.
As TeamPCP continues its campaign targeting security tools and open-source projects, staying informed and proactive is key to safeguarding your systems.
The Hacker News