Feed
CriticalPublished 24 Mar 20261 package · 2 versions

LiteLLM PyPI backdoored as TeamPCP cascade reaches Python

Summary

TeamPCP used credentials harvested from the Trivy compromise to publish trojanised litellm 1.82.7 and 1.82.8 to PyPI on 24 March 2026 (~10:39 and 10:52 UTC). Malicious wheels drop a litellm_init.pth file in site-packages, executing a credential stealer at every Python interpreter start. PyPI quarantined the packages ~40 minutes after publication. Attackers later claimed ~500,000 credentials from this single compromise. LiteLLM averages ~3M daily downloads and ships in ~36% of cloud environments.

credential-theftinfostealerci-cd-compromisemaintainer-takeover
Threat actor
TeamPCP
Detected by
PyPI Security · JFrog · Microsoft Threat Intelligence
Also known as
TeamPCP LiteLLM cascade
Ecosystems
PyPI
Packages tracked
1

What happened

On 2026-03-24 at approximately 10:39 UTC and 10:52 UTC, TeamPCP published trojanised litellm versions 1.82.7 and 1.82.8 to PyPI. Access was obtained using a BerriAI maintainer token harvested from the upstream Trivy compromise on 2026-03-19. PyPI quarantined the releases roughly 40 minutes after the first publication, but litellm averages ~3M daily downloads and is present in an estimated ~36% of cloud environments running LLM workloads, so the practical exposure is large.

Persistence trick

The malicious wheels include a litellm_init.pth file alongside the legitimate code. Python's site module executes .pth files at every interpreter start, so the stealer runs whenever any Python script on the host starts — not only on import litellm. The implant also writes a sysmon.service user systemd unit, drops binaries at /tmp/pglog, and stages payloads in ~/.config/sysmon/.

Capabilities

  • Harvests environment variables, SSH keys, ~/.aws/, ~/.config/gcloud/, Azure CLI tokens, kubeconfigs, and discovered DB password files.
  • On detected Kubernetes hosts, deploys privileged pods named node-setup-* in kube-system for cluster-wide lateral movement.
  • Exfiltrates to models.litellm.cloud (a typosquat of the legitimate litellm.ai) with checkmarx.zone as fallback.

Scale

TeamPCP later claimed ~500,000 credentials harvested across the broader cascade, with LiteLLM described as the highest-yield single hop because .pth execution snares secrets from any unrelated Python tooling on the same host. PyPI, BerriAI, and JFrog jointly published IoCs and a remediation playbook on 2026-03-24 and 2026-03-25.

Affected packages (1)

  • PyPIlitellm
    1.82.71.82.8

Impact

  • Env vars, SSH keys, AWS/GCP/Azure credentials, K8s tokens, DB passwords harvested
  • .pth file ensures execution on every interpreter init, not only on install
  • Privileged K8s pod deployment for cluster-wide lateral movement
  • systemd user persistence (sysmon.service)

What to do

  1. 1Downgrade to litellm1.82.6 or upgrade to a clean post-incident release
  2. 2Delete litellm_init.pth from site-packages and rotate every reachable secret
  3. 3Remove the sysmon.service systemd user unit and /tmp/pglog, ~/.config/sysmon/
  4. 4Remove rogue node-setup-* pods in kube-system and rotate cluster credentials
  5. 5Block models.litellm.cloud and checkmarx.zone at the network edge

References

pypi-2026-03-24-litellm-teampcp