LiteLLM PyPI compromise: Everything we know so far
The TeamPCP hacking group is believed to have successfully backdoored the package to harvest credentials
Hackers linked to the TeamPCP threat group have reportedly compromised a Python package with more than 95 million monthly downloads.
LiteLLM is a widely used open source library that lets developers route requests across large language model (LLM) providers through a single API.
According to researchers at Endor Labs, versions 1.82.7 and 1.82.8 on PyPI contain malicious code not present in the upstream GitHub repository.
Both versions include a backdoored file that decodes and executes a hidden payload the moment the file is imported. Version 1.82.8 goes further, installing a .pth file that runs the payload on any Python invocation, even if litellm is never imported.
The attackers are able to harvest credentials such as SSH keys, cloud tokens, Kubernetes secrets, crypto wallets, and .env files, and attempt lateral movement across Kubernetes clusters by deploying privileged pods to every node.
Researchers also warned that threat actors are able to install a persistent systemd backdoor that polls for additional binaries. The stolen data is then encrypted and sent to an attacker-controlled domain.
"The infrastructure and tradecraft match TeamPCP, the actor behind a month-long supply chain campaign that has now crossed five ecosystems: GitHub Actions, Docker Hub, npm (CanisterWorm), OpenVSX, and PyPI," said Endor researcher Kiran Raj.
"The pattern is deliberate. TeamPCP has recently targeted security-adjacent tools, including Aqua Security's Trivy, a vulnerability scanner, and Checkmarx's KICS, an IaC analyzer, and now an LLM proxy. These tools run in environments that are likely to contain valuable credentials and other secrets, so compromising them gives the attacker broad access."
Malicious LiteLLM versions removed
Both malicious LiteLLM versions have now been removed from PyPI. Users are advised to check whether they're running one of the affected versions, and, for 1.82.8 specifically, also check for the .pth file in site-packages.
They should search for persistence artifacts such as '~/.config/sysmon/sysmon.py' and related systemd services, and inspect systems for suspicious files such as '/tmp/pglog' and '/tmp/.pg_state'.
Finally, they should check for attacker pods in Kubernetes clusters where LiteLLM was deployed, and monitor outbound traffic to known attacker domains.
If compromise is suspected, all credentials on affected systems should be treated as exposed and rotated immediately.
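The host-side checks described above can be scripted. The following is an added example, not code from Endor Labs or the LiteLLM project; the function names are hypothetical, and because the article does not name the .pth file, the script lists every .pth file containing lines that Python executes at startup so they can be reviewed.

```python
import site
from importlib import metadata
from pathlib import Path

# Values below are the ones the article names; nothing else is assumed.
AFFECTED_VERSIONS = {"1.82.7", "1.82.8"}
ARTIFACT_PATHS = ["~/.config/sysmon/sysmon.py", "/tmp/pglog", "/tmp/.pg_state"]

def litellm_version():
    """Installed litellm version in this interpreter's environment, or None."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None

def is_affected(version):
    return version in AFFECTED_VERSIONS

def executable_pth_lines(site_dirs):
    """Map each .pth file to the lines Python's site module would exec at startup.

    site.py executes any .pth line beginning with 'import ' or 'import\\t'.
    Legitimate packages also use this, so hits need review, not automatic deletion.
    """
    hits = {}
    for d in map(Path, site_dirs):
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            text = pth.read_text(encoding="utf-8", errors="replace")
            lines = [l.strip() for l in text.splitlines()
                     if l.startswith(("import ", "import\t"))]
            if lines:
                hits[str(pth)] = lines
    return hits

def existing_artifacts(paths=ARTIFACT_PATHS):
    """Return the listed artifact paths that exist for the current user."""
    return [p for p in paths if Path(p).expanduser().exists()]

if __name__ == "__main__":
    v = litellm_version()
    print(f"litellm version: {v} (affected: {is_affected(v)})")
    dirs = set(site.getsitepackages() + [site.getusersitepackages()])
    for path, lines in executable_pth_lines(dirs).items():
        print(f"review {path}:")
        for line in lines:
            print(f"    {line[:120]}")
    for p in existing_artifacts():
        print(f"artifact present: {p}")
```

Run it with each Python interpreter and virtual environment on the host, since site-packages and the installed version differ per environment. A clean version result does not rule out an earlier install that has since been upgraded or removed.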
LiteLLM breach linked to Trivy compromise
The breach appears to be linked to the recent compromise of Trivy, in which the abuse of a trusted vulnerability scanner in CI/CD pipelines enabled credential theft that was apparently used to poison LiteLLM’s PyPI release chain.
“Compared with previous attacks involving AI tools, this is one of the more serious recent incidents because it was not just an abuse of model behavior, prompt injection, or an application bug. It’s a software supply-chain compromise that led to malicious package publication, credential theft, and persistence on affected hosts," said Cory Michal, CISO at AppOmni.
“What makes it especially notable is that the LiteLLM compromise appears to have been downstream fallout from the earlier Trivy breach, meaning attackers may have used one trusted CI/CD compromise to poison another widely used AI-layer dependency, which is exactly the kind of cascading, transitive risk security teams worry about most."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
