A critical software supply chain attack hit the Python ecosystem on March 24, 2026, when the widely used LiteLLM library was compromised on PyPI. Malicious versions 1.82.7 and 1.82.8 of the library, downloaded over 95 million times monthly, became a backdoor for systems, potentially exposing 36% of cloud environments. The TeamPCP hacking group is responsible for the breach, which deployed an advanced infostealer and persistent backdoor on affected machines.[xda-developers+5]
Hackers Steal Credentials and Plant Backdoors
The TeamPCP group pushed the malicious versions of LiteLLM to PyPI, the Python Package Index, on March 24, 2026.Security researchers from Endor Labs and SafeDep quickly identified the threat.The compromised packages were available for approximately three hours before PyPI quarantined them, containing code designed to steal sensitive data.The malware systematically collected a wide range of credentials from host systems. This included SSH keys, cloud provider credentials for Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.Attackers also targeted Kubernetes secrets, environment variables, Docker configurations, database credentials, and even cryptocurrency wallets.[xda-developers+20]
LiteLLM is a popular open-source Python library. It acts as a universal translator for over 100 different Large Language Models (LLMs), converting API requests into a standard OpenAI format.Its deep integration into AI development workflows makes it a particularly valuable target. LiteLLM often operates in environments rich with API keys, cloud credentials, and sensitive configuration data.The library boasts more than 40,000 stars on GitHub and sees an astounding 3.4 million daily downloads, with over 95 million downloads in the past month.Wiz data shows LiteLLM is present in 36% of cloud environments, signifying the potential for widespread impact.[xda-developers+12]
How the Attack Unfolded
The attack employed two distinct methods to deliver its malicious payload. In version 1.82.7, the attackers embedded the malicious code within the `litellm/proxy/proxy_server.py` file. This code would execute as soon as a user imported the LiteLLM module.For version 1.82.8, threat actors escalated the danger significantly. They added a malicious `.pth` file, named `litellm_init.pth`, to the package.Python's `.pth` files are a mechanism that allows arbitrary code to run during the interpreter's initialization. This means the payload would execute automatically every time Python started on a machine, even if a user never explicitly imported the LiteLLM library.[bleepingcomputer+16]
Once triggered, the malware initiated a sophisticated, multi-stage infection chain. The initial loader executed a credential-harvesting script that systematically collected sensitive data from the host system.Beyond data theft, the malware also attempted lateral movement within Kubernetes clusters. It did this by deploying privileged pods across all nodes in a cluster, which mounted the host filesystem.Finally, the malware installed a persistent backdoor. This backdoor, disguised as a "System Telemetry Service" using systemd, periodically contacted a command-and-control (C2) server to fetch and execute additional payloads.The harvested data was encrypted using a hybrid scheme, bundled into a `tpcp.tar.gz` archive, and exfiltrated to an attacker-controlled domain.[endorlabs+17]
TeamPCP's Expanding Campaign
The compromise of LiteLLM is not an isolated incident. It marks the latest event in a broader, month-long supply chain campaign orchestrated by the TeamPCP hacking group.TeamPCP is a financially motivated threat actor that emerged in late 2025. The group is known for targeting cloud-native infrastructure through exposed CI/CD pipelines, Docker APIs, and Kubernetes clusters.Their strategy involves leveraging credentials stolen from cloud workloads and GitHub Actions runners via memory scrapers.[endorlabs+3]
Just days before the LiteLLM incident, TeamPCP compromised Aqua Security's Trivy vulnerability scanner on March 19, 2026.They also targeted Checkmarx's KICS GitHub Action on March 23.The PyPI advisory identified that an API token exposed during the earlier Trivy incident was the likely root cause for the LiteLLM compromise. This token was stolen via a compromised Trivy GitHub Action in LiteLLM's CI/CD pipeline.Endor Labs stated, "The infrastructure and tradecraft match TeamPCP, the actor behind a month-long supply chain campaign that has now crossed five ecosystems."This pattern includes GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI.The group's consistent playbook involves compromising maintainer accounts or credentials, pushing malicious versions to package registries, and deploying multi-stage credential stealers.TeamPCP has also been linked to the CanisterWorm malware, which targeted the npm ecosystem and deployed a persistent Python backdoor that uses a decentralized blockchain network for command-and-control, making it harder to take down.[xda-developers+13]
Community Response and Future Risks
The Python community and security researchers acted swiftly to the threat, leading to the rapid quarantine and removal of the malicious LiteLLM packages from PyPI.This incident underscores the ongoing and evolving risks inherent in software supply chains. A single compromised dependency can have far-reaching and devastating consequences across numerous systems and organizations.Security firms like ReversingLabs reported a significant 73% increase in detections of malicious open-source packages in 2025 alone.[wiz+4]
The Python Software Foundation has been actively working to enhance PyPI security. In 2025, they introduced mandatory two-factor authentication for all maintainers of critical packages to help combat such attacks.They also improved ZIP file security, implemented typosquatting detection, and enhanced phishing protection.[medium+2]
Organizations and developers using LiteLLM versions 1.82.7 or 1.82.8 should take immediate action. They must rotate all potentially compromised credentials, including SSH keys, cloud tokens, Kubernetes secrets, and any other sensitive access data.Additionally, they should conduct thorough scans of their systems for any signs of compromise or persistent backdoors. This incident serves as a stark reminder that continuous vigilance, robust security practices, and proactive measures are essential in defending against sophisticated and rapidly evolving supply chain threats.[safedep+1]
