

Ethical Hacking News

TeamPCP's Supply Chain Attack: A Malicious Tide Sweeps Through Python Packages




A new threat actor has compromised a popular Python package named litellm, pushing two malicious versions containing a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor. The payload is a three-stage attack that can be triggered without requiring any user interaction. TeamPCP has demonstrated a consistent pattern in which each compromised environment yields credentials that unlock the next target. Users are advised to audit their environments, isolate affected hosts, and revoke exposed credentials to contain the threat.

  • The threat actor TeamPCP compromised a popular Python package named litellm, publishing malicious versions containing a credential harvester, Kubernetes lateral movement toolkit, and persistent backdoor.
  • The payload is a three-stage attack: credential harvesting, Kubernetes lateral movement, and persistence via systemd backdoor.
  • The attack uses a "litellm_init.pth" file to execute automatically on every Python process startup, making it highly dangerous.
  • The payload can trigger without user interaction, leveraging Kubernetes service account tokens to enumerate nodes and deploy privileged pods.
  • Users are advised to audit environments for litellm versions 1.82.7 or 1.82.8, isolate affected hosts, and revoke exposed credentials to contain the threat.



    The threat actor behind the recent compromises of Trivy and KICS, TeamPCP, has now compromised a popular Python package named litellm, pushing two malicious versions containing a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor. According to multiple security vendors, including Endor Labs and JFrog, litellm versions 1.82.7 and 1.82.8 were published on March 24, 2026, likely stemming from the package's use of Trivy in its CI/CD workflow.

    The payload is a three-stage attack: a credential harvester sweeping SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files; a Kubernetes lateral movement toolkit deploying privileged pods to every node; and a persistent systemd backdoor (sysmon.service) polling 'checkmarx[.]zone/raw' for additional binaries. Endor Labs researcher Kiran Raj stated that the malicious code is embedded in the "litellm/proxy/proxy_server.py" file, with the injection performed during or after the wheel build process.

    The next iteration of the package adds a "more aggressive vector" by incorporating a malicious "litellm_init.pth" at the wheel root, causing the logic to be executed automatically on every Python process startup in the environment, not just when litellm is imported. Furthermore, the payload decodes to an orchestrator that unpacks a credential harvester and a persistence dropper.

    Another aspect that makes 1.82.8 more dangerous is the fact that the .pth launcher spawns a child Python process via subprocess.Popen, which allows the payload to be run in the background. "Python .pth files placed in site-packages are processed automatically by site.py at interpreter startup," Endor Labs said. "The file contains a single line that imports a subprocess and launches a detached Python process to decode and execute the same Base64 payload."
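    The startup behaviour Endor Labs describes can be checked for directly. The following is an added example, not code from the article or from any vendor: it lists every line in a directory's .pth files that site.py would execute and flags lines matching a heuristic token list chosen for this example. The sample files are constructed placeholders.

```python
import os
import re
import tempfile

# Heuristic for this example: tokens that a path-configuration file rarely needs.
SUSPICIOUS = re.compile(r"subprocess|Popen|base64|exec\(|eval\(|os\.system")

def executable_pth_lines(site_dir):
    """Return (file, line_no, suspicious, text) for every line site.py would exec()."""
    findings = []
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(site_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, line in enumerate(fh, 1):
                # site.py executes a line only if it starts with "import" + space or tab;
                # every other non-comment line is treated as a directory for sys.path.
                if line.startswith(("import ", "import\t")):
                    hit = bool(SUSPICIOUS.search(line))
                    findings.append((name, line_no, hit, line.strip()))
    return findings

def demo():
    """Scan a constructed directory; files go to a temp dir and are never loaded."""
    d = tempfile.mkdtemp()
    samples = {
        "paths.pth": "/opt/example/lib\n# comment\n",
        "editable_hook.pth": "import os; os.environ.setdefault('EXAMPLE_FLAG', '1')\n",
        # Constructed placeholder for the launcher line, not the real payload.
        "litellm_init.pth": "import subprocess  # constructed placeholder\n",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return [(f, n, s) for f, n, s, _ in executable_pth_lines(d)]

if __name__ == "__main__":
    import site
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        if os.path.isdir(d):
            for finding in executable_pth_lines(d):
                print(d, *finding)
```

    Legitimate packages also ship executable .pth lines, so an unflagged line is a lead to review, not a verdict.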

    The payload is engineered to trigger without requiring any user interaction, making it highly dangerous. It also leverages the Kubernetes service account token (if present) to enumerate all nodes in the cluster and deploy a privileged pod to each one of them.

    The persistent systemd service is configured to launch a Python script ("~/.config/sysmon/sysmon.py") – the same name used in the Trivy compromise – that reaches out to "checkmarx[.]zone/raw" every 50 minutes to fetch a URL pointing to the next-stage payload. If the URL contains youtube[.]com, the script aborts execution – a kill switch pattern common to all the incidents observed so far.

    TeamPCP has demonstrated a consistent pattern: each compromised environment yields credentials that unlock the next target. The pivot from CI/CD (GitHub Actions runners) to production (PyPI packages running in Kubernetes clusters) is a deliberate escalation. This campaign is almost certainly not over, and TeamPCP has demonstrated a sustained operation targeting high-leverage points in the software supply chain.

    The malicious versions were published on March 24, 2026, with the compromise likely stemming from the package's use of Trivy in its CI/CD workflow. The compromised versions were removed from PyPI shortly after the discovery. However, the impact of this attack will be felt for a long time, and users are advised to perform certain actions to contain the threat.

    These actions include auditing all environments for litellm versions 1.82.7 or 1.82.8 and reverting to a clean version if found; isolating affected hosts; checking for the presence of rogue pods in Kubernetes clusters; reviewing network logs for egress traffic to "models.litellm[.]cloud" and "checkmarx[.]zone"; removing persistence mechanisms; auditing CI/CD pipelines for usage of tools like Trivy and KICS during the compromise windows; and revoking and rotating all exposed credentials.
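    The host-side part of that audit can be scripted. The following is an added example, not tooling from the article or its sources: it checks site-packages directories for the affected litellm versions and the litellm_init.pth launcher, and a home directory for the sysmon persistence files. The systemd unit directory is an assumption (the standard per-user location), since the article names only the unit; the demo tree is constructed and contains empty files.

```python
import site
import tempfile
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}   # versions named in the article
ARTIFACTS = [                         # paths relative to a user's home directory
    ".config/sysmon/sysmon.py",       # backdoor script path given in the article
    # Assumption: per-user systemd unit directory; the article names only the unit.
    ".config/systemd/user/sysmon.service",
]

def metadata_headers(meta_path):
    """Parse the RFC 822-style header block of a dist-info METADATA file."""
    headers = {}
    for line in meta_path.read_text(encoding="utf-8", errors="replace").splitlines():
        if not line.strip():
            break                     # headers end at the first blank line
        key, sep, value = line.partition(":")
        if sep:
            headers.setdefault(key, value.strip())
    return headers

def audit(site_dirs, home):
    """Return (kind, path) findings for the indicators the article lists."""
    findings = []
    for sdir in map(Path, site_dirs):
        for meta in sorted(sdir.glob("*.dist-info/METADATA")):
            h = metadata_headers(meta)
            if h.get("Name", "").lower() == "litellm" and h.get("Version") in BAD_VERSIONS:
                findings.append(("affected-version", str(meta.parent)))
        if (sdir / "litellm_init.pth").exists():
            findings.append(("pth-launcher", str(sdir / "litellm_init.pth")))
    for rel in ARTIFACTS:
        if (Path(home) / rel).exists():
            findings.append(("persistence", str(Path(home) / rel)))
    return findings

def demo():
    """Run the audit over a constructed tree (empty files, not real malware)."""
    root = Path(tempfile.mkdtemp())
    dist = root / "site-packages" / "litellm-1.82.8.dist-info"
    dist.mkdir(parents=True)
    (dist / "METADATA").write_text("Name: litellm\nVersion: 1.82.8\n\nbody\n")
    (root / "site-packages" / "litellm_init.pth").write_text("")
    (root / "home" / ".config" / "sysmon").mkdir(parents=True)
    (root / "home" / ".config" / "sysmon" / "sysmon.py").write_text("")
    return [kind for kind, _ in audit([root / "site-packages"], root / "home")]

if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for kind, path in audit(dirs, Path.home()):
        print(kind, path)
```

    A clean result covers only the interpreter and user it ran under; the rogue-pod, network-log and credential-rotation steps still need their own checks.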

    The attack highlights the vulnerability of the open-source supply chain. As Gal Nagli, head of threat exposure at Google-owned Wiz, stated in a post on X, "The open source supply chain is collapsing in on itself." The snowball effect from this will be massive, and many favorite security tools and open-source projects will be targeted in the months to come.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/TeamPCPs-Supply-Chain-Attack-A-Malicious-Tide-Sweeps-Through-Python-Packages-ehn.shtml

  • https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html

  • https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack

  • https://thehackernews.com/2026/03/trivy-supply-chain-attack-triggers-self.html

  • https://cstromblad.com/posts/threat-actor-profile-teampcp/

  • https://arstechnica.com/security/2026/03/self-propagating-malware-poisons-open-source-software-and-wipes-iran-based-machines/


  • Published: Tue Mar 24 15:07:05 2026 by llama3.2 3B Q4_K_M












