Ethical Hacking News
LiteLLM, a popular Python package used by millions, has been compromised by the TeamPCP hacking group. The malicious versions deployed an infostealer that harvested sensitive data from hundreds of thousands of devices, exposing users to significant security risks.
LiteLLM, a popular Python library, was compromised by the TeamPCP hacking group on PyPI. The malicious versions of LiteLLM (1.82.7 and 1.82.8) contained hidden payloads that executed when imported into a Python environment. Version 1.82.8 introduced a feature that installed a '.pth' file, allowing the payload to be executed whenever Python was run. The compromised LiteLLM deployed a variant of the "TeamPCP Cloud Stealer" and a persistence script, harvesting credentials from devices. Stolen data included system reconnaissance, SSH keys, cloud credentials, Kubernetes service account tokens, environment files, database credentials, TLS private keys, cryptocurrency wallet data, and more. Ongoing monitoring of outbound traffic to known attacker domains is recommended to prevent further attacks.
On March 24, 2026, a worrying incident involving a popular Python package on the PyPI (Python Package Index) repository took place. The incident has left many in the cybersecurity community scrambling to comprehend the intricacies of this complex attack, which ultimately exposed hundreds of thousands of devices to credential theft.
LiteLLM, an open-source Python library designed as a gateway to various large language model providers via a single API, had been compromised by the TeamPCP hacking group. Malicious versions 1.82.7 and 1.82.8 of LiteLLM were published on PyPI; they contained hidden payloads that executed when the package was imported into a Python environment.
According to Endor Labs' research, the malicious code was injected into 'litellm/proxy/proxy_server.py' as a base64-encoded payload, which is decoded and executed whenever the module is imported. Version 1.82.8 introduced a more aggressive feature that installed a '.pth' file named 'litellm_init.pth' to the Python environment. Because Python automatically processes all '.pth' files when the interpreter starts, the malicious code would be executed whenever Python was run, even if LiteLLM was not specifically used.
Upon execution, the payload ultimately deployed a variant of the hacker's "TeamPCP Cloud Stealer" and a persistence script. Analysis by BleepingComputer showed that the payload contained virtually the same credential-stealing logic used in the Trivy supply chain attack. The stealer harvested a wide range of credentials and authentication secrets from compromised devices, including:
- System reconnaissance by running hostname, pwd, whoami, uname -a, ip addr, and printenv commands.
- SSH keys and configuration files.
- Cloud credentials for AWS, GCP, and Azure.
- Kubernetes service account tokens and cluster secrets.
- Environment files such as .env variants.
- Database credentials and configuration files.
- TLS private keys and CI/CD secrets.
- Cryptocurrency wallet data.
The cloud stealer payload also included an additional base64 encoded script that was installed as a systemd user service disguised as a "System Telemetry Service," which periodically contacted a remote server at checkmarx[.]zone to download and execute additional payloads.
Stolen data was bundled into an encrypted archive named tpcp.tar.gz and sent to attacker-controlled infrastructure at models.litellm[.]cloud, where the threat actors could access it. Organizations that use LiteLLM are strongly advised to immediately:
- Check for installations of versions 1.82.7 or 1.82.8.
- Rotate all secrets, tokens, and credentials used on, or found within code on, impacted devices.
- Search for persistence artifacts such as '~/.config/sysmon/sysmon.py' and related systemd services.
- Inspect systems for suspicious files like '/tmp/pglog' and '/tmp/.pg_state'.
- Review Kubernetes clusters for unauthorized pods in the 'kube-system' namespace.
- Monitor outbound traffic to known attacker domains.
If compromise is suspected, all credentials on affected systems should be treated as exposed and rotated immediately. Both researchers and threat actors have told BleepingComputer that while rotating secrets is difficult, it is one of the best ways to prevent cascading supply chain attacks.
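The local checks from the list above, together with the '.pth' behaviour described earlier, can be scripted as a read-only triage pass. This is an added example, not code from the article or from the researchers it cites; the function names, the `home`/`root` parameters and the reliance on pip's `litellm-*.dist-info/METADATA` layout are assumptions of the example.

```python
import re
import sys
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}   # versions named in the article
PTH_NAME = "litellm_init.pth"         # .pth file named in the article
# Host artifacts named in the article; "~" is resolved against `home`.
HOST_ARTIFACTS = ["~/.config/sysmon/sysmon.py", "/tmp/pglog", "/tmp/.pg_state"]


def litellm_versions(site_dir):
    """Yield Version fields from litellm-*.dist-info/METADATA in a site dir."""
    for meta in site_dir.glob("litellm-*.dist-info/METADATA"):
        m = re.search(r"^Version:\s*(\S+)", meta.read_text(errors="replace"), re.M)
        if m:
            yield m.group(1)


def exec_lines(pth):
    """Lines of a .pth file that site.py executes: those starting with 'import'."""
    text = pth.read_text(errors="replace")
    return [l for l in text.splitlines() if l.startswith(("import ", "import\t"))]


def triage(site_dirs, home, root=Path("/")):
    """Read-only scan; returns a sorted list of (kind, path-or-detail)."""
    found = set()
    for sd in map(Path, site_dirs):
        for v in litellm_versions(sd):
            if v in BAD_VERSIONS:
                found.add(("bad-version", f"{sd}: litellm {v}"))
        for pth in sd.glob("*.pth"):
            if pth.name == PTH_NAME:
                found.add(("ioc-pth", str(pth)))
            elif exec_lines(pth):
                found.add(("review-pth", str(pth)))  # executable, not proof of malice
    for art in HOST_ARTIFACTS:
        p = home / art[2:] if art.startswith("~/") else root / art.lstrip("/")
        if p.exists():
            found.add(("ioc-file", str(p)))
    return sorted(found)


if __name__ == "__main__":
    # Usage (assumed invocation): python3 -S triage.py /path/to/site-packages ...
    for kind, detail in triage(sys.argv[1:], Path.home()):
        print(f"{kind}\t{detail}")
```

Start the interpreter with `-S` when scanning, so that the scanner's own startup does not process the '.pth' files it is about to inspect. The systemd service, Kubernetes and network checks from the list are outside what this script covers.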
A comprehensive understanding of such incidents is crucial for staying ahead of emerging threats. Organizations must remain vigilant and take proactive steps to safeguard their systems against potential attacks like this one.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Great-LiteLLM-Betrayal-A-Supply-Chain-Attack-on-a-PyPI-Package-ehn.shtml
https://www.bleepingcomputer.com/news/security/popular-litellm-pypi-package-compromised-in-teampcp-supply-chain-attack/
https://www.sonatype.com/blog/compromised-litellm-pypi-package-delivers-multi-stage-credential-stealer
https://www.penligent.ai/hackinglabs/litellm-on-pypi-was-compromised-what-the-attack-changed-and-what-defenders-should-do-now/
https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html
https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack
https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/
https://www.securityweek.com/aquas-trivy-vulnerability-scanner-hit-by-supply-chain-attack/
https://arstechnica.com/security/2026/03/self-propagating-malware-poisons-open-source-software-and-wipes-iran-based-machines/
https://www.itnews.com.au/news/teampcp-hackers-deface-aqua-securitys-internal-github-624527
Published: Tue Mar 24 19:16:26 2026 by llama3.2 3B Q4_K_M