Grand Pinnacle Tribune


TeamPCP Supply Chain Attacks Escalate Across Open Source

A sophisticated malware campaign targeting LiteLLM and Trivy exposes deep vulnerabilities in trusted developer tools, prompting urgent calls for sweeping remediation and security reforms.

On March 24, 2026, the software development world was rocked by a sophisticated supply chain attack targeting the widely used LiteLLM Python library, a package downloaded more than 95 million times each month. The breach, attributed to the notorious threat actor TeamPCP, marks the latest escalation in a string of attacks that have swept through the open source ecosystem, exposing the vulnerabilities lurking at the heart of modern software pipelines.

LiteLLM, an open source library designed to streamline access to various large language model providers via a single API, is deeply embedded in AI development workflows. Its popularity and integration into environments rich with sensitive data—API keys, cloud credentials, and configuration files—made it a particularly juicy target. According to Endor Labs, two malicious releases, versions 1.82.7 and 1.82.8, were published to PyPI, the Python Package Index. These versions contained credential-stealing malware absent from the project’s official GitHub repository. The last clean release, version 1.82.6, stands as a stark reminder of how quickly trust can be undermined in the open source world.

The attack itself was a masterclass in subtlety and technical cunning. In version 1.82.7, attackers injected just 12 lines of obfuscated code into the litellm/proxy/proxy_server.py file during or after the package’s wheel build process. This code executed automatically when the module was imported, quietly decoding a hefty base64 payload and launching it via a Python subprocess. But TeamPCP didn’t stop there. In version 1.82.8, they upped the ante by adding a litellm_init.pth file at the package root, ensuring the malicious payload would run every time the Python interpreter started—even if LiteLLM itself was never explicitly imported. As Endor Labs explained, “Python .pth files placed in site-packages are processed automatically by site.py at interpreter startup. The file contains a single line that imports a subprocess and launches a detached Python process to decode and execute the same Base64 payload.”
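The .pth mechanism described above is easy to audit for, because site.py only executes lines that begin with "import"; every other non-comment line is just a path added to sys.path. The scanner below is an added illustration for this article, not code from LiteLLM, Endor Labs or the malware itself. It walks site-packages directories, keeps only import lines that reference process-spawning or decoding modules, and builds a throwaway directory with two constructed .pth files to show the difference between an editable-install stub and a startup hook.

```python
"""Scan site-packages for .pth files that execute code at interpreter startup.

Added illustration, not LiteLLM or Endor Labs code. site.py treats any .pth line
that starts with "import" as a Python statement and executes it; every other
non-comment line is appended to sys.path as a path. An import line that pulls in
subprocess or base64 is the pattern described above and deserves a close look.
"""
import os
import re
import site
import tempfile

# Modules and calls that have no business in a path-configuration file.
# Editable installs legitimately write "import sys; sys.path.insert(...)",
# so the test is what an import line references, not whether one exists.
SUSPICIOUS = re.compile(
    r"\b(subprocess|base64|socket|urllib|requests|os\.system|exec|eval)\b"
)


def scan_pth_file(path):
    """Return [(line_no, line), ...] for lines in one .pth file that site.py
    would execute and that reference something in SUSPICIOUS."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("import") and SUSPICIOUS.search(line):
                findings.append((no, line))
    return findings


def scan_site_packages(dirs=None):
    """Scan every .pth file in `dirs` (default: this interpreter's global and
    user site-packages). Returns {pth_path: findings} for flagged files only."""
    if dirs is None:
        dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            full = os.path.join(d, name)
            hits = scan_pth_file(full)
            if hits:
                report[full] = hits
    return report


def demo():
    """Build a throwaway directory holding one benign .pth and one that would
    spawn a process at startup (constructed samples, not the real payload)."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "editable_pkg.pth"), "w") as fh:
        fh.write("/home/dev/src/my_project\n")                          # path entry
        fh.write("import sys; sys.path.insert(0, '/home/dev/src')\n")   # harmless import
    with open(os.path.join(tmp, "suspicious_init.pth"), "w") as fh:
        fh.write("import subprocess, base64; subprocess.Popen(['python', '-c', 'pass'])\n")
    return scan_site_packages([tmp])


if __name__ == "__main__":
    for path, hits in demo().items():
        for no, line in hits:
            print(f"{path}:{no}: {line}")
```

Run with no arguments it scans the interpreter it is launched from, so run it once per virtual environment and container image rather than once per host. A clean result does not prove a package is safe, but a flagged file in an environment that only installed ordinary libraries is worth treating as an incident.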

Once triggered, the malware launched a three-stage attack. First, a credential harvester swept up SSH keys, cloud provider credentials (AWS, GCP, Azure), Kubernetes secrets, environment files, database configs, cryptocurrency wallets, and system metadata like IP addresses and routing tables. The harvested data was encrypted using a hybrid scheme and archived as tpcp.tar.gz, before being exfiltrated to an attacker-controlled domain—specifically, models.litellm.cloud, via HTTPS POST requests. The attack didn’t stop at simple data theft. Leveraging Kubernetes service account tokens, the malware attempted lateral movement by deploying privileged pods across all nodes in a cluster. These pods mounted the host filesystem and installed a persistent backdoor as a systemd user service named “System Telemetry Service” (or sysmon.service). This backdoor contacted a second command-and-control server at checkmarx.zone/raw every 50 minutes to fetch and execute additional payloads, allowing attackers to maintain long-term access and adapt their tactics as needed. Notably, the backdoor included a kill switch: if the fetched URL contained “youtube.com,” the script would abort execution—a quirky but effective safeguard for the attackers.

Security vendors including Endor Labs and JFrog quickly linked the LiteLLM compromise to TeamPCP, based on clear overlaps in infrastructure and techniques. These included the persistence mechanism using ~/.config/sysmon/sysmon.py, the use of the checkmarx.zone domain, matching exfiltration filenames, and consistent Kubernetes-based propagation. The attack's sophistication and rapid escalation pointed to a deliberate campaign. As Endor Labs researcher Kiran Raj noted, “The payload is a three-stage attack: a credential harvester sweeping SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files; a Kubernetes lateral movement toolkit deploying privileged pods to every node; and a persistent systemd backdoor (sysmon.service) polling 'checkmarx[.]zone/raw' for additional binaries.”

This breach did not occur in isolation. TeamPCP had already made waves earlier in March by compromising Aqua Security’s Trivy scanner—a widely used open source security tool. The Trivy attack began in late February 2026, when an automated bot exploited a misconfigured workflow to steal a privileged Personal Access Token (PAT) from a CI environment. Using this access, the attackers published a malicious Trivy binary release (v0.69.4) and force-pushed malicious commits to dozens of tags in the aquasecurity/trivy-action and aquasecurity/setup-trivy repositories. The injected payloads, two Python infostealers, exfiltrated sensitive data from CI/CD runner memory and local files—SSH keys, cloud tokens, environment variables—to attacker-controlled domains or, as a backup, to public GitHub repositories.

According to GitGuardian Blog, the Trivy compromise was especially dangerous because it weaponized trusted automation. Many organizations pin their workflows to a repository tag, assuming it’s immutable and secure. But by force-pushing updated tags, the attackers turned these trusted references into silent malware delivery channels. The legitimate Trivy scan would still run, giving users no immediate reason to suspect foul play. As one security researcher observed, “Trivy gets compromised → LiteLLM gets compromised → credentials from tens of thousands of environments end up in attacker hands → and those credentials lead to the next compromise. We are stuck in a loop.”
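The weakness GitGuardian describes is that a tag is a movable pointer, while a full commit SHA cannot be changed without changing the SHA itself. The check below is an added example written for this article, not GitGuardian or Aqua Security code: it pulls every `uses:` reference out of a workflow file and reports the ones that resolve through a tag or branch. The workflow text and the example-org/* action names are constructed placeholders.

```python
"""Flag GitHub Actions `uses:` references that point at a mutable ref (tag or
branch) rather than a full commit SHA.

Added example, not GitGuardian or Aqua Security code. A tag can be force-pushed
to new content, as the article describes; a 40-hex commit SHA cannot be changed
without changing the SHA itself. The workflow text is constructed, with
placeholder action names.
"""
import re

# `uses:` value up to whitespace or an inline comment, e.g. "owner/repo@ref".
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses_value):
    """Return one of 'local', 'docker', 'unpinned', 'sha', 'mutable'."""
    if uses_value.startswith("./"):
        return "local"          # action from the same repository: already under your control
    if uses_value.startswith("docker://"):
        return "docker"         # image reference; pin by digest, checked separately
    if "@" not in uses_value:
        return "unpinned"       # no ref at all
    ref = uses_value.rsplit("@", 1)[1]
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def find_mutable_pins(workflow_yaml):
    """Return [(action, ref, kind), ...] for every `uses:` that is not pinned to a
    full commit SHA and is not a local action."""
    findings = []
    for match in USES_RE.finditer(workflow_yaml):
        value = match.group(1)
        kind = classify_ref(value)
        if kind in ("sha", "local"):
            continue
        action, _, ref = value.partition("@")
        findings.append((action, ref, kind))
    return findings


# Constructed workflow; "example-org/*" are placeholders, not real actions.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@v4
      - name: Run scanner
        uses: example-org/scanner-action@0.1.2   # tag: can be moved after the fact
      - uses: example-org/setup-tool@main
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for action, ref, kind in find_mutable_pins(SAMPLE_WORKFLOW):
        print(f"{kind:9} {action}@{ref}")
```

The SHA-pinned entry keeps the human-readable version in a trailing comment, which is the convention tools such as Dependabot understand when they propose updates. Pinning by SHA protects against a moved tag; it does not protect against a compromised commit that was already pinned, so the pin still needs to be reviewed when it is first introduced.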

The LiteLLM attack likely originated from its use of Trivy in its CI/CD workflow, highlighting how one breach can cascade into another. TeamPCP’s campaign has now spanned five ecosystems—GitHub Actions, Docker Hub, npm, Open VSX, and PyPI—demonstrating a relentless drive to expand their reach. In a brazen message posted on their Telegram channel, TeamPCP taunted, “These companies were built to protect your supply chains yet they can't even protect their own, the state of modern security research is a joke, as a result we're gonna be around for a long time stealing terrabytes [sic] of trade secrets with our new partners.” They warned that the “snowball effect” would be massive, with more security tools and open-source projects likely to be targeted in the coming months.

Security experts are urging organizations to take immediate action. They recommend auditing all environments for LiteLLM versions 1.82.7 or 1.82.8 and reverting to a clean version if found. Affected hosts should be isolated, and Kubernetes clusters checked for rogue pods. Network logs should be reviewed for egress traffic to models.litellm.cloud and checkmarx.zone. Persistence mechanisms must be removed, and all exposed credentials revoked and rotated. Developers are also encouraged to pin dependencies to verified versions, compare distributed packages against upstream source code, and use secure publishing mechanisms like PyPI Trusted Publishers to reduce reliance on static API tokens.
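The first three steps above (find the affected versions, look for egress to the two indicator domains, check for the persistence artefacts) lend themselves to a small triage script. The one below is an added example for this article, not code from any of the vendors named: the version numbers, domains, service name and the ~/.config/sysmon/sysmon.py path are those the article reports; the proxy log lines are constructed; and the systemd user-unit directory ~/.config/systemd/user is the standard location and is assumed, since the article names the service but not where its unit file lives.

```python
"""Triage helpers for the remediation steps above: installed LiteLLM version,
egress to the two indicator domains in proxy logs, and the systemd user-unit
persistence path.

Added example, not vendor code. The version numbers and domains are those the
article names; the log lines are constructed; the systemd user-unit directory
(~/.config/systemd/user) is the standard location and is an assumption, since
the article names the service but not its path.
"""
from importlib import metadata
import os
import re
import tempfile

COMPROMISED_VERSIONS = {"1.82.7", "1.82.8"}   # versions named in the article
IOC_DOMAINS = ("models.litellm.cloud", "checkmarx.zone")
# sysmon.py path from the article; the user-unit directory is the standard one (assumed).
PERSISTENCE_PATHS = [
    os.path.expanduser("~/.config/sysmon/sysmon.py"),
    os.path.expanduser("~/.config/systemd/user/sysmon.service"),
]

# Match the domain or any subdomain of it, but not "notcheckmarx.zone" or
# "checkmarx.zone.example": the name may be preceded by a dot or a non-name
# character and must be followed by a non-name character or end of line.
IOC_RES = [
    (d, re.compile(r"(?<![\w-])" + re.escape(d) + r"(?![\w.-])", re.IGNORECASE))
    for d in IOC_DOMAINS
]


def check_installed_version(version=None):
    """Return (version, compromised). With no argument, read the installed
    litellm distribution; returns (None, False) when it is not installed."""
    if version is None:
        try:
            version = metadata.version("litellm")
        except metadata.PackageNotFoundError:
            return None, False
    return version, version in COMPROMISED_VERSIONS


def find_ioc_egress(log_lines):
    """Return [(domain, line), ...] for log lines that reference an indicator
    domain or any of its subdomains."""
    hits = []
    for line in log_lines:
        for domain, rx in IOC_RES:
            if rx.search(line):
                hits.append((domain, line))
                break
    return hits


def check_persistence(paths=PERSISTENCE_PATHS):
    """Return the subset of persistence paths that exist on this host."""
    return [p for p in paths if os.path.exists(p)]


# Constructed egress-proxy access log, not a real capture.
SAMPLE_PROXY_LOG = [
    "2026-03-24T10:01:07Z CONNECT api.example-llm-provider.com:443 200",
    "2026-03-24T10:01:09Z POST https://models.litellm.cloud/upload 200 4194304",
    "2026-03-24T10:51:12Z GET https://checkmarx.zone/raw 200 812",
    "2026-03-24T10:52:00Z GET https://pypi.org/simple/litellm/ 200 5120",
    "2026-03-24T11:41:30Z GET https://cdn.checkmarx.zone/raw 200 812",
]


def demo_persistence():
    """Stage a fake sysmon.service in a temp dir (constructed) and run the check
    against it plus a path that does not exist."""
    tmp = tempfile.mkdtemp()
    fake_unit = os.path.join(tmp, "sysmon.service")
    with open(fake_unit, "w") as fh:
        fh.write("[Unit]\nDescription=System Telemetry Service\n")
    return check_persistence([fake_unit, os.path.join(tmp, "missing.service")])


if __name__ == "__main__":
    print("installed litellm:", check_installed_version())
    for domain, line in find_ioc_egress(SAMPLE_PROXY_LOG):
        print(f"egress to {domain}: {line}")
    print("persistence present:", check_persistence())
```

A hit from any of the three checks means the host's credentials should be treated as exposed regardless of what else is found, which is the point the remediation guidance above makes about revoking and rotating everything the environment could reach. The version check matches the two release strings exactly, so run it inside each virtual environment and image rather than once on the host.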

Perhaps the most sobering lesson is the importance of thorough remediation. As the GitGuardian Blog emphasized, incomplete credential rotation after the initial Trivy breach allowed TeamPCP to maintain access and escalate their campaign. “The biggest takeaway here is not that secrets were stolen. That part is already obvious. The bigger lesson is that incomplete cleanup turns one breach into a campaign. Aqua’s own account of the incident points to compromised credentials retained from the earlier breach and a rotation process that did not fully sever access.”

The open source supply chain, once celebrated for its speed and innovation, now finds itself in a precarious position. As Gal Nagli, head of threat exposure at Wiz, put it, “The open source supply chain is collapsing in on itself.” The cycle of compromise and escalation shows no sign of slowing, and the industry must adapt quickly to avoid further chaos.

For now, the message is clear: trust, but verify—and never underestimate the ingenuity of those seeking to exploit the cracks in our digital foundations.
