{"id":11595,"date":"2026-03-25T10:03:41","date_gmt":"2026-03-25T10:03:41","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/25\/litellm-python-package-with-95-million-downloads-compromised-by-teampcp-hackers\/"},"modified":"2026-03-25T10:03:41","modified_gmt":"2026-03-25T10:03:41","slug":"litellm-python-package-with-95-million-downloads-compromised-by-teampcp-hackers","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/25\/litellm-python-package-with-95-million-downloads-compromised-by-teampcp-hackers\/","title":{"rendered":"LiteLLM Python Package With 95 Million Downloads Compromised by TeamPCP Hackers"},"content":{"rendered":"

LiteLLM Python Package With 95 Million Downloads Compromised by TeamPCP Hackers
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A widely used open-source Python library was compromised on the Python Package Index (PyPI). Versions 1.82.7 and 1.82.8 of the package, which route requests across various LLM providers and have over 95 million monthly downloads, were found to contain a sophisticated backdoor by security vendors Endor Labs\u00a0and\u00a0JFrog.<\/p>\n

The malicious code was injected directly into the PyPI distribution, bypassing the clean upstream GitHub repository. This supply chain attack<\/a> is attributed to TeamPCP, a threat actor known for targeting highly privileged developer and security tools.<\/p>\n

The infection chain relies on malicious code execution disguised within legitimate library functions. In version 1.82.7, attackers injected a 12-line base64-encoded payload into the litellm\/proxy\/proxy_server.py<\/code> file. This code triggers silently upon module import.<\/p>\n

Version 1.82.8 escalates the threat by introducing a litellm_init.pth<\/code> file into the root of the wheel. Because Python automatically processes .pth<\/code> files placed in site-packages<\/code> at startup, this secondary vector ensures the payload executes as a background process during any Python invocation in the compromised environment. This means the payload triggers even if litellm<\/code> is never explicitly imported by the developer\u2019s code.<\/p>\n

Affected Package Versions<\/strong><\/h2>\n
\n\n\n\n\n\n\n
Package Name<\/th>\nVersion<\/th>\nPublication Date<\/th>\nInjection Vector<\/th>\nStatus<\/th>\n<\/tr>\n<\/thead>\n
litellm<\/td>\n1.82.7<\/td>\n2026-03-24<\/td>\n\nproxy_server.py<\/code> (import-time)<\/td>\nRemoved<\/td>\n<\/tr>\n
litellm<\/td>\n1.82.8<\/td>\n2026-03-24<\/td>\n\nproxy_server.py<\/code> + litellm_init.pth<\/code> (interpreter startup)<\/td>\nRemoved<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Note: The last known-clean version is litellm<\/code> 1.82.6.<\/em><\/p>\n

Upon execution, the payload initiates an aggressive three-stage attack sequence. The initial orchestrator script unpacks a comprehensive credential harvester designed to systematically sweep the host system.<\/p>\n

It targets SSH keys, cloud provider tokens for AWS, GCP, and Azure, database credentials, and cryptocurrency wallets. Extracted secrets are encrypted using a hybrid AES-256-CBC and RSA-4096 scheme and bundled into an archive named tpcp.tar.gz<\/code> before being exfiltrated to an attacker-controlled domain masquerading as a legitimate project resource.<\/p>\n

Beyond credential theft, the malware attempts lateral movement within Kubernetes environments. If the harvester detects a Kubernetes service account token, it rapidly enumerates all cluster nodes and deploys privileged alpine containers to each node using host-level access.<\/p>\n

Finally, the malware establishes persistent access by dropping a systemd user service disguised as a system telemetry process. This backdoor continuously polls a secondary command-and-control server to fetch and execute additional binaries.<\/p>\n

This breach represents the latest escalation in a sprawling supply chain campaign orchestrated by TeamPCP. Over the past month, the group has successfully compromised five separate ecosystems, including GitHub Actions, Docker Hub, npm, and OpenVSX.<\/p>\n

By deliberately targeting infrastructure and security-focused tools such as Aqua Security\u2019s Trivy<\/a> and Checkmarx\u2019s KICS, the attackers ensure their payloads execute in highly privileged environments rich with production secrets.<\/p>\n

Key Indicators of Compromise (IoCs)<\/strong><\/h2>\n
\n\n\n\n\n\n\n\n\n\n
Indicator<\/th>\nType<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
models.litellm.cloud<\/code><\/td>\nC2 Domain<\/td>\nExfiltration endpoint for encrypted credential archives<\/td>\n<\/tr>\n
checkmarx.zone\/raw<\/code><\/td>\nC2 Endpoint<\/td>\nPayload delivery domain for the persistent backdoor<\/td>\n<\/tr>\n
~\/.config\/systemd\/user\/sysmon.service<\/code><\/td>\nFilesystem<\/td>\nPersistent systemd unit hiding the backdoor<\/td>\n<\/tr>\n
tpcp.tar.gz<\/code><\/td>\nArchive<\/td>\nNamed archive containing exfiltrated host data<\/td>\n<\/tr>\n
node-setup-*<\/code><\/td>\nKubernetes<\/td>\nPrivileged attacker pods deployed in the kube-system<\/code> namespace<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Organizations utilizing litellm<\/code> should immediately audit their environments. If the compromised versions are detected, security teams must treat the environment as fully breached and initiate a comprehensive credential rotation protocol.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post LiteLLM Python Package With 95 Million Downloads Compromised by TeamPCP Hackers<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Guru Baran
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

LiteLLM Python Package With 95 Million Downloads Compromised by TeamPCP Hackers A widely used open-source Python library was compromised on the Python Package Index (PyPI). Versions 1.82.7 and 1.82.8 of the package, which route requests across various LLM providers and have over 95 million monthly downloads, were found to contain a sophisticated backdoor by security […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,1112,937],"tags":[130],"class_list":["post-11595","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-hacking-news","category-python","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11595"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11595"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11595\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11595"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11595"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}