TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8, Possibly via Trivy CI/CD Compromise

TeamPCP, the threat actor behind the recent Trivy and KICS compromises, has now compromised a popular Python package called litellm, pushing two malicious versions containing a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor.
Several security vendors, including Endor Labs and JFrog, have disclosed that litellm versions 1.82.7 and 1.82.8 were published on March 24, 2026, possibly as a result of the project's use of Trivy in its CI/CD workflow. Both backdoored versions have since been removed from PyPI.
“The payload is a three-pronged attack: an authentication harvester that sweeps SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files; a Kubernetes lateral movement toolkit that sends special pods to all nodes; and a persistent backdoor (the sysmon ‘service.[.]environment/raw’ in other binaries,” said Endor Labs researcher Kiran Raj.
As observed in previous cases, the harvested data is exfiltrated as an encrypted archive (“tpcp.tar.gz”) to a command-and-control domain named “models.litelm[.]cloud” via an HTTPS POST request.
In version 1.82.7, the malicious code is embedded in the “litellm/proxy/proxy_server.py” file, with the injection performed during or after the wheel build process. The code is designed to execute at module import time, so any process that imports “litellm.proxy.proxy_server” triggers the payload without requiring user interaction.
The next iteration of the package adds an “aggressive vector” by placing a malicious “litellm_init.pth” file at the root of the wheel, which causes the logic to run automatically at the startup of every Python process in the environment, not just when litellm is imported.
Another feature that makes 1.82.8 more dangerous is that the .pth launcher spawns a child Python process via subprocess.Popen, which allows the payload to run in the background.
“Python .pth files placed in site packages are automatically processed by site.py at interpreter startup,” says Endor Labs. “The file contains a single line that imports a subprocess and starts a separate Python process to decode and use the same Base64 payload.”
The payload decodes to an orchestrator that deploys a credential harvester and a persistent dropper. The harvester also uses the Kubernetes service account token (if available) to enumerate all the nodes in the cluster and deploy a privileged pod to each of them. The pod then accesses the host’s file system and installs the persistent dropper as a systemd user service on every node.
The systemd service is configured to launch a Python script (“~/.config/sysmon/sysmon.py”) – the same name used in the Trivy compromise – which polls “checkmarx[.]zone/raw” every 50 minutes to retrieve a URL that points to the next-stage payload. If the URL contains youtube[.]com, the script aborts execution – a pattern common to all cases seen so far.
“This campaign is probably not over yet,” Endor Labs said. “TeamPCP showed a consistent pattern: each compromised environment reveals credentials that open the next target. The pivot from CI/CD (GitHub Actions runners) to production (PyPI packages running on Kubernetes clusters) is a deliberate escalation.”
With the latest development, TeamPCP has carried out a relentless attack campaign that has hit five ecosystems, including GitHub Actions, Docker Hub, npm, Open VSX, and PyPI, to expand its target area and bring more and more programs under its control.

“TeamPCP is expanding a coordinated campaign targeting the security tools and infrastructure of open source developers, and is now openly admitting serial attacks across ecosystems,” said Socket. “This is a work in progress that targets high points in the software supply chain.”
In a message posted on their Telegram channel, TeamPCP said: “These companies are built to protect your chains but they can’t even protect theirs, the state of modern security research is a joke, so we will be stealing terabytes for a long time. [sic] of trade secrets with our new partners.”
“The snowball effect from this will be huge, we are already partnering with other groups to further the chaos, many of your favorite security tools and open source projects will be targeted in the coming months so stay tuned,” added the threat actor.
Users are advised to take the following actions to contain the threat –
- Audit all environments for litellm versions 1.82.7 or 1.82.8, and if found, revert to a clean version
- Isolate the affected hosts
- Check for the presence of rogue pods in Kubernetes clusters
- Review network logs for traffic to “models.litelm[.]cloud” and “checkmarx[.]zone”
- Remove the persistence mechanisms
- Audit CI/CD pipelines for use of tools like Trivy and KICS during the compromise windows
- Revoke and rotate all exposed credentials
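One way to automate the package-version and persistence checks in the list above, together with a search for `.pth` launchers of the kind described for 1.82.8, as an added example (not code from the article, Endor Labs or the LiteLLM project). The version numbers, the `litellm_init.pth` name and the sysmon path come from the article; the token heuristic, the harmless `SAMPLE_PTH` and the function names are assumptions of this example.

```python
import re
import site
from pathlib import Path

# Values taken from the article.
BAD_VERSIONS = {"1.82.7", "1.82.8"}
BAD_PTH = "litellm_init.pth"
PERSISTENCE = Path("~/.config/sysmon/sysmon.py")
# Assumption: heuristic tokens a path-configuration file has no reason to contain.
SUSPICIOUS = re.compile(r"subprocess|base64|exec\(|eval\(|os\.system|urllib|socket")
# Constructed, harmless sample in the shape the article describes (one import line + Popen).
SAMPLE_PTH = 'import subprocess, sys; subprocess.Popen([sys.executable, "-c", "pass"])\n'


def executable_lines(text):
    """Lines site.py passes to exec(): those beginning with 'import' plus space or tab."""
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def scan_site_dir(site_dir):
    """Return (path, reason) findings for one site-packages directory."""
    root, findings = Path(site_dir), []
    # Installed wheels leave a '<name>-<version>.dist-info' directory behind.
    for info in sorted(root.glob("litellm-*.dist-info")):
        version = info.name[len("litellm-"):-len(".dist-info")]
        if version in BAD_VERSIONS:
            findings.append((str(info), f"backdoored litellm {version} installed"))
    for pth in sorted(root.glob("*.pth")):
        code = executable_lines(pth.read_text(errors="replace"))
        if pth.name == BAD_PTH:
            findings.append((str(pth), "file name used by litellm 1.82.8"))
        elif any(SUSPICIOUS.search(ln) for ln in code):
            findings.append((str(pth), "import line spawns or decodes code"))
    return findings


def audit(site_dirs=None):
    """Scan the given (or this interpreter's) site-packages dirs and the persistence path."""
    dirs = site_dirs or set(site.getsitepackages() + [site.getusersitepackages()])
    findings = [f for d in dirs if Path(d).is_dir() for f in scan_site_dir(d)]
    script = PERSISTENCE.expanduser()
    if script.exists():
        findings.append((str(script), "persistence script present"))
    return findings


if __name__ == "__main__":
    for where, why in audit():
        print(f"[!] {where}: {why}")
```

Run it with an interpreter from outside the environment under inspection and pass that environment's site-packages path to `audit()`, because in an environment carrying 1.82.8 ordinary interpreter startup already executes the `.pth` file.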
“The open source supply chain is entering itself,” said Gal Nagli, head of threat detection at Google-owned Wiz, in a post on X. “Trivy becomes vulnerable → LiteLLM becomes vulnerable → data from tens of thousands of sites ends up in the hands of an attacker → and that data leads to further damage.”



