
TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 Likely via Trivy CI/CD Compromise

News Room
Last updated: 2026/03/24 at 4:27 PM
News Room Published 24 March 2026

TeamPCP, the threat actor behind the recent compromises of Trivy and KICS, has now compromised a popular Python package named litellm, pushing two malicious versions containing a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor.

Multiple security vendors, including Endor Labs and JFrog, revealed that litellm versions 1.82.7 and 1.82.8 were published on March 24, 2026, with the compromise likely stemming from the package’s use of Trivy in its CI/CD workflow. Both backdoored versions have since been removed from PyPI.

“The payload is a three-stage attack: a credential harvester sweeping SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files; a Kubernetes lateral movement toolkit deploying privileged pods to every node; and a persistent systemd backdoor (sysmon.service) polling ‘checkmarx[.]zone/raw’ for additional binaries,” Endor Labs researcher Kiran Raj said.

As observed in previous cases, the harvested data is exfiltrated as an encrypted archive (“tpcp.tar.gz”) to a command-and-control domain named “models.litellm[.]cloud” via an HTTPS POST request.

In the case of 1.82.7, the malicious code is embedded in the “litellm/proxy/proxy_server.py” file, with the injection performed during or after the wheel build process. The code is engineered to be executed at module import time, such that any process that imports “litellm.proxy.proxy_server” triggers the payload without requiring any user interaction.

The next iteration of the package adds a “more aggressive vector” by incorporating a malicious “litellm_init.pth” at the wheel root, causing the logic to be executed automatically on every Python process startup in the environment, not just when litellm is imported.

Another aspect that makes 1.82.8 more dangerous is the fact that the .pth launcher spawns a child Python process via subprocess.Popen, which allows the payload to be run in the background.

“Python .pth files placed in site-packages are processed automatically by site.py at interpreter startup,” Endor Labs said. “The file contains a single line that imports a subprocess and launches a detached Python process to decode and execute the same Base64 payload.”

The payload decodes to an orchestrator that unpacks a credential harvester and a persistence dropper. The harvester also leverages the Kubernetes service account token (if present) to enumerate all nodes in the cluster and deploy a privileged pod to each one of them. The pod then chroots into the host file system and installs the persistence dropper as a systemd user service on every node.

The systemd service is configured to launch a Python script (“~/.config/sysmon/sysmon.py”) – the same name used in the Trivy compromise – that reaches out to “checkmarx[.]zone/raw” every 50 minutes to fetch a URL pointing to the next-stage payload. If the URL contains youtube[.]com, the script aborts execution – a kill switch pattern common to all the incidents observed so far.

“This campaign is almost certainly not over,” Endor Labs said. “TeamPCP has demonstrated a consistent pattern: each compromised environment yields credentials that unlock the next target. The pivot from CI/CD (GitHub Actions runners) to production (PyPI packages running in Kubernetes clusters) is a deliberate escalation.”

With the latest development, TeamPCP has waged a relentless supply chain attack campaign that has spanned five ecosystems, including GitHub Actions, Docker Hub, npm, Open VSX, and PyPI, to expand its targeting footprint and bring more and more systems under its control.

“TeamPCP is escalating a coordinated campaign targeting security tools and open source developer infrastructure, and is now openly taking credit for multiple follow-on attacks across ecosystems,” Socket said. “This is a sustained operation targeting high-leverage points in the software supply chain.”

In a message posted on their Telegram channel, TeamPCP said: “These companies were built to protect your supply chains yet they can’t even protect their own, the state of modern security research is a joke, as a result we’re gonna be around for a long time stealing terrabytes [sic] of trade secrets with our new partners.”

“The snowball effect from this will be massive, we are already partnering with other teams to perpetuate the chaos, many of your favourite security tools and open-source projects will be targeted in the months to come so stay tuned,” the threat actor added.

Users are advised to perform the following actions to contain the threat –

  • Audit all environments for litellm versions 1.82.7 or 1.82.8, and if found, revert to a clean version
  • Isolate affected hosts
  • Check for the presence of rogue pods in Kubernetes clusters
  • Review network logs for egress traffic to “models.litellm[.]cloud” and “checkmarx[.]zone”
  • Remove the persistence mechanisms
  • Audit CI/CD pipelines for usage of tools like Trivy and KICS during the compromise windows
  • Revoke and rotate all exposed credentials
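
The host-level checks in the list above, together with the .pth launcher behaviour Endor Labs describes, can be scripted. The following Python is an added example, not code from the article or from any vendor named in it: the two litellm versions, litellm_init.pth and sysmon.py come from the article, while the keyword heuristic for other .pth files and the ~/.config/systemd/user/ location for sysmon.service are assumptions.

```python
import re
import sys
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}   # versions named in the article
PTH_NAME = "litellm_init.pth"         # launcher file named in the article
# Assumed heuristic: an executable .pth line that spawns a process or decodes a blob.
SUSPICIOUS = re.compile(r"subprocess|base64|exec\(|eval\(|os\.system")


def audit_site_packages(site_dir):
    """Return sorted findings for one site-packages directory (read-only)."""
    site_dir = Path(site_dir)
    findings = []
    # Installed wheels leave a litellm-<version>.dist-info directory behind.
    for info in site_dir.glob("litellm-*.dist-info"):
        version = info.name[len("litellm-"):-len(".dist-info")]
        if version in BAD_VERSIONS:
            findings.append(f"backdoored litellm {version}")
    # site.py executes every .pth line that starts with "import".
    for pth in site_dir.glob("*.pth"):
        if pth.name == PTH_NAME:
            findings.append(f"known launcher {pth.name}")
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")) and SUSPICIOUS.search(line):
                findings.append(f"suspicious import line in {pth.name}")
                break
    return sorted(findings)


def audit_home(home):
    """Return persistence files found under one home directory."""
    home = Path(home)
    candidates = [
        ".config/sysmon/sysmon.py",             # path given in the article
        ".config/systemd/user/sysmon.service",  # assumed: default user-unit directory
    ]
    return [rel for rel in candidates if (home / rel).exists()]


if __name__ == "__main__":
    # Usage: python audit.py /path/to/site-packages [more dirs...]
    for d in sys.argv[1:]:
        for finding in audit_site_packages(d):
            print(f"{d}: {finding}")
    for rel in audit_home(Path.home()):
        print(f"persistence artifact: ~/{rel}")
```

Run it with an interpreter from outside the environment being inspected, passing that environment's site-packages path, because a malicious .pth file runs whenever the affected environment's own interpreter starts.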

“The open source supply chain is collapsing in on itself,” Gal Nagli, head of threat exposure at Google-owned Wiz, said in a post on X. “Trivy gets compromised → LiteLLM gets compromised → credentials from tens of thousands of environments end up in attacker hands → and those credentials lead to the next compromise. We are stuck in a loop.”
