[TIMESTAMP: 2026-03-25 00:36 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

LiteLLM PyPI Supply Chain Attack: TeamPCP Steals Credentials

CRITICAL | Supply Chain | #LiteLLM #PyPI #TeamPCP
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: TeamPCP claims data was stolen from hundreds of thousands of devices running LiteLLM; any host that installed a backdoored build should be treated as exposed to credential and authentication-token theft.
  • [02] Affected systems: Users of the LiteLLM Python package from PyPI, specifically backdoored versions distributed by TeamPCP.
  • [03] Remediation: Immediately update LiteLLM to a verified secure version and revoke all potentially exposed API keys/credentials.

Overview of the LiteLLM PyPI Package Compromise

Runtime Rebel intelligence confirms a critical Supply Chain Attack targeting the popular LiteLLM Python package hosted on PyPI. The TeamPCP hacking group is responsible for compromising the package, injecting malicious code designed to exfiltrate sensitive data, including user credentials and authentication tokens. This incident marks a continuation of TeamPCP’s aggressive campaign targeting development ecosystems.

According to BleepingComputer, TeamPCP claims to have successfully stolen data from hundreds of thousands of devices as a result of this compromise. Given the widespread use of LiteLLM—a library that simplifies integration with various large language models (LLMs) like OpenAI, Azure, Cohere, and Anthropic—the potential impact of this breach is substantial. Organizations and individual developers using LiteLLM are advised to take immediate action to mitigate potential risks.

Technical Details of the LiteLLM PyPI Package Compromise

LiteLLM is an open-source library used by developers to unify API calls across different LLM providers, making it a critical component in many AI-driven applications. Its popularity makes it an attractive target for threat actors seeking to achieve broad impact through a single compromise point.

The TeamPCP group implemented a backdoor within specific versions of the LiteLLM package available on PyPI. This malicious modification allowed the attackers to harvest environment variables, API keys, and other authentication-related tokens from systems where the compromised package was installed and executed. Such data enables attackers to gain unauthorized access to LLM provider accounts, cloud resources, and potentially other integrated services.

This method of injecting malicious code into legitimate, widely used open-source libraries is a common [TTP](/glossary#ttp) for Supply Chain Attacks and highlights the inherent risks in modern software development workflows that rely heavily on third-party components. The exfiltrated data would likely be sent to an attacker-controlled C2 server for collection and further exploitation.

TeamPCP’s Modus Operandi and Broader Implications

TeamPCP is an emerging threat actor group that has demonstrated a clear focus on compromising software supply chains. Their previous activities have shown a pattern of targeting popular development packages to cast a wide net for data theft. This particular attack demonstrates a sophisticated understanding of how developers integrate third-party libraries and the types of sensitive information present in typical development or production environments.

The implications of stolen credentials extend beyond mere API access. With valid authentication tokens, attackers could potentially:

  • Access and manipulate sensitive data: Depending on the scope of the API key, attackers could read, modify, or delete data stored within LLM provider accounts or associated cloud services.
  • Execute unauthorized code: In some cases, compromised API keys might grant access to services that allow for code execution, leading to further system compromise or Lateral Movement within an organization’s network.
  • Incur financial costs: Unauthorized use of LLM services could lead to significant and unexpected billing charges.
  • Intellectual property theft: Access to LLM usage patterns or prompts could expose proprietary models, sensitive internal data, or trade secrets.

Actionable Recommendations and Mitigations for TeamPCP Supply Chain Attack

Defenders must prioritize immediate actions to mitigate the risks associated with the LiteLLM compromise and implement long-term strategies for Python package integrity verification.

  • Immediate Update and Verification:
    • Update LiteLLM: All users of LiteLLM must immediately update to the latest verified secure version. Check the official LiteLLM GitHub repository or PyPI page for announcements regarding patched versions.
    • Audit Dependencies: Review the output of pip freeze or poetry show to identify whether LiteLLM is present in your environments, and verify its version against known secure releases.
  • Credential Rotation and Revocation:
    • Revoke and Regenerate API Keys: Assume every API key and authentication token used in an environment where LiteLLM was installed or executed is compromised. Immediately revoke these credentials with their respective providers (e.g., OpenAI, Azure, Cohere, Anthropic) and generate new ones.
    • Rotate Environment Variables: Review and rotate any sensitive environment variables that might have been exposed.
  • System Auditing and Monitoring:
    • Log Analysis: Scrutinize network and application logs for unusual outbound connections from systems running LiteLLM or suspicious API calls to LLM providers. Look for new, unrecognized IoCs related to TeamPCP's activity.
    • Endpoint Detection: Use EDR solutions to monitor for anomalous process behavior, unauthorized file access, or network connections originating from developer workstations or production servers running LiteLLM.
    • SIEM Integration: Ensure your SIEM is configured to alert on suspicious activity related to API key usage or unusual data egress.
  • Enhance Supply Chain Security:
    • Software Bill of Materials (SBOM): Generate and maintain an SBOM so you have an accurate inventory of all open-source and third-party components used in your applications.
    • Source Code Review: Conduct regular security reviews of integrated third-party libraries, especially those with high privileges or network access.
    • Dependency Scanning: Employ automated tools to scan dependencies for known vulnerabilities and malicious code before deployment.
    • Isolated Environments: Develop and run applications in isolated, sandboxed environments to limit the blast radius of any package compromise.
    • Zero Trust Principles: Apply Zero Trust principles to your software development lifecycle, verifying every access request and component regardless of its origin.
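An added example, not code from Runtime Rebel or the LiteLLM project, that turns the "Audit Dependencies" and "Rotate Environment Variables" steps above into a repeatable check: it parses pip freeze output for litellm, flags any version not on a verified allowlist, and lists by name (never value) the environment variables that should be rotated. The allowlist entry is a placeholder because the advisory names no clean versions, and the sample freeze text and environment are constructed.

```python
import re
from typing import Dict, List, Set

# PLACEHOLDER allowlist: the advisory gives no version numbers, so replace this
# with the releases LiteLLM maintainers announce as clean on GitHub/PyPI.
VERIFIED_LITELLM_VERSIONS: Set[str] = {"X.Y.Z-VERIFIED-PLACEHOLDER"}

# Variable names that typically carry credentials a backdoor would harvest
# (provider API keys, tokens, secrets); tune the pattern for your environment.
CREDENTIAL_NAME = re.compile(r"(API_?KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)", re.I)
FREEZE_LINE = re.compile(r"^\s*litellm==([\w.\-]+)\s*$", re.I)


def find_litellm(freeze_output: str) -> List[str]:
    """Return every litellm version pinned in `pip freeze`-style text."""
    return [m.group(1) for line in freeze_output.splitlines()
            if (m := FREEZE_LINE.match(line))]


def assess_install(freeze_output: str) -> Dict[str, object]:
    """Flag litellm versions that are not on the verified allowlist."""
    versions = find_litellm(freeze_output)
    unverified = [v for v in versions if v not in VERIFIED_LITELLM_VERSIONS]
    return {"present": bool(versions), "installed": versions, "unverified": unverified}


def credentials_to_rotate(env: Dict[str, str]) -> List[str]:
    """Names (never values) of non-empty env vars that look like credentials."""
    return sorted(n for n, v in env.items() if v and CREDENTIAL_NAME.search(n))


# Constructed sample inputs, not taken from the advisory or a real host.
SAMPLE_FREEZE = "httpx==0.27.0\nlitellm==1.0.0\nopenai==1.30.0\n"
SAMPLE_ENV = {
    "OPENAI_API_KEY": "sk-constructed", "COHERE_API_KEY": "constructed",
    "AZURE_OPENAI_API_KEY": "",  # empty: nothing to rotate
    "GITHUB_TOKEN": "constructed", "PATH": "/usr/bin",
}

if __name__ == "__main__":
    report = assess_install(SAMPLE_FREEZE)
    if report["present"]:
        print("litellm installed:", report["installed"])
        if report["unverified"]:
            print("NOT on verified allowlist, update now:", report["unverified"])
        print("rotate these credentials:", credentials_to_rotate(SAMPLE_ENV))
```

On a real host, feed it the output of pip freeze and os.environ instead of the constructed samples, and run it in every environment (CI runners included) where LiteLLM may have been installed.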
