TeamPCP Backdoors LiteLLM 1.82.7–1.82.8 via CI/CD Compromise
- [01] Immediate impact: Attackers compromised a popular AI library to steal cloud credentials and gain persistent access to Kubernetes clusters.
- [02] Affected systems: Python environments running LiteLLM versions 1.82.7 or 1.82.8 downloaded from PyPI.
- [03] Remediation: Immediately upgrade to LiteLLM version 1.82.9 or higher and rotate all environment secrets and cloud access keys.
A sophisticated supply chain attack has targeted the popular Python package LiteLLM, resulting in the injection of malicious backdoors and data exfiltration tools. According to The Hacker News, the threat actor identified as TeamPCP likely gained access through a compromise of the CI/CD pipeline associated with the Trivy vulnerability scanner, which shared certain automation secrets with the LiteLLM release process. This incident follows previous attacks by the same group on infrastructure-as-code and security tools such as KICS and Trivy.
LiteLLM is a widely adopted library used to interface with multiple large language model (LLM) providers through a unified API. By compromising this package, attackers gained a foothold in development environments and production AI orchestration layers, which typically handle highly sensitive API keys and cloud credentials.
TeamPCP Supply Chain Attack Mitigation
The primary mitigation strategy for organizations using this library is the immediate removal of the tainted versions. Security teams must verify that all instances of the package are updated beyond the compromised range. Beyond simple version updates, organizations must treat this as a potential breach of their underlying infrastructure. Because the malicious code was designed to harvest environment variables, any secret exposed to a container running the backdoored library must be considered compromised.
Defenders should rotate all OpenAI, Anthropic, AWS, and Azure keys that were present in environments where LiteLLM 1.82.7 or 1.82.8 was executed. Furthermore, teams should adopt Zero Trust principles by limiting the scope of API keys and using short-lived credentials where possible, so that a similar future compromise exposes credentials with a much smaller blast radius.
LiteLLM Version 1.82.8 Credential Harvester Analysis
Technical analysis of the malicious code injected into version 1.82.8 reveals a focused intent on credential theft. The script contains logic to scan the local environment for common sensitive variables, specifically targeting those associated with cloud providers and LLM services. Once gathered, these credentials are exfiltrated to a C2 server controlled by TeamPCP.
The harvester does not only look for variables in the process environment; it also attempts to locate and read .env files within the working directory. This TTP gives the attacker persistent access to external services even when the compromised container itself is ephemeral. The stolen credentials provide the actor with the access needed to attempt privilege escalation within the victim's cloud tenant.
How to Detect LiteLLM 1.82.7 Malicious Activity
Detecting signs of compromise involves monitoring for unusual outbound network connections and unauthorized API calls using the credentials managed by the library. Organizations should review their SIEM logs for connections to unknown external IP addresses, particularly those originating from AI-related microservices.
The malicious versions also include a Kubernetes lateral movement toolkit. This component attempts to abuse the service account token mounted into the pod in which LiteLLM is running. By querying the Kubernetes API, the malware seeks to move laterally to other nodes or namespaces. SOC analysts should look for service accounts performing high volumes of 'list' or 'get' operations on secrets or pods, which may indicate the toolkit is active. Deploying an EDR solution capable of monitoring child process execution from Python interpreters can also help identify the persistence mechanisms used by TeamPCP.
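As an added example (not code from the original report or from the LiteLLM project), the following Python triage script applies the detection heuristic above to Kubernetes audit log JSON lines: it flags pod service accounts performing many list/get operations on secrets or pods, and any service account reaching into a namespace other than its own. The audit events, the `ai` namespace, the `litellm` service account name and the threshold of 20 are all constructed assumptions to tune per cluster.

```python
"""Flag pod service accounts enumerating secrets/pods in Kubernetes audit logs."""
import json
from collections import Counter

WATCHED_VERBS = {"list", "get"}
WATCHED_RESOURCES = {"secrets", "pods"}


def sa_namespace(username):
    """Return the namespace of a service account user, or None for non-SA users."""
    parts = username.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2]
    return None


def find_suspicious(audit_lines, threshold=20):
    """Return findings: SAs with >= threshold list/get on secrets/pods, and
    SAs touching secrets/pods in a namespace other than their own."""
    counts = Counter()
    cross_ns = set()
    for line in audit_lines:
        if not line.strip():
            continue
        ev = json.loads(line)  # one audit.k8s.io/v1 Event per line
        user = ev.get("user", {}).get("username", "")
        ns = sa_namespace(user)
        if ns is None:  # human users are out of scope for this heuristic
            continue
        ref = ev.get("objectRef", {})
        verb, resource = ev.get("verb"), ref.get("resource")
        if verb not in WATCHED_VERBS or resource not in WATCHED_RESOURCES:
            continue
        counts[(user, resource)] += 1
        target_ns = ref.get("namespace")
        if target_ns and target_ns != ns:
            cross_ns.add((user, resource, target_ns))
    findings = [f"{u} performed {n} list/get on {r}"
                for (u, r), n in counts.items() if n >= threshold]
    findings += [f"{u} accessed {r} in foreign namespace {t}"
                 for u, r, t in sorted(cross_ns)]
    return findings


def _event(user, verb, resource, namespace):
    """Build one constructed audit event in the audit.k8s.io/v1 shape."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                       "verb": verb, "user": {"username": user},
                       "objectRef": {"resource": resource, "namespace": namespace}})


# Constructed sample log: a pod SA enumerating secrets and reading across namespaces.
SA = "system:serviceaccount:ai:litellm"
SAMPLE_AUDIT_LINES = ([_event(SA, "list", "secrets", "ai")] * 25
                      + [_event(SA, "get", "secrets", "kube-system")]
                      + [_event(SA, "get", "configmaps", "ai")] * 3
                      + [_event("kubernetes-admin", "list", "secrets", "ai")] * 30)

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_AUDIT_LINES):
        print(finding)
```

In production, feed the script the API server audit log (or a SIEM export of it) and baseline the threshold against the LiteLLM pod's normal API usage, which should not include listing secrets at all.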