
TeamPCP, the threat actor behind the recent Trivy and KICS breaches, compromised a popular Python package named litellm and pushed two malicious versions containing a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor.
Multiple security vendors, including Endor Labs and JFrog, revealed that litellm versions 1.82.7 and 1.82.8 were released on March 24, 2026. The compromise is likely due to the use of Trivy in the package's CI/CD workflow. Both backdoored versions have since been removed from PyPI.
“The payload is a three-stage attack: a credential harvester that sweeps through SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files, a Kubernetes lateral movement toolkit that deploys privileged pods to all nodes, and a persistent systemd backdoor (sysmon.service) that polls ‘checkmarx[.]zone/raw’ for additional binaries,” said Endor Labs researcher Kiran Raj.
As observed in previous cases, the collected data is exfiltrated as an encrypted archive (‘tpcp.tar.gz’) to a command and control domain named ‘models.litellm[.]cloud’ via an HTTPS POST request.
For 1.82.7, the malicious code is embedded in the “litellm/proxy/proxy_server.py” file, and the injection is performed during or after the wheel build process. This code is designed to run on module import, so any process that imports “litellm.proxy.proxy_server” triggers the payload without requiring user intervention.
The next iteration of the package adds “more attack vectors” by incorporating the malicious “litellm_init.pth” at the wheel root, so the logic executes automatically every time a Python process starts in the environment, not just when litellm is imported.
Another aspect that makes 1.82.8 even more dangerous is the fact that the .pth launcher spawns child Python processes via subprocess.Popen, allowing payloads to run in the background.
“Python .pth files placed in site-packages are automatically processed by site.py when the interpreter starts,” Endor Labs said. “This file contains one line that imports subprocess and launches a separate Python process to decode and execute the same Base64 payload.”
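To make the .pth mechanism concrete from the defender's side, the following added example (not code from Endor Labs, JFrog or the litellm project) lists every .pth line that site.py would execute at interpreter startup and raises the severity when the line references modules a path file has no reason to touch. The token list, the function names and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Tokens with no place in a path-configuration file. The list is an assumption
# chosen to match the launcher described above, not a vendor detection rule.
SUSPICIOUS = re.compile(r"\b(subprocess|base64|exec|eval|os\.system|urllib|socket)\b")

def executable_pth_lines(pth_file):
    """Yield (line_no, text) for the lines site.py would exec() at startup.

    site.py executes a .pth line only when it starts with "import" followed
    by a space or tab; any other non-comment line is treated as a path.
    """
    text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith(("import ", "import\t")):
            yield no, line

def scan_site_dir(site_dir):
    """Return one finding per executable line in the directory's .pth files."""
    findings = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for no, line in executable_pth_lines(pth):
            hits = sorted(set(SUSPICIOUS.findall(line)))
            findings.append({"file": pth.name, "line": no, "tokens": hits,
                             "severity": "high" if hits else "review"})
    return findings

def demo():
    """Scan a constructed directory: a path entry, a benign import hook, and
    an inert stand-in for the one-line launcher (never processed by site.py)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "paths.pth").write_text("# extra paths\n../src\n")
        (d / "hook.pth").write_text("import _example_hook\n")
        (d / "sample_init.pth").write_text(
            "import subprocess, base64  # constructed stand-in\n")
        return scan_site_dir(d)

if __name__ == "__main__":
    import site
    for sp in site.getsitepackages() + [site.getusersitepackages()]:
        for finding in scan_site_dir(sp):
            print(sp, finding)
```

Legitimate packages also ship executable .pth lines, so "review" findings are expected on most systems; the "high" findings are the ones to triage first.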
The payload is decoded to an orchestrator that unpacks the credential harvester and persistence dropper. The harvester also utilizes the Kubernetes service account token (if present) to enumerate all nodes in the cluster and deploy privileged pods to each node. The pod then chroots into the host file system and installs the persistence dropper as a systemd user service on all nodes.
The systemd service is configured to launch a Python script (‘~/.config/sysmon/sysmon.py’, the same name used in the Trivy compromise) that contacts ‘checkmarx[.]zone/raw’ every 50 minutes to get a URL pointing to the next-stage payload. If the URL contains youtube[.]com, the script stops running. This kill switch pattern is common to all incidents observed to date.
“This campaign is almost certainly not over,” Endor Labs said. “TeamPCP exhibits a consistent pattern: each compromised environment generates credentials that unlock the next target. The pivot from CI/CD (GitHub Actions runner) to production (PyPI packages running on a Kubernetes cluster) is a deliberate escalation.”
With the latest development, TeamPCP has waged a relentless supply chain attack campaign spanning five ecosystems, including GitHub Actions, Docker Hub, npm, Open VSX, and PyPI, expanding its reach and bringing more systems under its control.

“TeamPCP has escalated a coordinated campaign targeting security tools and open source developer infrastructure, and is now openly claiming credit for multiple follow-on attacks across the ecosystem,” Socket said. “This is an ongoing operation targeting high-impact points in the software supply chain.”
“These companies were founded to protect their supply chains, and they can’t even protect their own supply chains. The current state of modern security research is a joke. As a result, we will be stealing terabytes [sic] of trade secrets with our new partners for a long time,” TeamPCP said in a message posted on its Telegram channel.
“The snowballing impact of this will be significant. We are already partnering with other teams to perpetuate the disruption. Many of your favorite security tools and open source projects will be targeted in the coming months. Stay tuned,” the attacker added.
Users are advised to take the following actions to contain the threat:
- Audit all environments for litellm versions 1.82.7 or 1.82.8 and revert to a clean version if found.
- Isolate the affected host.
- Check for the presence of rogue pods in your Kubernetes cluster.
- Check the network logs for egress traffic to ‘models.litellm[.]cloud’ and ‘checkmarx[.]zone’.
- Remove the persistence mechanisms.
- Audit CI/CD pipelines for use of tools like Trivy and KICS during the period of compromise.
- Revoke and rotate all exposed credentials.
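The host-side part of this checklist can be scripted. The following added example (not part of any vendor's guidance) reads package metadata to find the two compromised litellm versions, then looks for the ‘litellm_init.pth’ launcher and the ‘~/.config/sysmon/sysmon.py’ script named in the article. The function names, the indicator labels and the sample tree, including the placeholder version 0.0.0, are constructed for illustration; rogue pods and network logs are out of its scope.

```python
import tempfile
from email.parser import HeaderParser
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}              # versions named in the article
PTH_NAME = "litellm_init.pth"                    # launcher shipped in 1.82.8
PERSISTENCE = Path(".config/sysmon/sysmon.py")   # relative to a home directory

def litellm_versions(site_dir):
    """Read Name/Version from every *.dist-info/METADATA in a site directory."""
    found = []
    for meta in Path(site_dir).glob("*.dist-info/METADATA"):
        hdr = HeaderParser().parsestr(
            meta.read_text(encoding="utf-8", errors="replace"))
        if (hdr.get("Name") or "").strip().lower() == "litellm":
            found.append((hdr.get("Version") or "unknown").strip())
    return found

def audit(site_dirs, home_dirs):
    """Return (indicator, detail) tuples for the host artefacts listed above."""
    findings = []
    for sd in map(Path, site_dirs):
        for version in litellm_versions(sd):
            if version in BAD_VERSIONS:
                findings.append(("compromised-version", f"{sd}: litellm {version}"))
        if (sd / PTH_NAME).is_file():
            findings.append(("pth-launcher", str(sd / PTH_NAME)))
    for home in map(Path, home_dirs):
        if (home / PERSISTENCE).is_file():
            findings.append(("persistence-script", str(home / PERSISTENCE)))
    return findings

def demo():
    """Audit a constructed tree: one clean environment and one affected one."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad, home = (Path(tmp) / n for n in ("clean", "bad", "home"))
        for sd, ver in ((clean, "0.0.0"), (bad, "1.82.8")):  # 0.0.0: placeholder
            info = sd / f"litellm-{ver}.dist-info"
            info.mkdir(parents=True)
            (info / "METADATA").write_text(
                f"Metadata-Version: 2.1\nName: litellm\nVersion: {ver}\n")
        (bad / PTH_NAME).write_text("# constructed placeholder\n")
        (home / PERSISTENCE).parent.mkdir(parents=True)
        (home / PERSISTENCE).write_text("# constructed placeholder\n")
        return audit([clean], [Path(tmp) / "none"]), audit([bad], [home])
```

On a real host, pass every interpreter's site-packages directories (for example from `site.getsitepackages()`) and each user's home directory to `audit()`; an empty result does not clear a host that ran an affected version, so credential rotation still applies.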
“The open source supply chain is breaking down,” Gal Nagri, head of threat prevention at Google’s Wiz, wrote in a post on X. “Trivy gets compromised → LiteLLM gets compromised → credentials for tens of thousands of environments end up in the hands of attackers → and those credentials lead to the next breach. We’re stuck in a loop.”
