
CRITICAL: TeamPCP Supply Chain Attack Backdoors LiteLLM, Threatens 36% of Cloud Environments

TeamPCP has compromised LiteLLM, a Python package present in 36% of cloud environments. Malicious versions 1.82.7 and 1.82.8 deploy credential harvesters, Kubernetes lateral movement tools, and persistent backdoors.

By Danny Mercer, CISSP — Lead Security Analyst | Mar 25, 2026

Executive Summary

TeamPCP has compromised LiteLLM, a Python package used for LLM API integration that is present in 36% of cloud environments. Malicious versions 1.82.7 and 1.82.8 were pushed to PyPI on March 24, 2026, containing a three-stage payload: a credential harvester, a Kubernetes lateral movement toolkit, and a persistent systemd backdoor.

Technical Analysis

The attack leverages TeamPCP's earlier compromise of Trivy, which LiteLLM uses in its CI/CD pipeline. In version 1.82.7, malicious code was embedded in litellm/proxy/proxy_server.py, executing at module import time. Version 1.82.8 added a litellm_init.pth file that executes on every Python process startup.

The payload harvests SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files. It deploys privileged pods across Kubernetes clusters and installs a sysmon.service backdoor that beacons every 50 minutes.

TeamPCP has now compromised five ecosystems: GitHub Actions, Docker Hub, npm, Open VSX, and PyPI. They have announced a partnership with the LAPSUS$ extortion gang.

Indicators of Compromise

Monitor for egress traffic to models.litellm[.]cloud and checkmarx[.]zone. Hunt for the sysmon.service persistence mechanism. Check for rogue privileged pods in Kubernetes clusters.

Remediation Steps

Audit environments for LiteLLM 1.82.7 or 1.82.8. Revert to clean versions and isolate affected hosts. Rotate ALL credentials that were accessible to the LiteLLM environment. Review CI/CD pipelines using Trivy or KICS. Remove sysmon.service backdoors from affected systems.
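
A host-level check for the indicators named above, as an added example that is not part of the original advisory: it reports the two malicious LiteLLM versions, the litellm_init.pth hook, and any sysmon.service unit. The systemd directories it searches are an assumption (standard unit paths), since the advisory does not give the install location.

```python
import importlib.metadata as md
import os
import site
import sys
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # malicious releases named in the advisory
PTH_NAME = "litellm_init.pth"        # startup hook added in 1.82.8
UNIT_NAME = "sysmon.service"         # persistence unit named in the advisory
# Assumption: standard systemd unit paths; the advisory gives no install location.
UNIT_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system",
             os.path.expanduser("~/.config/systemd/user")]


def default_site_dirs():
    """Site-packages directories of the interpreter running this script."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    return dirs + [site.getusersitepackages()]


def audit(site_dirs, unit_dirs=UNIT_DIRS):
    """Return (kind, detail) findings; an empty list means nothing matched."""
    findings = []
    for d in site_dirs:
        for dist in md.distributions(path=[str(d)]):
            try:
                name, version = dist.metadata.get("Name", ""), dist.version
            except Exception:  # broken or partial metadata: skip, keep scanning
                continue
            if name.lower() == "litellm" and version in BAD_VERSIONS:
                findings.append(("bad-version", f"{d}: litellm {version}"))
        pth = Path(d) / PTH_NAME
        if pth.is_file():
            findings.append(("pth-hook", str(pth)))
    for d in unit_dirs:
        unit = Path(d) / UNIT_NAME
        if unit.exists():
            # A lead to triage: the unit name alone does not prove origin.
            findings.append(("systemd-unit", str(unit)))
    return findings


if __name__ == "__main__":
    results = audit(default_site_dirs())
    for kind, detail in results:
        print(f"[!] {kind}: {detail}")
    sys.exit(1 if results else 0)
```

audit() also accepts explicit site-packages paths, so it can be run from a clean interpreter (or with `python -S`, which skips .pth processing) against a suspect environment without triggering a planted hook.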
