The TeamPCP hacking group continues its supply-chain rampage, now compromising the massively common “LiteLLM” Python bundle on PyPI and claiming to have stolen information from lots of of 1000’s of gadgets through the assault.
LiteLLM is an open-source Python library that serves as a gateway to a number of giant language mannequin (LLM) suppliers by way of a single API. The bundle may be very common, with over 3.4 million downloads a day and over 95 million up to now month.
Based on analysis by Endor Labs, menace actors compromised the undertaking and printed malicious variations of LiteLLM 1.82.7 and 1.82.8 to PyPI at present that deploy an infostealer that harvests a variety of delicate information.
The assault has been claimed by TeamPCP, a hacking group that was behind the latest high-profile breach of Aqua Safety’s Trivy vulnerability scanner. That breach is believed to have led to cascading compromises that impacted Aqua Safety Docker photos, Checkmarx KICS undertaking, and now LiteLLM.
The group has additionally been discovered focusing on Kubernetes clusters with a malicious script that wipes all machines when it detects methods configured for Iran. In any other case, it installs a brand new CanisterWorm backdoor on gadgets in different areas.
Sources have informed BleepingComputer the variety of information exfils is roughly 500,000, with many being duplicates. VX-Underground stories an identical variety of ‘contaminated gadgets.”
Nonetheless, BleepingComputer has not been capable of affirm these numbers independently.
LiteLLM provide chain assault
Endor Labs stories that menace actors pushed out two malicious variations of LiteLLM at present, every containing a hidden payload that executes when the bundle is imported.
The malicious code was injected into ‘litellm/proxy/proxy_server.py’ [VirusTotal] as a base64 encoded payload, which is decoded and executed every time the module is imported.
Model 1.82.8 introduces a extra aggressive characteristic that installs a ‘.pth’ file named ‘litellm_init.pth’ [VirusTotal] to the Python atmosphere. As a result of Python mechanically processes all ‘.pth’ recordsdata when the interpreter begins, the malicious code could be executed every time Python is run, even when LiteLLM just isn’t particularly used.
As soon as executed, the payload in the end deploys a variant of the hacker’s “TeamPCP Cloud Stealer” and a persistence script. Evaluation by BleepingComputer exhibits the payload accommodates just about the identical credential-stealing logic used within the Trivy provide chain assault.
“Once triggered, the payload runs a three-stage attack: it harvests credentials (SSH keys, cloud tokens, Kubernetes secrets, crypto wallets, and .env files), attempts lateral movement across Kubernetes clusters by deploying privileged pods to every node, and installs a persistent systemd backdoor that polls for additional binaries,” explains Endor Labs.
“Exfiltrated data is encrypted and sent to an attacker-controlled domain.”
Supply: BleepingComputer
The stealer harvests a variety of credentials and authentication secrets and techniques, together with:
- System reconnaissance by working the hostname, pwd, whoami, uname -a, ip addr, and printenv instructions.
- SSH keys and configuration recordsdata
- Cloud credentials for AWS, GCP, and Azure
- Kubernetes service account tokens and cluster secrets and techniques
- Surroundings recordsdata reminiscent of `.env` variants
- Database credentials and configuration recordsdata
- TLS non-public keys and CI/CD secrets and techniques
- Cryptocurrency pockets information
The cloud stealer payload additionally consists of an extra base64 encoded script that’s put in as a systemd consumer service disguised as a “System Telemetry Service,” which periodically contacts a distant server at checkmarx[.]zone to obtain and execute extra payloads.
Supply: BleepingComputer
Stolen information is bundled into an encrypted archive named tpcp.tar.gz and despatched to attacker-controlled infrastructure at fashions.litellm[.]cloud, the place the menace actors can entry it.
Supply: BleepingComputer
Rotate uncovered credentials!
Each malicious LiteLLM variations have been faraway from PyPI, with model 1.82.6 now the most recent clear launch.
Organizations that use LiteLLM are strongly suggested to instantly:
- Verify for installations of variations 1.82.7 or 1.82.8
- Instantly rotate all secrets and techniques, tokens, and credentials used on or discovered inside code on impacted gadgets.
- Seek for persistence artifacts reminiscent of ‘~/.config/sysmon/sysmon.py’ and associated systemd providers
- Examine methods for suspicious recordsdata like ‘/tmp/pglog’ and ‘/tmp/.pg_state’
- Overview Kubernetes clusters for unauthorized pods within the ‘kube-system’ namespace
- Monitor outbound site visitors to identified attacker domains
If compromise is suspected, all credentials on affected methods must be handled as uncovered and rotated instantly.
BleepingComputer has repeatedly lined breaches that stemmed from corporations not rotating credentials, secrets and techniques, and authentication tokens present in earlier breaches.
Each researchers and menace actors have informed BleepingComputer that whereas rotating secrets and techniques is tough, it is without doubt one of the greatest methods to stop cascading provide chain assaults.
Malware is getting smarter. The Purple Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 strategies and see in case your safety stack is blinded.
