TeamPCP, the threat actor behind the recent compromises of Trivy and KICS, has now compromised a popular Python package named litellm, pushing two malicious versions containing a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor.
Multiple security vendors, including Endor Labs and JFrog, revealed that litellm versions 1.82.7 and 1.82.8 were published on March 24, 2026, likely stemming from the package's use of Trivy in their CI/CD workflow. Both the backdoored versions have since been removed from PyPI.
“The payload is a three-stage attack: a credential harvester sweeping SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files; a Kubernetes lateral movement toolkit deploying privileged pods to every node; and a persistent systemd backdoor (sysmon.service) polling ‘checkmarx[.]zone/raw’ for additional binaries,” Endor Labs researcher Kiran Raj said.
As observed in previous cases, the harvested data is exfiltrated as an encrypted archive (“tpcp.tar.gz”) to a command-and-control domain named “models.litellm[.]cloud” via an HTTPS POST request.
In the case of 1.82.7, the malicious code is embedded in the “litellm/proxy/proxy_server.py” file, with the injection performed during or after the wheel build process. The code is engineered to be executed at module import time, such that any process that imports “litellm.proxy.proxy_server” triggers the payload without requiring any user interaction.
The next iteration of the package adds a “more aggressive vector” by incorporating a malicious “litellm_init.pth” at the wheel root, causing the logic to be executed automatically on every Python process startup in the environment, not just when litellm is imported.
Another aspect that makes 1.82.8 more dangerous is the fact that the .pth launcher spawns a child Python process via subprocess.Popen, which allows the payload to be run in the background.
“Python .pth files placed in site-packages are processed automatically by site.py at interpreter startup,” Endor Labs said. “The file contains a single line that imports a subprocess and launches a detached Python process to decode and execute the same Base64 payload.”
The payload decodes to an orchestrator that unpacks a credential harvester and a persistence dropper. The harvester also leverages the Kubernetes service account token (if present) to enumerate all nodes in the cluster and deploy a privileged pod to each one of them. The pod then chroots into the host file system and installs the persistence dropper as a systemd user service on every node.
The systemd service is configured to launch a Python script (“~/.config/sysmon/sysmon.py”) – the same name used in the Trivy compromise – that reaches out to “checkmarx[.]zone/raw” every 50 minutes to fetch a URL pointing to the next-stage payload. If the URL contains youtube[.]com, the script aborts execution – a kill switch pattern common to all the incidents observed so far.
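The host-side indicators described above (the two affected versions, the “litellm_init.pth” launcher, and the “~/.config/sysmon/sysmon.py” script) can be checked with a short audit script. This is an added example, not code from the article or from the vendors it quotes; the function names are illustrative, and it relies on the standard CPython rule that site.py executes any .pth line beginning with "import".

```python
import re
import site
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}             # versions named in the article
KNOWN_BAD_PTH = "litellm_init.pth"              # launcher file named in the article
PERSISTENCE = Path(".config/sysmon/sysmon.py")  # path under the user's home, per the article
# site.py executes any .pth line that begins with "import" plus a space or tab.
EXEC_LINE = re.compile(r"^import[ \t]")

def executable_pth_lines(site_dir):
    """Map each .pth file in site_dir to the lines site.py would execute."""
    hits = {}
    for pth in sorted(Path(site_dir).glob("*.pth")):
        lines = pth.read_text(errors="replace").splitlines()
        code = [ln for ln in lines if EXEC_LINE.match(ln)]
        if code:
            hits[pth.name] = code
    return hits

def audit(site_dir, home):
    """Return findings for one site-packages directory and one home directory."""
    findings = []
    for dist in metadata.distributions(path=[str(site_dir)]):
        name = (dist.metadata.get("Name") or "").lower()
        if name == "litellm" and dist.version in BAD_VERSIONS:
            findings.append(f"affected litellm {dist.version} in {site_dir}")
    for pth_name, code in executable_pth_lines(site_dir).items():
        level = "KNOWN-BAD" if pth_name == KNOWN_BAD_PTH else "review"
        findings.append(f"{level}: {pth_name} runs code at startup: {code[0][:80]}")
    script = Path(home) / PERSISTENCE
    if script.exists():
        findings.append(f"persistence script present: {script}")
    return findings

if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    # De-duplicate, since the home-directory check repeats for every site dir.
    for finding in sorted({f for d in dirs for f in audit(d, Path.home())}):
        print(finding)
```

Entries marked "review" need triage rather than removal, because some legitimate packages also ship .pth files with import lines.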
“This campaign is almost certainly not over,” Endor Labs said. “TeamPCP has demonstrated a consistent pattern: each compromised environment yields credentials that unlock the next target. The pivot from CI/CD (GitHub Actions runners) to production (PyPI packages running in Kubernetes clusters) is a deliberate escalation.”
With the latest development, TeamPCP has waged a relentless supply chain attack campaign that has spanned five ecosystems, including GitHub Actions, Docker Hub, npm, Open VSX, and PyPI, to expand its targeting footprint and bring more and more systems into its control.

“TeamPCP is escalating a coordinated campaign targeting security tools and open source developer infrastructure, and is now openly taking credit for multiple follow-on attacks across ecosystems,” Socket said. “This is a sustained operation targeting high-leverage points in the software supply chain.”
In a message posted on their Telegram channel, TeamPCP said: “These companies were built to protect your supply chains yet they can’t even protect their own, the state of modern security research is a joke, as a result we’re gonna be around for a long time stealing terrabytes [sic] of trade secrets with our new partners.”
“The snowball effect from this will be massive, we are already partnering with other teams to perpetuate the chaos, many of your favourite security tools and open-source projects will be targeted in the months to come so stay tuned,” the threat actor added.
Users are advised to perform the following actions to contain the threat –
- Audit all environments for litellm versions 1.82.7 or 1.82.8, and if found, revert to a clean version
- Isolate affected hosts
- Check for the presence of rogue pods in Kubernetes clusters
- Review network logs for egress traffic to “models.litellm[.]cloud” and “checkmarx[.]zone”
- Remove the persistence mechanisms
- Audit CI/CD pipelines for usage of tools like Trivy and KICS during the compromise windows
- Revoke and rotate all exposed credentials
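For the rogue-pod check, one starting point is to list every pod that is both privileged and mounts a host path, then compare the result against the workloads you expect. This is an added example, not tooling from the article; the selection criterion is an assumption based on the article's description of privileged pods that chroot into the host file system, and the sample pods are constructed.

```python
import json
import sys

def risky_pods(pod_list):
    """Return privileged pods that mount host paths, bare pods mounting "/" first."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        privileged = [c.get("name") for c in containers
                      if (c.get("securityContext") or {}).get("privileged") is True]
        host_paths = [v["hostPath"].get("path") for v in spec.get("volumes", [])
                      if v.get("hostPath")]
        if not (privileged and host_paths):
            continue
        findings.append({
            "pod": f'{meta.get("namespace")}/{meta.get("name")}',
            "node": spec.get("nodeName"),
            "containers": privileged,
            "host_paths": host_paths,
            "mounts_host_root": "/" in host_paths,
            # An empty list means a bare pod that no controller created.
            "owners": [o.get("kind") for o in meta.get("ownerReferences", [])],
        })
    findings.sort(key=lambda f: (bool(f["owners"]), not f["mounts_host_root"], f["pod"]))
    return findings

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "kube-proxy-x1",
                  "ownerReferences": [{"kind": "DaemonSet"}]},
     "spec": {"nodeName": "node-a",
              "containers": [{"name": "kube-proxy",
                              "securityContext": {"privileged": True}}],
              "volumes": [{"name": "mod", "hostPath": {"path": "/lib/modules"}}]}},
    {"metadata": {"namespace": "default", "name": "web-1"},
     "spec": {"nodeName": "node-a", "containers": [{"name": "web"}]}},
    {"metadata": {"namespace": "default", "name": "example-pod"},
     "spec": {"nodeName": "node-b",
              "containers": [{"name": "c1", "securityContext": {"privileged": True}}],
              "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}},
]}

if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python this_script.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in risky_pods(data):
        print(json.dumps(finding))
```

Expect system DaemonSets such as CNI or proxy agents in the output; pods with an empty "owners" list that mount "/" are the ones to examine first.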
“The open source supply chain is collapsing in on itself,” Gal Nagli, head of threat exposure at Google-owned Wiz, said in a post on X. “Trivy gets compromised → LiteLLM gets compromised → credentials from tens of thousands of environments end up in attacker hands → and those credentials lead to the next compromise. We are stuck in a loop.”



