TeamPCP compromises LiteLLM package on PyPI and steals developer credentials

The hacker group known as TeamPCP compromised the LiteLLM package in the PyPI repository and published malicious versions in recent days. The Python library, which unifies access to several large language model providers behind a single API, has recorded more than 95 million downloads in the last month and exceeds 3.4 million daily downloads. Versions 1.82.7 and 1.82.8 contained malicious code capable of harvesting sensitive credentials and installing persistence mechanisms in affected environments. Experts identified the incident on March 24, 2026, and the compromised versions were quickly removed from PyPI.

LiteLLM serves as a common gateway for integrating artificial intelligence services into development projects. Any import of the affected module triggered the hidden payload. Endor Labs detailed that the malicious code was injected into specific files within the package, including proxy_server.py and a .pth file that runs automatically when the Python interpreter starts.

  • Immediate verification of installations of versions 1.82.7 or 1.82.8 in on-premises environments and CI/CD pipelines.
  • Urgent rotation of all exposed SSH keys, cloud tokens, and secrets.
  • Inspection of artifacts such as suspicious .pth files and disguised systemd services.

Malicious code injection mechanism

The attackers inserted a base64-encoded payload into the litellm/proxy/proxy_server.py file in the compromised versions. This payload is decoded and executed every time the module is imported. Version 1.82.8 also added a litellm_init.pth file that guarantees automatic execution whenever the Python environment is started, expanding the scope of the attack even without direct use of the library.

The payload follows a well-defined three-step sequence. First, it performs system reconnaissance with commands such as hostname, whoami, uname and ip addr. It then collects miscellaneous credentials, including SSH keys, cloud configurations for AWS, GCP, and Azure, Kubernetes service tokens, .env files, database credentials, private TLS keys, and cryptocurrency wallet data. Finally, it attempts lateral movement on Kubernetes clusters by deploying privileged pods on each node.

Credential and secret theft details

The infostealer, a TeamPCP Cloud Stealer variant, bundles the collected data into an encrypted tpcp.tar.gz file. This file is sent to attacker-controlled infrastructure at the domain models.litellm.cloud. A systemd service disguised as “Telemetria Sistema Service” maintains periodic contact with checkmarx.zone to download additional payloads and ensure persistence.

Developers using LiteLLM in AI pipelines or applications accessing multiple LLM providers face elevated risk of exposure. The attack shares technical similarities with the earlier compromise of Aqua Security’s Trivy scanner, also attributed to the same group. Reports indicate that hundreds of thousands of data extractions have occurred, although exact numbers remain under independent verification.

Previous attacks by the TeamPCP group

TeamPCP had already compromised the Trivy project and related Aqua Security components recently. This sequence of incidents demonstrates a focus on tools widely adopted in the software development chain, especially those integrated with CI/CD flows and cloud-native environments. The group has also exploited Kubernetes clusters with scripts that behave differently depending on geographic region.

The installed persistence includes a systemd backdoor that automatically fetches additional binaries. Analysts have observed attempts to completely wipe systems when specific configurations are detected, while in other cases the focus remains on the silent collection of secrets.

Recommended measures for affected organizations

Organizations should check installation logs and immediately upgrade to version 1.82.6 or higher, which is considered clean. Rotating all secrets and tokens found on potentially affected devices is a priority action to limit damage. Searching for suspicious files like ~/.config/sysmon/sysmon.py, /tmp/pglog, and rogue pods in the kube-system namespace helps identify residual compromises.
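The version and file checks above can be scripted. The following is an added example, not code from the article or from the LiteLLM project; the function names are this example's own, and it assumes the standard wheel layout in which an installed package leaves a "<name>-<version>.dist-info" directory in site-packages.

```python
"""Audit site-packages and host paths for the indicators named in the article."""
import site
import sys
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}   # versions named in the article
BAD_PTH = "litellm_init.pth"          # file the article says 1.82.8 added
HOST_ARTIFACTS = ["~/.config/sysmon/sysmon.py", "/tmp/pglog"]  # from the article


def audit_site_packages(site_dir):
    """Return (kind, detail) findings for one site-packages directory."""
    site_dir = Path(site_dir)
    findings = []
    # Installed wheels leave a "<name>-<version>.dist-info" directory behind.
    for info in sorted(site_dir.glob("*.dist-info")):
        name, _, version = info.name.removesuffix(".dist-info").rpartition("-")
        if name.lower() == "litellm" and version in BAD_VERSIONS:
            findings.append(("bad-version", version))
    # The site module executes every .pth line that starts with "import".
    for pth in sorted(site_dir.glob("*.pth")):
        if pth.name == BAD_PTH:
            findings.append(("known-pth", pth.name))
        lines = pth.read_text(errors="replace").splitlines()
        if any(line.startswith(("import ", "import\t")) for line in lines):
            findings.append(("pth-executes-code", pth.name))
    return findings


def audit_host_artifacts(paths=HOST_ARTIFACTS):
    """Return those of the given indicator paths that exist on this host."""
    return [p for p in paths if Path(p).expanduser().exists()]


if __name__ == "__main__":
    dirs = [Path(d) for d in site.getsitepackages() + [site.getusersitepackages()]]
    hits = [(str(d), f) for d in dirs if d.is_dir() for f in audit_site_packages(d)]
    hits += [("host", ("artifact", p)) for p in audit_host_artifacts()]
    for where, (kind, detail) in hits:
        print(f"{where}: {kind}: {detail}")
    sys.exit(1 if hits else 0)
```

An import line in a .pth file is not malicious by itself (setuptools and editable installs use them), so a pth-executes-code finding is a prompt for review, while bad-version and known-pth match the article's indicators directly.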

Monitoring outbound traffic to domains associated with the attackers complements these initial actions. Experts stress that regular credential rotation significantly reduces the risk of cascading attacks in the software supply chain. Security teams need to inspect Kubernetes environments for unauthorized lateral movement.

Persistent payload technical analysis

The backdoor, installed as a systemd user service, maintains communication with a remote server to receive further instructions. This architecture allows attackers to expand control over infected systems over time. The exfiltration mechanism encrypts data before sending, making it difficult to detect in transit.

Developers who maintain Python dependencies in shared environments or containers should audit recent installation history. The popularity of LiteLLM in artificial intelligence projects increases the potential reach of the incident in modern development ecosystems.

Updates on removal of malicious versions

Versions 1.82.7 and 1.82.8 were removed from PyPI after the issue was identified. The project's maintainers issued security alerts and guidance for users. The security community is following the case to map possible impacts on repositories that transitively depend on LiteLLM.

Researchers continue to analyze samples of the malware to identify new variants or additional behaviors. Users who installed the affected versions need to treat all credentials present on their systems as potentially exposed.