Trend Micro Research indicates that TeamPCP orchestrated a supply chain campaign affecting the LiteLLM AI proxy package hosted on PyPI. Production environments experienced disruptions starting March 24, 2026, characterized by runaway processes and memory exhaustion errors, before engineers identified the malicious versions within the repository.
Investigation revealed that versions 1.82.7 and 1.82.8 contained code designed to harvest credentials across 50 categories and obtain remote access within Kubernetes clusters. The payload prioritized cloud credentials and SSH keys, initiating data exfiltration and potential encryption operations before execution ceased.
This incident is part of a broader attack chain spanning PyPI, npm, Docker Hub, GitHub Actions, and OpenVSX. Security tools previously targeted by this actor included Trivy and Checkmarx KICS, demonstrating how upstream dependencies act as critical vectors for ecosystem compromise.
Organizations using the affected package risk unauthorized movement within their clusters and encrypted data exfiltration. This underscores the necessity of validating upstream dependencies and monitoring behavioral anomalies within AI infrastructure supply chains to mitigate similar threats.
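
A check for the two releases named above, as an added example (not code from Trend Micro or the LiteLLM project): it scans requirements-style text for exact pins to 1.82.7 or 1.82.8, flags unpinned entries that may have resolved to one of them, and checks the version installed in the current environment. The function names and the sample input are constructed for illustration.

```python
import re
from importlib import metadata

# Releases the page names as malicious; key is the PEP 503 normalised name.
AFFECTED = {"litellm": {"1.82.7", "1.82.8"}}

_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
_EXACT = re.compile(r"^===?\s*([A-Za-z0-9][A-Za-z0-9.!+_-]*)$")

# Constructed sample, one line per case (not taken from a real project).
SAMPLE = r"""requests==2.32.3
LiteLLM[proxy]==1.82.8 ; python_version >= "3.9"
litellm>=1.80   # range: may have resolved to a bad release
litellm==1.82.6 \
    --hash=sha256:CONSTRUCTED_PLACEHOLDER
"""

def normalise(name):
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text):
    """Return (line_no, status, detail) for each line naming an affected package.

    status is 'affected' (exact pin to a bad release), 'ok' (exact pin to another
    release) or 'unpinned' (range, wildcard or bare name: check what was installed).
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        # Drop trailing comment, environment marker, hash options, continuation.
        line = re.split(r"\s+#|;|--hash|\\$", raw.strip(), maxsplit=1)[0].strip()
        if not line or line.startswith(("#", "-")):   # comments, pip options
            continue
        m = _REQ.match(line)
        if not m or normalise(m.group(1)) not in AFFECTED:
            continue
        name, spec = normalise(m.group(1)), m.group(2).strip()
        pin = _EXACT.match(spec)
        if pin is None:
            findings.append((line_no, "unpinned", spec or "(any)"))
        else:
            status = "affected" if pin.group(1) in AFFECTED[name] else "ok"
            findings.append((line_no, status, pin.group(1)))
    return findings

def installed_affected(package="litellm"):
    """Return the installed version if it is an affected release, else None."""
    try:
        version = metadata.version(package)
    except metadata.PackageNotFoundError:
        return None
    return version if version in AFFECTED.get(normalise(package), set()) else None
```

An `unpinned` finding is not a clean result: a range such as `>=1.80` could have resolved to either release while they were available, so confirm with `installed_affected()` or the environment's lock file.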