Trend Micro Research has uncovered one of the most sophisticated multi-ecosystem supply chain campaigns publicly documented, targeting LiteLLM, a widely used Python package for AI services. Versions 1.82.7 and 1.82.8 contained malicious code that deployed a three-stage payload: credential harvesting, Kubernetes lateral movement, and a persistent backdoor for remote code execution. The attack targeted cloud credentials, SSH keys, and Kubernetes secrets; the stolen data was encrypted before exfiltration.
The campaign spanned several ecosystems, including PyPI, npm, Docker Hub, GitHub Actions, and OpenVSX. TeamPCP's tactics involved leveraging compromised CI/CD pipelines and security scanners such as Trivy to escalate privileges and propagate malicious payloads. The incident first surfaced as production systems running LiteLLM crashing with out-of-memory (OOM) errors, which pointed investigators to the compromised package.
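The most immediate defender action the write-up implies is to confirm whether any environment pins or resolves to the two affected releases. The following script is an added example, not code from Trend Micro or the LiteLLM project: it audits `requirements.txt` / `pip freeze` style input for the compromised LiteLLM versions named above, flags unpinned or range-based specifiers that could still resolve to them, and normalizes distribution names per PEP 503 so `LiteLLM`, `litellm`, and `lite_llm` spellings all match. The sample requirements text is constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Compromised releases named in the Trend Micro report (keyed by normalized name).
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}

# distribution name, optional extras such as [proxy], then whatever specifier follows
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[[^\]]*\])?"
    r"\s*(?P<spec>.*?)\s*$"
)


def normalize(name: str) -> str:
    """PEP 503 name normalization: runs of '-', '_', '.' collapse to '-' and case is folded."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pin(spec: str) -> Optional[str]:
    """Return the version if spec is a single exact '==' pin, else None."""
    m = re.fullmatch(r"==\s*([0-9][0-9A-Za-z.+!-]*)", spec.strip())
    return m.group(1) if m else None


@dataclass
class Finding:
    line_no: int
    package: str
    version: Optional[str]  # exact pin if present, otherwise None
    status: str             # "compromised", "unpinned", or "ok"


def audit_requirements(lines: Iterable[str]) -> List[Finding]:
    """Inspect requirement lines and report every entry for a package in COMPROMISED."""
    findings: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        # drop trailing comments and environment markers ("; python_version ...")
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("-"):  # blank lines and options like -r / -e / --index-url
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        pkg = normalize(m.group("name"))
        if pkg not in COMPROMISED:
            continue
        pin = parse_pin(m.group("spec"))
        if pin is None:
            status = "unpinned"          # range, URL reference, or no specifier: resolver may pick a bad release
        elif pin in COMPROMISED[pkg]:
            status = "compromised"
        else:
            status = "ok"
        findings.append(Finding(n, pkg, pin, status))
    return findings


def has_compromised(findings: Iterable[Finding]) -> bool:
    """True if any finding is an exact pin to a compromised release (use as a CI gate)."""
    return any(f.status == "compromised" for f in findings)


# Constructed sample input; the line with [proxy] mimics a common LiteLLM proxy install.
SAMPLE_REQUIREMENTS = """fastapi==0.110.0
litellm[proxy]==1.82.7   # exact pin to a compromised release
LiteLLM == 1.82.8
litellm>=1.82.0,<1.83
litellm==1.82.6
"""

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"line {f.line_no}: {f.package} {f.version or '(not pinned)'} -> {f.status}")
```

Feed the script a real `pip freeze` output or lockfile export to check a deployed environment; an "unpinned" result is worth resolving explicitly before trusting it, since a range such as `>=1.82.0,<1.83` admits both affected versions.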
The technical payload included a credential harvester targeting over 50 categories of secrets, a Kubernetes toolkit for cluster compromise, and a persistent backdoor enabling ongoing remote code execution. This sophisticated attack underscores the need for enhanced security measures in AI proxy services and emphasizes the critical importance of monitoring supply chain dependencies to protect sensitive data and operational integrity.
The compromised LiteLLM versions were deployed on major platforms, indicating the scale and sophistication of this multi-ecosystem attack. The incident highlights the risks associated with relying on third-party tools for AI infrastructure and the need for robust security practices to safeguard sensitive information.