Your AI Gateway: A Backdoor via the LiteLLM Supply Chain Compromise

Summary: TeamPCP carried out one of the most sophisticated and multifaceted supply chain campaigns publicly documented, compromising LiteLLM on PyPI and showing how AI proxy services that aggregate API keys and cloud credentials become high-value targets when an upstream dependency is compromised.

TeamPCP, a criminal group, orchestrated one of the most sophisticated and multifaceted supply chain campaigns publicly documented. LiteLLM, widely used as a gateway to multiple LLM providers, was compromised on PyPI: two published versions contained malicious code. The payload ran in three phases: credential theft, lateral movement within Kubernetes, and a persistent backdoor for remote code execution. Cloud platform credentials, SSH keys, and Kubernetes secrets were collected and encrypted before exfiltration.

Key facts

  • LiteLLM, a widely used proxy package on PyPI, was compromised with versions 1.82.7 and 1.82.8 that contained malicious code.
  • The malicious payload implemented in these versions consisted of three phases: credential theft, Kubernetes lateral movement, and a persistent backdoor for remote code execution.
  • TeamPCP, a criminal group, showed a deep understanding of the Python runtime model, quickly adapting the attack to achieve stealth and persistence.

Why it matters

This compromise hits AI environments that centralize cloud and API credentials in a single proxy: one malicious dependency upgrade exposes every key the gateway holds. It underlines the need to pin and rigorously monitor open-source packages and to verify their integrity before deployment.
