TeamPCP Compromises LiteLLM PyPI Package in Expanding Supply Chain Campaign
The TeamPCP threat group has compromised the LiteLLM Python package on PyPI, stealing SSH keys, cloud credentials, and Kubernetes secrets from environments with over 95 million monthly downloads.
The TeamPCP threat group has expanded its multi-ecosystem supply chain campaign by compromising the LiteLLM Python package on PyPI, a widely used library with over 95 million monthly downloads. The malicious versions, 1.82.7 and 1.82.8, were uploaded on March 24, 2026, and contained hidden malware designed to harvest credentials, move laterally across Kubernetes environments, and install persistent backdoors. Both versions have since been removed from PyPI, and version 1.82.6 is currently considered the last clean release.
Security researchers from Endor Labs and JFrog analyzed the malware, revealing a sophisticated three-stage operation. The malicious code executed automatically when certain package components were imported, while the later version introduced a more aggressive mechanism that triggered whenever any Python process started in an affected environment. This meant the malware could run silently in the background even if the package was not actively used, making detection significantly more difficult.
The malware collected a wide range of sensitive data, including SSH keys and configuration files, cloud credentials from AWS, GCP, and Azure, Kubernetes secrets and configuration files, database credentials, environment files, cryptocurrency wallets, TLS and SSL private keys, and shell histories. The stolen data was encrypted and transmitted to attacker-controlled infrastructure, allowing attackers to access compromised environments later through persistent backdoors.
Researchers attributed the compromise to TeamPCP, the same threat group linked to earlier incidents involving the Trivy vulnerability scanner and malicious Docker images distributed through Docker Hub. The group has been running a multi-stage supply chain campaign across several developer ecosystems, including GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI.
Brett Leatherman, FBI Assistant Director of the Cyber Division, warned on LinkedIn: "Given the volume of stolen credentials across likely thousands of downstream environments, expect an increase in breach disclosures, follow-on intrusions, and extortion attempts in the coming weeks." Investigators believe the attackers are deliberately targeting developer and security tools because they often run with elevated privileges and have access to sensitive credentials and infrastructure.
Security experts urged organizations that installed the affected LiteLLM versions to assume credentials were exposed and to rotate all secrets, review systems for signs of compromise, and monitor for follow-on intrusions. The incident underscores the growing risk of supply chain attacks targeting the software development pipeline, where a single compromised package can cascade into widespread credential theft and lateral movement across enterprise environments.