Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise
Trend Micro reveals that TeamPCP compromised the LiteLLM AI proxy package on PyPI, deploying a three-stage malware that stole cloud credentials and Kubernetes secrets in a cascading supply chain attack.

Trend Micro has published a detailed analysis of a supply chain compromise that struck LiteLLM, a popular Python package that serves as a unified gateway to multiple LLM providers and is downloaded 3.4 million times per day. On March 24, production systems running LiteLLM began crashing with runaway processes, pegged CPUs, and out-of-memory errors. The stack traces pointed to versions 1.82.7 and 1.82.8 of the package on PyPI, which were found to contain malicious code that stole cloud credentials, SSH keys, and Kubernetes secrets.
The malicious versions deployed a sophisticated three-stage payload. The first stage was a credential harvester targeting over 50 categories of secrets from cloud platforms, environment variables, and configuration files. The second stage was a Kubernetes lateral movement toolkit capable of compromising entire clusters by exploiting stolen service account tokens and API server access. The third stage was a persistent backdoor providing ongoing remote code execution. The collected data was encrypted using AES-256-CBC with an RSA-4096 public key before exfiltration to a typosquatted domain (scan[.]aquasecurtiy[.]org, resolving to 45[.]148[.]10[.]212).
Trend Micro attributes the LiteLLM compromise to the criminal group TeamPCP, which has previously targeted security tools like Trivy and Checkmarx KICS in a broader, multi-ecosystem supply chain campaign. The campaign spanned PyPI, npm, Docker Hub, GitHub Actions, and OpenVSX in a single coordinated operation. While not specifically targeting AI infrastructure, the cascade through developer tooling caught LiteLLM in its blast radius and exposed how AI proxy services that concentrate API keys and cloud credentials become high-value collateral when supply chain attacks compromise upstream dependencies.
The attack chain began with a compromise of the open-source vulnerability scanner Trivy, developed by Aqua Security. In late February 2026, an actor operating under the handle MegaGame10418 exploited a misconfigured pull_request_target workflow in Trivy's CI to exfiltrate the aqua-bot Personal Access Token. Aqua Security disclosed the incident on March 1 and initiated credential rotation, but the rotation "wasn't atomic and attackers may have been privy to refreshed tokens," according to Aqua. On March 19, TeamPCP used still-valid credentials to force-push 76 of 77 release tags in the trivy-action repository and all seven tags in setup-trivy to malicious commits containing a multi-stage credential stealer.
This is a supply chain attack in which the security scanner itself became the entry point. The malicious code scraped the Runner.Worker process memory for secrets, harvested cloud credentials and SSH keys, and exfiltrated the data. The legitimate Trivy scan still ran afterward and produced normal output, leaving no visible indication of compromise. Credentials stolen this way gave TeamPCP the keys to publish arbitrary versions of LiteLLM to PyPI, exploiting the trust placed in a widely used tool to spread the backdoor across the software supply chain.
Trend Micro provides detailed indicators of compromise and MITRE ATT&CK mappings in their full report, and notes that this is an ongoing and developing story. The incident underscores the elevated risk to AI infrastructure as threat actors recognize the concentrated value of AI gateways that aggregate credentials and API keys. Organizations using LiteLLM are urged to immediately audit their environments, rotate any credentials that may have been exposed, and ensure they are running a clean, verified version of the package.
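As an added defensive check (not code from Trend Micro, LiteLLM, or the report), the script below flags pip requirement pins and the installed distribution that match the two compromised releases named above; the pin regex and the PEP 503 name normalisation in `_canonical` are the author's assumptions about how requirement files are written.

```python
"""Audit for the compromised LiteLLM releases (1.82.7 and 1.82.8)."""
import re
from importlib import metadata

# Versions the Trend Micro analysis identifies as carrying the payload.
COMPROMISED_VERSIONS = {"1.82.7", "1.82.8"}

# Matches an exact pin such as `litellm==1.82.7` or `LiteLLM[proxy]==1.82.8`.
# Range specifiers (>=, ~=) are deliberately not matched: they are not a
# known-bad pin, although a fresh resolve could still pick a bad release.
_PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*==\s*(?P<ver>[0-9][0-9A-Za-z.]*)"
)


def _canonical(name: str) -> str:
    """PEP 503 name normalisation: case-fold, collapse runs of -_. to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_compromised_pins(lines, package="litellm"):
    """Return (line_no, version) for each line pinning `package` to a bad release."""
    wanted = _canonical(package)
    hits = []
    for no, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = _PIN_RE.match(line)
        if not m or _canonical(m.group("name")) != wanted:
            continue
        if m.group("ver") in COMPROMISED_VERSIONS:
            hits.append((no, m.group("ver")))
    return hits


def installed_is_compromised(package="litellm"):
    """True if the distribution installed in this interpreter is a bad release."""
    try:
        return metadata.version(package) in COMPROMISED_VERSIONS
    except metadata.PackageNotFoundError:
        return False


if __name__ == "__main__":
    import sys

    # Constructed sample used when no requirements file is given on the command line.
    sample = ["litellm==1.82.6", "LiteLLM[proxy]==1.82.7  # pinned 2026-03"]
    source = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else sample
    for no, ver in find_compromised_pins(source):
        print(f"line {no}: litellm=={ver} is a compromised release")
    if installed_is_compromised():
        print("installed litellm is a compromised release; rotate exposed credentials")
```

A hit in a lock file or in the live environment means the host should be treated as exposed; per the report, that calls for credential rotation rather than only an upgrade.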
The attack also highlights a broader pattern of TeamPCP's operations. The group has demonstrated deep understanding of Python execution models and adapted rapidly for stealth and persistence. Similarly compromised security tools like Trivy and Checkmarx KICS were used to steal credentials and propagate malicious payloads, leveraging compromised CI/CD pipelines and security scanners to escalate privileges and publish trojanized packages. This multi-ecosystem campaign, spanning developer tooling and runtime dependencies, represents one of the most sophisticated supply chain attacks publicly documented to date.