{"id":377,"date":"2026-03-24T20:19:21","date_gmt":"2026-03-24T20:19:21","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=377"},"modified":"2026-03-24T20:19:21","modified_gmt":"2026-03-24T20:19:21","slug":"teampcp-backdoors-litellm-versions-1-82-7-1-82-8-likely-via-trivy-ci-cd-compromise","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=377","title":{"rendered":"TeamPCP Backdoors LiteLLM Versions 1.82.7\u20131.82.8 Likely via Trivy CI\/CD Compromise"},"content":{"rendered":"<div id=\"articlebody\">\n<p>TeamPCP, the threat actor behind the recent compromises of Trivy and KICS, has now compromised a popular Python package named <a href=\"https:\/\/pypi.org\/project\/litellm\/\" rel=\"noopener\" target=\"_blank\">litellm<\/a>, pushing two malicious versions containing a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor.<\/p>\n<p>Multiple security vendors, including <a href=\"https:\/\/www.endorlabs.com\/learn\/teampcp-isnt-done\" rel=\"noopener\" target=\"_blank\">Endor Labs<\/a> and <a href=\"https:\/\/research.jfrog.com\/post\/litellm-compromised-teampcp\/\" rel=\"noopener\" target=\"_blank\">JFrog<\/a>, revealed that litellm versions 1.82.7 and 1.82.8 were <a href=\"https:\/\/futuresearch.ai\/blog\/litellm-pypi-supply-chain-attack\/\" rel=\"noopener\" target=\"_blank\">published<\/a> on March 24, 2026, likely stemming from the <a href=\"https:\/\/github.com\/BerriAI\/litellm\/blob\/9343aeefca37aa49a6ea54397d7615adae5c72c9\/ci_cd\/security_scans.sh#L80\" rel=\"noopener\" 
target=\"_blank\">package&#8217;s use of Trivy<\/a> in their CI\/CD workflow. Both the backdoored versions have since been removed from PyPI.<\/p>\n<p>\u00abThe payload is a three-stage attack: a credential harvester sweeping SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files; a Kubernetes lateral movement toolkit deploying privileged pods to every node; and a persistent systemd backdoor (sysmon.service) polling &#8216;checkmarx[.]zone\/raw&#8217; for additional binaries,\u00bb Endor Labs researcher Kiran Raj said.<\/p>\n<p>As observed in previous cases, the harvested data is exfiltrated as an encrypted archive (\u00abtpcp.tar.gz\u00bb) to a command-and-control domain named \u00abmodels.litellm[.]cloud\u00bb via an HTTPS POST request.<\/p>\n<p>In the case of 1.82.7, the malicious code is embedded in the \u00ablitellm\/proxy\/proxy_server.py\u00bb file, with the injection performed during or after the wheel build process. 
The code is engineered to be executed at module import time, such that any process that imports \u00ablitellm.proxy.proxy_server\u00bb triggers the payload without requiring any user interaction.<\/p>\n<p>The next iteration of the package adds a \u00abmore aggressive vector\u00bb by incorporating a malicious \u00ablitellm_init.pth\u00bb at the wheel root, causing the logic to be executed automatically on every Python process startup in the environment, not just when litellm is imported.<\/p>\n<p>Another aspect that makes 1.82.8 more dangerous is the fact that the .pth launcher spawns a child Python process via <a href=\"https:\/\/docs.python.org\/3\/library\/subprocess.html#popen-constructor\" rel=\"noopener\" target=\"_blank\">subprocess.Popen<\/a>, which allows the payload to be run in the background.<\/p>\n<p>\u00abPython .pth files placed in site-packages are processed automatically by site.py at interpreter startup,\u00bb Endor Labs said. \u00abThe file contains a single line that imports a subprocess and launches a detached Python process to decode and execute the same Base64 payload.\u00bb<\/p>\n<p>The payload decodes to an orchestrator that unpacks a credential harvester and a persistence dropper. The harvester also leverages the Kubernetes service account token (if present) to enumerate all nodes in the cluster and deploy a privileged pod to each one of them. The pod then <a href=\"https:\/\/en.wikipedia.org\/wiki\/Chroot\" rel=\"noopener\" target=\"_blank\">chroots<\/a> into the host file system and installs the persistence dropper as a systemd user service on every node.<\/p>\n<p>The systemd service is configured to launch a Python script (\u00ab~\/.config\/sysmon\/sysmon.py\u00bb) \u2013 the same name used in the Trivy compromise \u2013 that reaches out to \u00abcheckmarx[.]zone\/raw\u00bb every 50 minutes to fetch a URL pointing to the next-stage payload. 
If the URL contains youtube[.]com, the script aborts execution \u2013 a kill switch pattern common to all the incidents observed so far.<\/p>\n<p>\u00abThis campaign is almost certainly not over,\u00bb Endor Labs said. \u00abTeamPCP has demonstrated a consistent pattern: each compromised environment yields credentials that unlock the next target. The pivot from CI\/CD (GitHub Actions runners) to production (PyPI packages running in Kubernetes clusters) is a deliberate escalation.\u00bb<\/p>\n<p>With the latest development, TeamPCP has waged a relentless supply chain attack campaign that has spanned five ecosystems, including GitHub Actions, Docker Hub, npm, Open VSX, and PyPI, to expand its targeting footprint and bring more and more systems under its control.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj2MLE-4dZUVruezq6H1P8KknTiMCxU1F6FA_JERQY6dlH44l4gmecsbB3WAW4njsQJvmN_7WIm62kDgQi3fG2w9UFQVfYE5WZGBd5UPYsxvD7GPT1JzUjD6U9bJOQ5bnZmhmYq4C9uSH5_m0cQb1vReiTAfa3_jLvRv_yaPq9FfRwSl2KNkizaUQ2wgTVQ\/s1700-e365\/telegram.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj2MLE-4dZUVruezq6H1P8KknTiMCxU1F6FA_JERQY6dlH44l4gmecsbB3WAW4njsQJvmN_7WIm62kDgQi3fG2w9UFQVfYE5WZGBd5UPYsxvD7GPT1JzUjD6U9bJOQ5bnZmhmYq4C9uSH5_m0cQb1vReiTAfa3_jLvRv_yaPq9FfRwSl2KNkizaUQ2wgTVQ\/s1700-e365\/telegram.jpg\" alt=\"\" border=\"0\" data-original-height=\"919\" data-original-width=\"1004\"\/><\/a><\/div>\n<p>\u00abTeamPCP is escalating a coordinated campaign targeting security tools and open source developer infrastructure, and is now openly taking credit for multiple follow-on attacks across ecosystems,\u00bb Socket <a href=\"https:\/\/socket.dev\/blog\/teampcp-targeting-security-tools-across-oss-ecosystem\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abThis is a sustained operation targeting high-leverage points in the software supply chain.\u00bb<\/p>\n<p>In a message <a href=\"https:\/\/t.me\/team_pcp\/98\" rel=\"noopener\" target=\"_blank\">posted<\/a> on their Telegram channel, TeamPCP said: \u00abThese companies were built to protect your supply chains yet they can&#8217;t even protect their own, the state of modern security research is a joke, as a result we&#8217;re gonna be around for a long time stealing terrabytes [sic] of trade secrets with our new partners.\u00bb<\/p>\n<p>\u00abThe snowball effect from this will be massive, we are already partnering with other teams to perpetuate the chaos, many of your favourite security tools and open-source projects will be targeted in the months to come so stay tuned,\u00bb the threat actor <a href=\"https:\/\/t.me\/team_pcp\/94\" rel=\"noopener\" target=\"_blank\">added<\/a>.<\/p>\n<p>Users are advised to perform the following actions to contain the threat &#8211;<\/p>\n<ul>\n<li>Audit all environments for litellm versions 1.82.7 or 1.82.8, and if found, revert to a clean version<\/li>\n<li>Isolate affected hosts<\/li>\n<li>Check for the presence of rogue pods in Kubernetes clusters<\/li>\n<li>Review network logs for egress traffic to \u00abmodels.litellm[.]cloud\u00bb and \u00abcheckmarx[.]zone\u00bb<\/li>\n<li>Remove the persistence mechanisms<\/li>\n<li>Audit CI\/CD pipelines 
for usage of tools like Trivy and KICS during the compromise windows<\/li>\n<li>Revoke and rotate all exposed credentials<\/li>\n<\/ul>\n<p>\u00abThe open source supply chain is collapsing in on itself,\u00bb Gal Nagli, head of threat exposure at Google-owned Wiz, <a href=\"https:\/\/x.com\/galnagli\/status\/2036434999998836856\" rel=\"noopener\" target=\"_blank\">said<\/a> in a post on X. \u00abTrivy gets compromised \u2192 LiteLLM gets compromised \u2192 credentials from tens of thousands of environments end up in attacker hands \u2192 and those credentials lead to the next compromise. We are stuck in a loop.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>TeamPCP, the threat actor behind the recent compromises of Trivy and KICS, has now compromised a popular Python package named litellm, pushing two malicious versions containing a credential harvester, a&hellip;<\/p>\n","protected":false},"author":1,"featured_media":378,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[868,104,576,869,866,855,800,867],"class_list":["post-377","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-1-82-71-82-8","tag-backdoors","tag-cicd","tag-compromise","tag-litellm","tag-teampcp","tag-trivy","tag-versions"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/377","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=377"}],"version-history":[{"count":0,"href":"https:\
/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/377\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/378"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=377"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=377"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=377"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}