LiteLLM PyPI Supply Chain Attack Steals Cloud Credentials

Strategic Overview

  • 01. On March 24, 2026, malicious LiteLLM versions 1.82.7 and 1.82.8 were published to PyPI containing a three-stage credential-stealing payload that harvested SSH keys, cloud credentials, Kubernetes configs, crypto wallets, and .env files.
  • 02. The attack was part of a broader campaign by TeamPCP/LAPSUS$ that previously compromised Aqua Security's Trivy scanner and Checkmarx's KICS GitHub Action, using stolen CI/CD credentials to chain supply chain attacks across ecosystems.
  • 03. LiteLLM receives approximately 97 million downloads per month and is present in 36% of cloud environments, making this one of the highest-impact PyPI supply chain attacks to date.
  • 04. The malicious packages were available for approximately 3 hours before PyPI quarantined them, but at least 1,000 SaaS environments were impacted and 10+ major downstream projects including DSPy, MLflow, OpenHands, and CrewAI issued emergency security patches.
  • 05. Version 1.82.8 introduced a .pth file (litellm_init.pth) that executes automatically on every Python startup, establishing persistence independent of the LiteLLM package itself. A systemd-based backdoor polled checkmarx.zone every 50 minutes for further instructions.
  • 06. Docker image users of LiteLLM were not impacted by this attack. LiteLLM has paused all releases pending a full supply chain security review, with Google Mandiant engaged for forensic analysis.

Why This Matters

The LiteLLM compromise represents a critical inflection point in software supply chain security because it demonstrates how a single compromised credential can cascade across multiple ecosystems in a matter of weeks. The attack chain began with Trivy, moved to Checkmarx, and culminated in LiteLLM, each compromise providing the credentials and access needed for the next. This is not a novel concept, but the speed, scale, and sophistication of TeamPCP's campaign set a new benchmark for supply chain threat actors.

The incentive structure driving these attacks is clear: AI infrastructure packages like LiteLLM sit at critical chokepoints in modern cloud architectures. With 97 million monthly downloads and presence in 36% of cloud environments, compromising a single package yields access to cloud credentials, API keys, and Kubernetes configurations across thousands of organizations simultaneously. The economics overwhelmingly favor attackers—a few hours of access to a popular package can harvest credentials that would take years to obtain through traditional intrusion methods. The fact that TeamPCP specifically targeted security scanning tools (Trivy, Checkmarx) before moving to AI infrastructure suggests deliberate strategy: neutralize the detection layer before attacking the target.

The broader driver is the AI industry's explosive growth outpacing its security maturity. Organizations are rapidly adopting LLM orchestration tools like LiteLLM without adequately vetting their supply chains, creating a massive attack surface that threat actors are now systematically exploiting.

How It Works

The attack unfolded through a carefully orchestrated chain of CI/CD compromises. TeamPCP first breached Aqua Security's Trivy scanner on February 28, 2026, using an AI-powered attack tool called hackerbot-claw. This gave them access to CI/CD secrets, including credentials that connected Trivy's pipeline to other projects. When the Trivy breach was partially cleaned up but secrets were not fully rotated, TeamPCP leveraged the residual access to compromise Checkmarx's KICS GitHub Action on March 23 and, critically, to obtain LiteLLM's PyPI publishing credentials.

The payload itself was deployed in two iterations. Version 1.82.7 embedded a base64-encoded payload directly in litellm/proxy/proxy_server.py—a file commonly imported by LiteLLM users. Version 1.82.8 escalated the technique by including a .pth file (litellm_init.pth) in the package. Python .pth files are processed automatically by the site module during interpreter startup, meaning the malicious code executes every time Python runs in that environment, regardless of whether LiteLLM is explicitly imported. This persistence mechanism survives even if the malicious LiteLLM package is uninstalled, as long as the .pth file remains in the site-packages directory.
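The startup behaviour described above follows from one rule in CPython's site module: a line in a .pth file that starts with `import ` (or `import` followed by a tab) is passed to `exec()`, while every other non-blank, non-comment line is appended to `sys.path`. The auditor below applies that rule in reverse to find .pth files that would run code at interpreter start. It is an added example, not code from LiteLLM, from the article, or from CPython; it uses only the standard library, the sample .pth files and their names are constructed, and `scan_pth_files` and `PthFinding` are names chosen here. One caveat for responders: an interpreter started with `python -S` skips site processing, so audit the site-packages of the interpreter that actually runs your workloads, including every virtualenv.

```python
"""Audit .pth files in site-packages for lines the site module would exec().

Added example, not code from the LiteLLM project or the original article.
Mirrors the rule in CPython's site.addpackage(): a .pth line starting with
"import " or "import\t" is executed; other non-blank, non-comment lines are
paths. The sample .pth files below are constructed for demonstration only.
"""
import os
import site
import sys
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class PthFinding:
    path: str      # .pth file that contains the executable line
    lineno: int    # 1-based line number inside that file
    line: str      # the line exactly as site.py would exec() it


def is_exec_line(line: str) -> bool:
    """True if site.addpackage() would exec() this .pth line."""
    return line.startswith(("import ", "import\t"))


def scan_pth_files(site_dirs) -> list:
    """Return every exec()-able line found in .pth files under the given directories."""
    findings = []
    for site_dir in site_dirs:
        if not os.path.isdir(site_dir):
            continue
        for name in sorted(os.listdir(site_dir)):
            if not name.endswith(".pth"):
                continue
            full = os.path.join(site_dir, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, raw in enumerate(fh, start=1):
                    line = raw.rstrip("\n")
                    if not line.strip() or line.startswith("#"):
                        continue  # site.py skips blank lines and comments
                    if is_exec_line(line):
                        findings.append(PthFinding(full, lineno, line))
    return findings


def demo() -> list:
    """Scan a constructed site-packages dir holding one benign and one executable .pth."""
    with tempfile.TemporaryDirectory() as tmp:
        # Benign: a path-only .pth, the kind editable installs write.
        with open(os.path.join(tmp, "editable-example.pth"), "w") as fh:
            fh.write("/opt/example/src\n")
        # Suspicious (constructed): an import line runs at every interpreter start.
        # It is only scanned here, never executed.
        with open(os.path.join(tmp, "example_init.pth"), "w") as fh:
            fh.write("# constructed sample\nimport os; print('hook ran')\n")
        return scan_pth_files([tmp])


if __name__ == "__main__":
    # Audit this interpreter's real site-packages; review every hit by hand,
    # since some legitimate tools (coverage, editable installs) also use import lines.
    dirs = getattr(site, "getsitepackages", lambda: [])() + [site.getusersitepackages()]
    real = scan_pth_files(dirs)
    for f in real:
        print(f"{f.path}:{f.lineno}: {f.line}")
    print(f"{len(real)} executable .pth line(s) found; interpreter: {sys.executable}")
```

Not every hit is malicious: a handful of legitimate tools install import-style .pth hooks, so the useful output is the diff between what the scan finds and what your build is known to install. Anything unexplained in the site-packages of a host that installed an affected release is worth preserving for forensics before it is removed.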

The payload operated in three stages. First, it harvested sensitive files, including SSH keys (~/.ssh/), cloud credentials (~/.aws/, ~/.gcp/, ~/.azure/), Kubernetes configs (~/.kube/config), cryptocurrency wallets, and .env files. Second, it encrypted the exfiltrated data with AES-256-CBC, wrapping the AES key with RSA-4096, before transmitting it to attacker-controlled infrastructure. Third, it installed a persistent systemd service that polled checkmarx.zone every 50 minutes for additional commands and, in Kubernetes environments, deployed privileged pods to every node for lateral movement across the cluster.

By The Numbers

The scale of potential exposure is staggering. LiteLLM receives 97 million downloads per month (approximately 3.4 million daily), with 480 million total PyPI downloads to date. Wiz Research found the package present in 36% of cloud environments they monitor. While the malicious versions were available for only approximately 3 hours, the daily download rate means tens of thousands of installations could have occurred in that window. At least 1,000 SaaS environments were confirmed impacted.

The broader TeamPCP campaign compromised 76 of 77 Trivy version tags on GitHub, 35 Checkmarx KICS Action tags, and 66+ npm packages across 5 different ecosystems. This is not an isolated incident but a coordinated campaign targeting the software supply chain at multiple points simultaneously.

For context, the 2024 Ultralytics compromise—which followed a similar CI/CD attack pattern—affected a package with far fewer monthly downloads. The LiteLLM attack represents an order-of-magnitude escalation in both target value and potential blast radius. The 10+ downstream projects that issued emergency patches (including DSPy, MLflow, OpenHands, and CrewAI) represent some of the most widely used AI/ML frameworks, amplifying the transitive dependency risk that Andrej Karpathy highlighted.

Impacts & What's Next

In the short term, any organization that installed LiteLLM 1.82.7 or 1.82.8 faces a critical incident response. Beyond uninstalling the package, they must check for and remove the persistent .pth file and systemd backdoor, rotate all potentially exposed credentials (cloud, SSH, Kubernetes, API keys), audit Kubernetes clusters for unauthorized privileged pods, and scan for lateral movement. The 3-hour window creates urgency but also a bounded scope for investigation.
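Three of the response steps just listed (confirm whether an affected release is installed, look for the systemd backdoor, audit the cluster for privileged pods) can be scripted. The following is an added example, not code from LiteLLM, Wiz, or the article. Its assumptions: the systemd unit directories are the standard Linux ones; the only indicator it searches unit files for is the checkmarx.zone polling domain the report names, because the report does not give the unit's file name, so a hit is a lead to investigate rather than proof; and the kubectl JSON and unit files in the block are constructed samples.

```python
"""Incident triage helpers for a host or cluster that may have installed
LiteLLM 1.82.7 or 1.82.8.

Added example, not code from LiteLLM, PyPI or the original article.
Checks: (1) is the installed litellm one of the two malicious releases,
(2) do any systemd unit files mention the polling domain named in the report,
(3) which pods in a cluster run privileged containers. The kubectl output and
the unit files below are constructed samples.
"""
import json
import os
import tempfile
from importlib import metadata
from typing import Optional

AFFECTED_LITELLM = {"1.82.7", "1.82.8"}   # versions named in the report
INDICATOR_DOMAIN = "checkmarx.zone"        # polling domain named in the report
SYSTEMD_UNIT_DIRS = (                      # standard unit search paths on Linux
    "/etc/systemd/system",
    "/usr/lib/systemd/system",
    "/lib/systemd/system",
    os.path.expanduser("~/.config/systemd/user"),
)


def is_affected_litellm(version: str) -> bool:
    """True for the two releases that carried the payload."""
    return version.strip() in AFFECTED_LITELLM


def installed_litellm_version() -> Optional[str]:
    """Version of litellm in the current interpreter, or None if not installed."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def find_units_with_indicator(unit_dirs, indicator: str = INDICATOR_DOMAIN) -> list:
    """Return systemd .service/.timer files whose contents mention the indicator."""
    hits = []
    for d in unit_dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith((".service", ".timer")):
                continue
            full = os.path.join(d, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if indicator in fh.read():
                        hits.append(full)
            except OSError:
                continue  # unreadable unit: note it, keep scanning
    return hits


def find_privileged_pods(pod_list: dict) -> list:
    """From `kubectl get pods -A -o json`, list (namespace, pod, container) running privileged."""
    found = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for c in containers:
            sc = c.get("securityContext") or {}
            if sc.get("privileged") is True:
                found.append((meta.get("namespace"), meta.get("name"), c.get("name")))
    return found


# Constructed kubectl output: one ordinary pod and one privileged pod.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "web-0"},
   "spec": {"containers": [{"name": "web", "securityContext": {"privileged": false}}]}},
  {"metadata": {"namespace": "kube-system", "name": "node-agent-abc12"},
   "spec": {"containers": [{"name": "agent", "securityContext": {"privileged": true}}]}}
]}
""")


def demo_unit_scan() -> list:
    """Write a constructed unit that mentions the indicator, plus a benign one, and scan."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "example-poller.service"), "w") as fh:
            fh.write("[Service]\nExecStart=/usr/local/bin/poller https://checkmarx.zone/\n")
        with open(os.path.join(tmp, "benign.service"), "w") as fh:
            fh.write("[Service]\nExecStart=/usr/bin/true\n")
        return [os.path.basename(p) for p in find_units_with_indicator([tmp])]


if __name__ == "__main__":
    v = installed_litellm_version()
    print("litellm:", v, "AFFECTED" if v and is_affected_litellm(v) else "not an affected version")
    print("units referencing indicator:", find_units_with_indicator(SYSTEMD_UNIT_DIRS))
    print("privileged pods in sample:", find_privileged_pods(SAMPLE_POD_LIST))
```

Run the version check with the interpreter of each environment that can import litellm, not just the system Python; feed real cluster data by passing `json.load(sys.stdin)` from `kubectl get pods -A -o json` into `find_privileged_pods`, and compare the result against the DaemonSets you expect (CNI, monitoring agents) so that only unexplained privileged pods are escalated. Whatever the script finds, the credential rotation step applies regardless of its output, because the payload exfiltrated secrets before establishing persistence.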

In the medium term, LiteLLM's decision to pause all releases pending a supply chain review will disrupt the AI development ecosystem. Organizations relying on LiteLLM for production LLM API routing will need to freeze their current (clean) versions or evaluate alternatives. The 10+ downstream projects that issued emergency patches demonstrate the cascading disruption a single compromised dependency can cause. Google Mandiant's engagement suggests the forensic investigation could reveal additional compromised infrastructure.

In the long term, this attack will accelerate adoption of OIDC-based PyPI publishing (Trusted Publishers), which eliminates long-lived API tokens from CI/CD pipelines. It will also drive demand for runtime integrity monitoring, .pth file auditing, and more granular dependency pinning with hash verification. The Python ecosystem may implement structural changes to how .pth files are processed, given their now-demonstrated risk as an attack surface. The broader trend of supply chain attacks targeting AI infrastructure specifically is likely to intensify as AI adoption grows.
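To make "dependency pinning with hash verification" concrete, the block below reproduces the decision a hash-checking installer makes when a pinned requirement meets a downloaded artifact. It is an added illustration, not pip's code and not from the article: pip performs this check itself with `pip install --require-hashes -r requirements.txt`, and the functions here only show what that check rejects. The requirement line, the artifact bytes, and the package name `example-llm-proxy` are all constructed placeholders.

```python
"""Verify a downloaded artifact against a hash-pinned requirement line.

Added example, not pip's own implementation: pip does this when run with
--require-hashes. The requirement line, artifact bytes and package name are
constructed here for demonstration.
"""
import hashlib
import re

_HASH_RE = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<digest>[0-9a-fA-F]+)")


def parse_pinned_requirement(line: str):
    """Split 'name==version --hash=algo:digest ...' into (name, version, {(algo, digest)})."""
    head = line.split("--hash=", 1)[0]
    m = re.match(r"\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s\\]+)", head)
    if not m:
        raise ValueError(f"not an exact pin: {line!r}")
    hashes = {(h.group("algo"), h.group("digest").lower()) for h in _HASH_RE.finditer(line)}
    return m.group(1), m.group(2), hashes


def artifact_matches(data: bytes, hashes) -> bool:
    """True if the artifact's digest matches any pinned (algo, digest) pair."""
    return any(hashlib.new(algo, data).hexdigest() == digest for algo, digest in hashes)


def make_pin(name: str, version: str, data: bytes) -> str:
    """Produce a requirements.txt line pinning the version and sha256 of a reviewed artifact."""
    return f"{name}=={version} --hash=sha256:{hashlib.sha256(data).hexdigest()}"


def check_install(requirement_line: str, artifact: bytes, published_version: str) -> str:
    """Installer decision: 'ok', 'version-mismatch' or 'hash-mismatch'."""
    name, version, hashes = parse_pinned_requirement(requirement_line)
    if published_version != version:
        return "version-mismatch"   # a newer release offered in place of the pinned one
    if not artifact_matches(artifact, hashes):
        return "hash-mismatch"      # same version string, different bytes
    return "ok"


# Constructed: the bytes a team reviewed and pinned ...
GOOD_WHEEL = b"PK\x03\x04 example-wheel-contents reviewed-at-pin-time"
PIN_LINE = make_pin("example-llm-proxy", "1.0.0", GOOD_WHEEL)  # placeholder package name
# ... and an artifact carrying the same version string but different contents.
TAMPERED_WHEEL = GOOD_WHEEL + b" extra"

if __name__ == "__main__":
    print(PIN_LINE)
    print(check_install(PIN_LINE, GOOD_WHEEL, "1.0.0"))       # ok
    print(check_install(PIN_LINE, TAMPERED_WHEEL, "1.0.0"))   # hash-mismatch
    print(check_install(PIN_LINE, GOOD_WHEEL, "1.0.1"))       # version-mismatch
```

Two outcomes matter for this incident. An exact version pin alone would have kept a pipeline on a clean release rather than resolving to 1.82.7 or 1.82.8 when they appeared; the hash adds protection on the distribution path (mirrors, caches, proxies) where an artifact with a trusted version string could be substituted. Neither helps if the pin is bumped to the malicious version without review, which is why the pin update itself needs to go through the same review as code.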

The Bigger Picture

This attack crystallizes a fundamental tension in the modern software ecosystem: the tools we build to accelerate development and the tools we build to secure it share the same fragile trust infrastructure. TeamPCP's campaign is notable not just for its technical sophistication but for its strategic targeting—compromising security scanners (Trivy, Checkmarx) before moving to high-value application packages (LiteLLM). By poisoning the security tools first, they degraded the ecosystem's ability to detect subsequent attacks.

The AI infrastructure layer is particularly vulnerable because it sits at the intersection of two trends: rapid adoption driven by competitive pressure, and deep integration with sensitive systems (cloud APIs, model serving infrastructure, data pipelines). LiteLLM's presence in 36% of cloud environments illustrates how quickly AI tooling has become load-bearing infrastructure, often without commensurate security investment.

As Guillaume Valadon of GitGuardian emphasized, the core failure was not the initial breach but the incomplete remediation that allowed one compromise to chain into the next. This pattern—where partial cleanup enables campaign persistence—is the defining challenge of supply chain security. The industry must shift from reactive incident response to proactive credential lifecycle management, where every secret exposed in a breach is rotated immediately and comprehensively, no matter the operational cost. The alternative, as this campaign demonstrates, is an expanding blast radius where each compromise fuels the next.

Historical Context

2024-12-01: A similar supply chain attack compromised the Ultralytics PyPI package through CI/CD pipeline manipulation, establishing a precedent for the attack pattern later used against LiteLLM.
2025-12-01: TeamPCP began operations as a threat actor group affiliated with LAPSUS$, targeting open-source supply chains with increasingly sophisticated CI/CD compromise techniques.
2026-02-28: TeamPCP compromised Trivy's CI/CD pipeline using an AI-powered attack tool called hackerbot-claw, gaining access to secrets that would later enable the LiteLLM and Checkmarx attacks.
2026-03-19: TeamPCP force-pushed 76 of 77 Trivy version tags on GitHub, injecting malicious code into what appeared to be legitimate scanner releases.
2026-03-23: 35 Checkmarx KICS GitHub Action tags were hijacked by TeamPCP, extending the supply chain compromise to another major security tooling vendor.
2026-03-24: Malicious LiteLLM versions 1.82.7 and 1.82.8 were published to PyPI using stolen credentials, containing a three-stage credential-stealing and backdoor payload that was quarantined within approximately 3 hours.

Power Map

Key Players

LiteLLM / BerriAI: Primary victim; maintainer of the compromised open-source LLM proxy library with 97M monthly PyPI downloads and 100+ LLM API integrations

TeamPCP (LAPSUS$ affiliate): Threat actor behind the campaign, operating since December 2025 under aliases PCPcat, Persy_PCP, ShellForce, and DeadCatx3

Aqua Security (Trivy): Initial supply chain victim; their Trivy scanner was compromised on Feb 28, 2026 and used as the entry point to steal LiteLLM's PyPI publishing credentials

Checkmarx: Secondary victim; 35 KICS GitHub Action tags were hijacked on March 23, 2026 as part of the same campaign

PyPI: Package registry that quarantined the malicious versions within approximately 3 hours of publication

Google Mandiant: Engaged by LiteLLM for forensic analysis of the breach and incident response

Wiz Research: Security firm that provided detailed technical analysis and found LiteLLM present in 36% of cloud environments

Downstream projects (DSPy, MLflow, OpenHands, CrewAI): At least 10 major AI/ML frameworks that depend on LiteLLM and issued emergency security PRs to pin or remove affected versions


Analysts

"Described the open-source supply chain as 'collapsing in on itself,' highlighting how a single compromised CI/CD credential can cascade through multiple ecosystems and thousands of downstream consumers."

Gal Nagli
Security Researcher, Wiz

"Argued that 'the bigger lesson is that incomplete cleanup turns one breach into a campaign' and that 'the hard problem is no longer finding a secret after it leaks—the hard problem is stopping that secret from becoming the attacker’s next foothold,' emphasizing that the Trivy-to-LiteLLM chain was enabled by inadequate secret rotation after the initial compromise."

Guillaume Valadon
Security Researcher, GitGuardian

"Characterized the payload as a sophisticated 'three-stage attack' that not only stole credentials but deployed 'privileged pods to every node' in Kubernetes clusters, enabling lateral movement far beyond the initial infection vector."

Kiran Raj
Security Researcher, Endor Labs

"Found that LiteLLM is present in 36% of cloud environments and highlighted the .pth file technique as an underappreciated attack surface in the Python ecosystem, noting that it persists even if the malicious package is uninstalled."

Wiz Research Team (Benjamin Read, Merav Bar, Rami McCarthy, James Haughom)
Researchers, Wiz

"Called the attack 'software horror' on X.com, warning about the risk of deep dependency tree poisoning and the fragility of the AI infrastructure ecosystem that relies heavily on transitive open-source dependencies."

Andrej Karpathy
AI Researcher, formerly OpenAI/Tesla

"Confirmed PyPI's quarantine of the compromised package on X.com, contributing to rapid community awareness of the incident."

Simon Willison
Open Source Developer, Creator of Datasette

The Crowd

"Software horror: litellm PyPI supply chain attack. Simple pip install litellm was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars, shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords."

@karpathy

"Whoa whoa whoa. Everyone CLAM down for a second. Earlier today someone broke the news that there was a supply chain attack impacting LiteLLM which had over 97 MILLION installs. Initially it was reported the payload was vibe coded which resulted in the payload failing. HOWEVER..."

@vxunderground

"Thankfully the LiteLLM package has now been marked as quarantined on PyPI so attempting to install the compromised update via pip et al should not work."

@simonw

"LiteLLM PyPI package compromised - versions 1.82.7 and 1.82.8 contain credential-stealing malware"

u/futuresearch_dev2847

Broadcast

BREAKING: LiteLLM Has Been Compromised - What You Need to Know and Do Immediately

LiteLLM hack: Big brain target for hackers

Trivy compromise - A Scanner Became a Weapon