In a significant escalation of cyber warfare targeting open-source infrastructure, the notorious threat actor TeamPCP has successfully infiltrated LiteLLM, a widely-used Python package. This breach, affecting versions 1.82.7 and 1.82.8, introduced a sophisticated multi-stage backdoor designed to harvest credentials, facilitate Kubernetes lateral movement, and establish persistent access. The incident, brought to light by security researchers at Endor Labs and JFrog, underscores the critical vulnerabilities within software supply chains.
The Anatomy of a Three-Stage Attack
The malicious payload deployed by TeamPCP is a masterclass in stealth and persistence, executing a meticulously planned three-stage assault:
1. The Credential Harvester
At its core, the initial stage acts as a potent credential harvester. It systematically sweeps compromised systems for sensitive data, including SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and critical .env files. This treasure trove of information is then exfiltrated as an encrypted archive (tpcp.tar.gz) to a command-and-control (C2) domain, models.litellm[.]cloud, via an HTTPS POST request. This method mirrors tactics observed in TeamPCP’s previous campaigns, indicating a consistent operational methodology.
2. Kubernetes Lateral Movement Toolkit
Beyond data exfiltration, the attack leverages a specialized Kubernetes lateral movement toolkit. This component is engineered to exploit any available Kubernetes service account tokens, enumerating all nodes within a cluster. It then deploys privileged pods to each node, effectively gaining deep control over the Kubernetes environment. This allows the attackers to move freely and establish a pervasive presence across the infrastructure.
3. Persistent Systemd Backdoor
The final stage ensures long-term access through a persistent systemd backdoor, named sysmon.service. This backdoor, reminiscent of the one used in the Trivy compromise, is configured to periodically poll checkmarx[.]zone/raw for additional binaries or instructions. A notable “kill switch” mechanism is embedded: if the fetched URL contains youtube[.]com, the script aborts execution, a pattern observed across all TeamPCP incidents to date.
How the Backdoor Infiltrated LiteLLM
The compromise is believed to have originated from LiteLLM’s use of Trivy in their CI/CD workflow, a common vector for supply chain attacks. The malicious versions 1.82.7 and 1.82.8 were published on March 24, 2026, and have since been removed from PyPI.
- Version 1.82.7: The malicious code was subtly embedded within the litellm/proxy/proxy_server.py file. The injection likely occurred during or after the wheel build process. Crucially, this code was designed to execute at module import time, meaning any process importing litellm.proxy.proxy_server would inadvertently trigger the payload without requiring direct user interaction.
- Version 1.82.8: This iteration introduced a more aggressive vector. TeamPCP incorporated a malicious litellm_init.pth file at the wheel root. Python’s interpreter automatically processes .pth files in site-packages at startup. This meant the payload would execute automatically on every Python process startup in the environment, not just when LiteLLM was explicitly imported. Furthermore, the .pth launcher spawned a child Python process via subprocess.Popen, allowing the payload to run discreetly in the background, making detection even more challenging.
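A host-side check for the two delivery mechanisms described above, as an added example (not code from the article or from LiteLLM). It reads dist-info directory names instead of importing litellm, and lists every .pth line the interpreter would execute; the directory built in demo() is constructed and its .pth content is a harmless stand-in.

```python
import re
import site
import sys
import tempfile
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}      # versions named in the article
BAD_PTH = "litellm_init.pth"             # file name named in the article
# site.py executes any .pth line that starts with "import" + space or tab.
EXEC_LINE = re.compile(r"^import[ \t]")
DIST_INFO = re.compile(r"^litellm-([^-]+)\.dist-info$", re.IGNORECASE)

def installed_litellm(site_dir):
    """Versions of litellm recorded in site_dir, read from dist-info names
    so that the package itself is never imported."""
    names = (p.name for p in Path(site_dir).glob("*.dist-info"))
    return sorted(m.group(1) for m in map(DIST_INFO.match, names) if m)

def scan_pth(site_dir):
    """(file, line_no, line) for each .pth line the interpreter would execute.
    Legitimate packages use such lines too, so every hit needs review."""
    hits = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        lines = pth.read_text(errors="replace").splitlines()
        hits += [(pth.name, n, l.strip())
                 for n, l in enumerate(lines, 1) if EXEC_LINE.match(l)]
    return hits

def audit(site_dir):
    versions = installed_litellm(site_dir)
    return {
        "affected_versions": [v for v in versions if v in BAD_VERSIONS],
        "named_pth_present": Path(site_dir, BAD_PTH).exists(),
        "executable_pth_lines": scan_pth(site_dir),
    }

def demo():
    """Constructed site-packages layout for illustration only."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "litellm-1.82.8.dist-info").mkdir()
        Path(d, "paths_only.pth").write_text("/opt/extra/lib\n# comment\n")
        Path(d, BAD_PTH).write_text("import os  # constructed stand-in line\n")
        return audit(d)

if __name__ == "__main__":
    dirs = sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]
    for d in filter(lambda p: Path(p).is_dir(), dirs):
        print(d, audit(d))
```

Run it as python -S with the site-packages path as an argument, so the scanning interpreter does not process .pth files at its own startup.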
TeamPCP’s Relentless Campaign and Bold Claims
This attack on LiteLLM is not an isolated incident but part of a broader, relentless supply chain attack campaign orchestrated by TeamPCP. The group has already targeted five major ecosystems: GitHub Actions, Docker Hub, npm, Open VSX, and PyPI, consistently expanding its footprint and control over critical developer infrastructure. As Endor Labs aptly noted, “each compromised environment yields credentials that unlock the next target,” highlighting a deliberate and escalating strategy from CI/CD runners to production Kubernetes clusters.
TeamPCP has openly claimed responsibility for these attacks, even posting a defiant message on their Telegram channel. They mocked the state of modern security research, stating, “These companies were built to protect your supply chains yet they can’t even protect their own, the state of modern security research is a joke.” They further boasted about “stealing terrabytes [sic] of trade secrets” and promised a “massive snowball effect,” vowing to partner with other teams to “perpetuate the chaos” and target “many of your favourite security tools and open-source projects in the months to come.”
Urgent Recommendations for Users
Given the severity and widespread nature of this campaign, users of LiteLLM and potentially affected systems are urged to take immediate action:
- Audit Environments: Scrutinize all environments for the presence of LiteLLM versions 1.82.7 or 1.82.8. If found, immediately revert to a clean, uncompromised version.
- Isolate Affected Hosts: Any host found running the malicious versions should be isolated from the network to prevent further lateral movement.
- Kubernetes Cluster Inspection: Check Kubernetes clusters for any rogue or unauthorized privileged pods.
- Network Log Review: Thoroughly review network logs for any egress traffic to the identified command-and-control domains: models.litellm[.]cloud and checkmarx[.]zone.
- Persistence Mechanism Removal: Identify and remove any installed persistence mechanisms, such as the sysmon.service.
- CI/CD Pipeline Audit: Review CI/CD pipelines, especially those utilizing tools like Trivy and KICS, for any signs of compromise during the relevant windows.
- Credential Rotation: Revoke and rotate all credentials that may have been exposed or harvested, including SSH keys, cloud credentials, and API tokens.
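The Kubernetes inspection step above, as an added example that is not part of the original article: it reads pod JSON (as printed by kubectl get pods -A -o json) and reports pods with a privileged container that are not on an allowlist. The sample data, the pod names and the EXPECTED allowlist are constructed assumptions.

```python
import json
import sys

# Constructed sample, shaped like the output of `kubectl get pods -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "kube-system", "name": "kube-proxy-x7k2p",
               "ownerReferences": [{"kind": "DaemonSet", "name": "kube-proxy"}]},
  "spec": {"nodeName": "node-a",
           "containers": [{"name": "kube-proxy",
                           "securityContext": {"privileged": true}}]}},
 {"metadata": {"namespace": "default", "name": "web-5d9c"},
  "spec": {"nodeName": "node-a", "containers": [{"name": "web"}]}},
 {"metadata": {"namespace": "default", "name": "example-unknown-pod"},
  "spec": {"nodeName": "node-b",
           "initContainers": [{"name": "setup",
                               "securityContext": {"privileged": true}}],
           "containers": [{"name": "main"}]}}
]}
""")

# Hypothetical allowlist: (namespace, owner kind, owner name) expected to be privileged.
EXPECTED = {("kube-system", "DaemonSet", "kube-proxy")}

def privileged_pods(pod_list, expected=EXPECTED):
    """Pods with a privileged container that are not on the allowlist."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        containers = [c for kind in ("containers", "initContainers", "ephemeralContainers")
                      for c in spec.get(kind) or []]
        priv = [c["name"] for c in containers
                if (c.get("securityContext") or {}).get("privileged") is True]
        if not priv:
            continue
        # A pod with no owning controller shows up as owner (None, None).
        owners = meta.get("ownerReferences") or [{}]
        owner = (owners[0].get("kind"), owners[0].get("name"))
        if (meta.get("namespace"), *owner) in expected:
            continue
        findings.append({"namespace": meta.get("namespace"), "pod": meta.get("name"),
                         "node": spec.get("nodeName"), "owner": owner,
                         "privileged_containers": priv})
    return findings

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in privileged_pods(data):
        print(finding)
```

Pipe live kubectl output into the script to check a real cluster; the node field makes a pattern of one unexpected privileged pod per node easy to spot.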
The ongoing campaign by TeamPCP serves as a stark reminder of the evolving threats in the software supply chain. Vigilance and proactive security measures are paramount to safeguarding digital infrastructure against such sophisticated adversaries.