LiteLLM PyPI packages compromised in expanding TeamPCP supply chain attacks

A slew of supply chain attacks against popular open source tools and packages appears to have been orchestrated by TeamPCP, a cybercriminal group that rose to prominence in late 2025.

The latest victim of the group is BerryAI’s popular LiteLLM library, a unified interface that makes it easier for apps to switch between various LLMs: on March 24, TeamPCP uploaded two compromised versions (1.82.7 and 1.82.8) on PyPI that included a credential stealer and a malware dropper.

Callum McMahon, a research scientist at FutureSearch, was the first to raise the alarm, after he loaded the malicious payload and it caused havoc on his local machine.

“Because LiteLLM typically sits directly between applications and multiple AI service providers, it often has access to API keys, environment variables, and other sensitive configuration data. Compromising a package in this position allows attackers to intercept and exfiltrate valuable secrets without needing to directly breach upstream systems,” Sonatype researchers noted.

“Given the package’s place in the AI stack, cybercriminals are looking to take advantage of enterprises leveraging open source to rapidly develop and deploy AI applications. The design of the malware suggests a broad targeting strategy aimed at developers, cloud environments, and modern application infrastructure.”

The malicious LiteLLM versions have since been removed from PyPI.

Sonatype advises organizations that installed or executed them to identify and remove the malicious package from affected systems, rotate all potentially exposed credentials (SSH keys, cloud tokens, CI/CD secrets, crypto wallets, etc.), and conduct a thorough investigation to unearth persistence mechanisms and additional payloads dropped during the compromise.

“In many cases, rebuilding affected systems from a known clean state may be the safest course of action,” they added.

A series of supply chain attacks

The compromise of LiteLLM on PyPI was subsequently tied to a compromised maintainer account and malicious workflows pushed by the attackers.

The attack followed the same playbook that TeamPCP used to compromise Aqua’s Trivy security scanner and related GitHub Actions (automated tasks) on March 19, and CheckMarx’s VS Code extensions/plugins and GitHub Actions on March 23.

Both companies have outlined actions that affected organizations should take and Aqua has confirmed that the compromise happened due to an incomplete containment/remediation of an earlier supply chain attack.

“Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack,” the company explained.

Finally, TeamPCP is also believed to have compromised a number of NPM packages, which were equipped with a Python backdoor that downloads and executes “whatever it’s told to”, and a self-propagation tool (worm) for spreading the backdoor further to other NPM packages.

And, according to Aikido researchers, they also deployed a Kubernetes node or local machine wiper when the target is (geo)located in Iran.

Rami McCarthy, Principal Security Researcher at Wiz, has compiled a timeline of the attacks, which is likely to expand in the coming days.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!