LiteLLM PyPI packages hijacked in TeamPCP supply chain attacks

Summary
– The cybercriminal group TeamPCP compromised the popular LiteLLM library by uploading malicious versions to the PyPI package repository on March 24.
– The malware targeted the library’s sensitive position in the AI stack to steal credentials like API keys from developers and cloud environments.
– This attack followed the same pattern as TeamPCP’s earlier compromises of the Trivy scanner and Checkmarx extensions in March.
– An earlier attack on Aqua was successful because credential rotation was not performed simultaneously, allowing the attacker to retain access.
– The group also compromised NPM packages with a backdoor and a self-propagating worm, and deployed a wiper targeting systems in Iran.

A coordinated series of software supply chain attacks has targeted several prominent open-source projects, with the cybercriminal group known as TeamPCP identified as the likely perpetrator. The group’s latest operation compromised the widely used LiteLLM library, a tool developed by BerriAI that provides a unified interface for applications to interact with various large language models. On March 24, attackers uploaded two malicious versions, 1.82.7 and 1.82.8, to the Python Package Index (PyPI). These packages contained a credential stealer and a malware dropper, posing a severe risk to any developer or system that installed them.
Research scientist Callum McMahon from FutureSearch first identified the issue after the payload caused significant disruption on his local machine. Security analysts at Sonatype highlighted the critical danger, noting that LiteLLM’s position in the AI application stack often grants it access to sensitive configuration data like API keys and environment variables. A compromise at this level allows attackers to intercept valuable secrets without needing to breach the upstream AI service providers directly. The malware’s design indicates a broad targeting strategy aimed at developers, cloud infrastructure, and modern application environments. The tainted packages have now been removed from PyPI.
In response, Sonatype recommends that any organization that installed these versions take immediate action. Steps include identifying and removing the malicious package, rotating all potentially exposed credentials such as SSH keys, cloud tokens, and CI/CD secrets, and conducting a thorough investigation for any persistence mechanisms or additional payloads. In many scenarios, the safest remediation path may be to rebuild affected systems from a known clean state.
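
For the first of those steps, identifying the affected releases, the check below is an added example and not code from Sonatype or the LiteLLM project. It flags exact pins of litellm 1.82.7 and 1.82.8 in requirements-style and poetry/uv-style lock files passed as arguments, and in the current interpreter's environment; the file formats handled and all function names are assumptions of this example.

```python
"""Flag the LiteLLM releases named in the article (1.82.7 and 1.82.8)."""
import re
import sys
from importlib import metadata
from pathlib import Path

PACKAGE = "litellm"
BAD_VERSIONS = {"1.82.7", "1.82.8"}  # the two versions named in the article

# requirements.txt / pip freeze style: LiteLLM[proxy]==1.82.7 ; marker \
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*===?\s*([0-9][^\s;#\\]*)")
# poetry.lock / uv.lock style: name = "litellm" followed by version = "1.82.7"
LOCK_RE = re.compile(r'name\s*=\s*"([^"]+)"\s*\n\s*version\s*=\s*"([^"]+)"')


def normalize(name):
    """PEP 503 name normalization, so LiteLLM and litellm compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_text(text):
    """Return the sorted affected versions pinned in a manifest or lock file."""
    pins = [m.groups() for m in map(PIN_RE.match, text.splitlines()) if m]
    pins += LOCK_RE.findall(text)
    return sorted({version for name, version in pins
                   if normalize(name) == PACKAGE and version in BAD_VERSIONS})


def installed_version():
    """Return the affected version installed for this interpreter, else None."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return version if version in BAD_VERSIONS else None


if __name__ == "__main__":
    found = installed_version()
    hits = [f"{sys.prefix}: {PACKAGE} {found} is installed"] if found else []
    for path in map(Path, sys.argv[1:]):
        for version in scan_text(path.read_text(errors="replace")):
            hits.append(f"{path}: pins {PACKAGE}=={version}")
    print("\n".join(hits) or "no affected litellm versions found")
    sys.exit(1 if hits else 0)  # non-zero exit lets a CI job fail on a hit
```

Range specifiers such as `litellm>=1.82` are not flagged because they do not say which release was resolved; run the check against lock files or `pip freeze` output from each environment and build image.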
This incident is part of a broader campaign. The LiteLLM compromise was linked to a hijacked maintainer account and malicious workflows pushed by the attackers, following an identical pattern to earlier attacks. On March 19, TeamPCP compromised Aqua’s Trivy security scanner and related GitHub Actions. On March 23, they targeted Checkmarx’s VS Code extensions and plugins. Aqua confirmed that the March 19 attack was possible due to an incomplete remediation of a prior incident; although credentials were rotated after an initial disclosure on March 1, the process was not atomic, allowing attackers to potentially exfiltrate newly rotated secrets during the rotation window.
The group’s activities extend beyond Python. They are also believed to have compromised several NPM packages, equipping them with a Python backdoor capable of downloading and executing arbitrary commands, alongside a self-propagating worm to spread the backdoor further. According to researchers at Aikido, the malware also includes a Kubernetes node wiper designed to activate if the target is geolocated in Iran. Security researcher Rami McCarthy of Wiz has compiled a timeline of these interconnected attacks, which experts anticipate may continue to grow in scope.
(Source: Help Net Security)




