TeamPCP has compromised the popular Python package litellm, publishing backdoored versions 1.82.7 and 1.82.8 on PyPI that include a credential harvester, a Kubernetes lateral-movement toolkit, and a persistent systemd backdoor. The malicious code executes automatically via an import-time injection and a .pth autorun, exfiltrates harvested data to models.litellm[.]cloud as “tpcp.tar.gz”, and is part of a wider supply-chain campaign affecting Trivy, KICS, GitHub Actions, Docker Hub, npm, and Open VSX.
Key points
- Two malicious litellm versions (1.82.7 and 1.82.8) were published to PyPI on March 24, 2026 after a likely Trivy CI compromise.
- The payload is three-stage: credential harvesting, Kubernetes lateral movement deploying privileged pods, and a persistent systemd backdoor (sysmon.service).
- Version 1.82.7 triggers on module import while 1.82.8 adds a .pth autorun that executes on every Python startup and spawns a detached child process.
- Harvested data is bundled as “tpcp.tar.gz” and exfiltrated to models.litellm[.]cloud; the backdoor polls checkmarx[.]zone for next-stage payloads and respects a youtube[.]com kill switch.
- Recommended actions: audit for affected versions, isolate hosts, remove persistence, check Kubernetes for rogue pods, review egress to indicators, and revoke and rotate exposed credentials.
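The audit step recommended above can be scripted. The following is an added example, not code from the original article or from the litellm project: it checks site-packages for the two affected versions, lists .pth lines the interpreter would execute at startup, and looks for a sysmon.service unit. The systemd directories searched are an assumption, since the page does not say where the unit is installed.

```python
"""Added example: audit a Python environment for the indicators named on this page."""
import re
import site
from pathlib import Path

AFFECTED = {"1.82.7", "1.82.8"}   # backdoored litellm versions named on this page
UNIT_NAME = "sysmon.service"      # persistence unit named on this page
# Assumption: common systemd unit locations; the page does not give the path.
UNIT_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system",
             str(Path.home() / ".config/systemd/user")]

def affected_litellm(site_dir):
    """Return affected litellm versions recorded in *.dist-info/METADATA."""
    hits = []
    for meta in Path(site_dir).glob("litellm-*.dist-info/METADATA"):
        match = re.search(r"^Version:\s*(\S+)",
                          meta.read_text(errors="replace"), re.MULTILINE)
        if match and match.group(1) in AFFECTED:
            hits.append(match.group(1))
    return sorted(hits)

def executable_pth_lines(site_dir):
    """Return (file, line) pairs for .pth lines that run at interpreter startup.

    site.py executes any .pth line that starts with 'import' followed by a
    space or tab; every other line is only treated as a path entry.
    """
    found = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):
                found.append((pth.name, line.strip()))
    return found

def persistence_units(unit_dirs=UNIT_DIRS):
    """Return the paths of any sysmon.service unit files that exist."""
    return [str(Path(d) / UNIT_NAME) for d in unit_dirs
            if (Path(d) / UNIT_NAME).exists()]

def audit(site_dirs):
    """Collect all three checks into one report dictionary."""
    report = {"affected_versions": [], "pth_exec_lines": [],
              "units": persistence_units()}
    for directory in site_dirs:
        report["affected_versions"] += affected_litellm(directory)
        report["pth_exec_lines"] += executable_pth_lines(directory)
    return report

if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for key, value in audit(dirs).items():
        print(f"{key}: {value}")
```

Legitimate packages also ship .pth files containing import lines, so each hit is a lead for review rather than a verdict.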
Read More: https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html