LiteLLM compromised on PyPI: Tracing the March 2026 TeamPCP supply chain campaign

On March 24, 2026, legitimate LiteLLM PyPI releases 1.82.7 and 1.82.8 were compromised and distributed malicious payloads that collected credentials, installed persistence, and exfiltrated data. Datadog links the LiteLLM incident to a five-day TeamPCP supply-chain campaign that began with the Trivy compromise and spread through npm, Checkmarx, and other ecosystems; treat any host or CI that installed these versions as a full-credential exposure. #LiteLLM #TeamPCP

Keypoints

  • Two real LiteLLM PyPI releases (1.82.7 and 1.82.8) were backdoored on March 24, 2026 and later quarantined by PyPI.
  • Datadog attributes the LiteLLM compromise to a multi-stage TeamPCP supply-chain campaign that began with a malicious Trivy release on March 19 and moved through npm and Checkmarx artifacts.
  • The malicious LiteLLM payload collected a wide range of secrets (env vars, SSH keys, cloud creds, Kubernetes tokens), encrypted them with AES-256 + RSA-4096, and exfiltrated them to attacker-controlled endpoints (e.g., models.litellm[.]cloud).
  • Version 1.82.7 had injected code inside litellm/proxy/proxy_server.py (executes when imported); 1.82.8 included a malicious litellm_init.pth that executes automatically at Python interpreter startup.
  • The payload installed persistence (user systemd unit sysmon.service and ~/.config/sysmon/sysmon.py), polled follow-on C2 (checkmarx[.]zone/raw), and could create privileged node-setup-* pods or DaemonSets to spread or destroy Kubernetes hosts.
  • Response guidance: treat installs as full-credential exposures, scope hosts/CI/workloads, rotate reachable credentials, hunt for persistence and outbound connections, remove compromised versions, and rebuild from known-good images.

MITRE Techniques

  • [T1195] Supply Chain Compromise – Compromised legitimate projects and published malicious releases across registries and vendor tooling. [‘…a compromise of the real litellm project on PyPI…’]
  • [T1003] Credential Dumping – Malicious workflows and payloads dumped Runner.Worker memory and scraped common credential locations to harvest tokens, keys, and secrets. [‘…dumped Runner.Worker memory, scraped common credential locations…’]
  • [T1027] Obfuscated Files or Information – Attackers embedded base64-encoded payloads inside package source files to hide malicious logic. [‘…Malicious base64-encoded payload injected into proxy_server.py…’]
  • [T1546] Event Triggered Execution – The adversary used a Python .pth startup hook to execute code automatically at interpreter startup. [‘…includes a new litellm_init.pth file inside the wheel…executable lines in .pth files run during interpreter startup.’]
  • [T1543.003] Create or Modify System Process: Systemd Service – The payload installed a user systemd unit named sysmon.service to maintain persistence. [‘…installs a user systemd unit called sysmon.service.’]
  • [T1071.001] Application Layer Protocol: Web Protocols – Malware polled and exfiltrated data over HTTP(S) to attacker-controlled domains and endpoints. [‘…the data is then sent to models.litellm[.]cloud using the header X-Filename: tpcp.tar.gz.’ ‘…polls https://checkmarx[.]zone/raw…’]
  • [T1567] Exfiltration Over Web Service – Encrypted archives of harvested secrets were sent to attacker web endpoints and, as a fallback, uploaded to public repos. [‘…exfiltrated the data to scan.aquasecurtiy[.]org…uploaded the stolen data there instead.’]
  • [T1485] Data Destruction – On targets identified as Iranian the campaign deployed a kamikaze container that deleted the host filesystem and force-rebooted nodes. [‘…ran a container named kamikaze that deleted the host filesystem and force-rebooted the node.’]

Indicators of Compromise

  • [Domain] Exfiltration and C2 endpoints – models.litellm[.]cloud, checkmarx[.]zone/raw, and several related domains and Cloudflare tunnel subdomains (e.g., *.trycloudflare[.]com, aquasecurtiy[.]org).
  • [Package / Version] Compromised releases and affected packages – litellm==1.82.7, litellm==1.82.8 (confirmed compromised); Trivy v0.69.4 and many npm packages were also abused in the campaign.
  • [File / Path] Persistence and staged payload artifacts – litellm_init.pth, ~/.config/sysmon/sysmon.py, ~/.config/systemd/user/sysmon.service, /tmp/pglog, /tmp/.pg_state.
  • [HTTP Header] Exfiltration marker – X-Filename: tpcp.tar.gz observed in exfiltration to attacker-controlled endpoints.
  • [Container / Pod names] Kubernetes indicators – node-setup-* privileged pod naming pattern, container names kamikaze and provisioner (used for destructive or backdoor paths).
  • [GitHub / Repo/Tag] Repository and tag manipulation – tpcp-docs public repo used as a fallback exfiltration store; aquasecurity/trivy-action tags and other GitHub tags were force-pushed to malicious commits.
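
A host triage sketch for the file and version indicators listed above, added here as an example; it is not code from Datadog or the LiteLLM project. The function names and output labels are assumptions, and the installed version is read from the wheel's dist-info directory name. Any other .pth file with executable lines is flagged for review only, because legitimate packages use the same mechanism.

```python
import site
import sys
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # compromised releases named on this page
HOME_IOCS = (".config/sysmon/sysmon.py", ".config/systemd/user/sysmon.service")
TMP_IOCS = ("pglog", ".pg_state")


def exec_lines(pth: Path) -> list[str]:
    """Lines site.py exec()s at startup: those beginning 'import ' or 'import<TAB>'."""
    lines = pth.read_text(errors="replace").splitlines()
    return [ln for ln in lines if ln.startswith(("import ", "import\t"))]


def triage(site_dirs, home: Path, tmp: Path) -> list[str]:
    """Return findings as 'kind:path' strings; an empty list means no listed indicator."""
    found = []
    for d in (Path(p) for p in site_dirs):
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            if pth.name == "litellm_init.pth":
                found.append(f"ioc-pth:{pth}")
            elif exec_lines(pth):
                found.append(f"review-pth:{pth}")  # not an IoC by itself
        # Wheel installs leave '<name>-<version>.dist-info'; take the version from it.
        for info in sorted(d.glob("litellm-*.dist-info")):
            version = info.name[len("litellm-"):-len(".dist-info")]
            if version in BAD_VERSIONS:
                found.append(f"bad-version:{info}")
    # Persistence and staging files survive a 'pip uninstall', so check them regardless.
    found += [f"persistence:{home / rel}" for rel in HOME_IOCS if (home / rel).exists()]
    found += [f"staging:{tmp / name}" for name in TMP_IOCS if (tmp / name).exists()]
    return found


if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    hits = triage(dirs, Path.home(), Path("/tmp"))
    print("\n".join(hits) or "no listed indicators found")
    sys.exit(1 if hits else 0)
```

Run it once per interpreter or virtual environment and per user account, since site-packages and home directories differ; a clean result does not remove the need to rotate credentials on a host that installed either version.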


Read more: https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/