An AI gateway designed to steal your data

In March 2026 attackers trojanized the popular Python library LiteLLM by uploading malicious versions to PyPI (and trojanized Checkmarx extensions to OpenVSX) that executed Base64-encoded payloads to collect secrets and deploy further stages. The malware harvested local files and cloud runtime credentials (including AWS IMDS), sought crypto wallets, established persistence locally and in Kubernetes, and exfiltrated encrypted archives to a remote C2. #LiteLLM #Checkmarx

Keypoints

  • Attackers uploaded trojanized LiteLLM packages (litellm==1.82.7 and litellm==1.82.8) to PyPI and added a .pth-based persistence vector in version 1.82.8.
  • Malicious code used Base64-encoded Python payloads that wrote and executed p.py, launched an in-memory main payload, and wrote encrypted output and keys to disk for exfiltration.
  • The payload performed recursive file-system scans to collect SSH keys, .env files, Git accounts, AWS/Kubernetes/database/WireGuard configurations, TLS keys/certificates, and crypto wallet data.
  • The malware attempted to access cloud runtime credentials via IMDS and ECS metadata endpoints (169.254.169.254 and 169.254.170.2) to steal temporary AWS credentials.
  • For Kubernetes targets it attempted privilege escalation by creating privileged pods with hostPath mounts and deployed a sysmon.py service via systemd to maintain persistence on nodes.
  • Trojanized Checkmarx/OpenVSX extensions delivered a NodeJS variant (checkmarx-util) that implemented local persistence with a narrower target scope, extending the compromise to development environments.

MITRE Techniques

  • [T1195] Supply Chain Compromise – Compromised package distribution to deliver malicious library versions (‘malicious LiteLLM versions litellm==1.82.7 and litellm==1.82.8 were uploaded to the registry’)
  • [T1059.006] Command and Scripting Interpreter: Python – Used Base64-encoded Python scripts (p.py and payloads) executed in-memory and on import (‘the infected script saved this code alongside itself as a p.py file and immediately executed it’)
  • [T1547] Boot or Logon Autostart Execution – Achieved auto-execution via a .pth file so code ran every time the Python interpreter started (‘a .pth file was added that was able to execute the code every time the interpreter started’)
  • [T1543.003] Create or Modify Systemd Service – Registered and ran sysmon.py as a systemd service for persistence on Linux/Kubernetes nodes (‘registers it via systemd’ / ‘is also registered as a service via systemd’)
  • [T1005] Data from Local System – Performed recursive directory scans and read file contents to collect sensitive configuration files and keys (‘a recursive scan of the working directories … In each directory, the script scanned the contents of files’)
  • [T1082] System Information Discovery – Collected system information and recorded it for exfiltration (‘the script collected system information and also saved it to the file’)
  • [T1560] Archive Collected Data – Encrypted output and key were combined into a tpcp.tar.gz archive prior to exfiltration (‘The encrypted key and the output were combined into a tpcp.tar.gz archive and sent to the attackers’ remote server’)
  • [T1041] Exfiltration Over C2 Channel – Sent encrypted archives and polled a C2 domain for payloads (checkmarx[.]zone) to retrieve additional stages (‘sent to the attackers’ remote server’ / ‘periodically contacting the C2 node checkmarx[.]zone/raw’)
  • [T1611] Escape to Host (Container Escape) – Attempted to escape containers by creating privileged pods and mounting the node root via hostPath to operate at node level (‘it configures a privileged pod … and mounts the node’s root filesystem via hostPath. This allows it to escape the container and perform actions at the node level’)
  • [T1036.005] Masquerading – Disguised a payload as a legitimate system component (sysmon.py) to blend in with normal system files (‘saves a Base64-encoded script disguised as a legitimate system component to the Kubernetes node’s disk at the path /root/.config/sysmon/sysmon.py’)
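The .pth persistence vector described above (litellm_init.pth, T1547) works because the interpreter's site module executes any .pth line beginning with "import" at startup. The following audit script, added here as an example and not code from the Securelist write-up or from LiteLLM, lists executable .pth lines in the interpreter's site directories and flags those calling decoders, exec or network APIs; the two sample .pth contents are constructed, and the suspicious sample contains only a placeholder, not a real payload.

```python
import re
import site
from pathlib import Path

# site.py executes any .pth line that starts with "import " or "import\t";
# every other non-comment line is merely appended to sys.path as a directory.
EXEC_LINE = re.compile(r"^import[ \t]")
# Calls a legitimate startup path hook has no reason to make.
SUSPICIOUS = re.compile(r"base64|b64decode|exec\(|eval\(|compile\(|subprocess|urlopen|socket")

def audit_pth_text(name, text):
    """Return (file, line_no, reason, snippet) for each executable .pth line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not EXEC_LINE.match(line):
            continue  # plain path entries and comments cannot run code
        reason = "executable-line"
        if SUSPICIOUS.search(line):
            reason = "executable-line+suspicious-call"
        findings.append((name, line_no, reason, line[:120]))
    return findings

def audit_site_packages(dirs=None):
    """Scan every *.pth in the given (or the interpreter's own) site directories."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            try:
                findings.extend(audit_pth_text(str(pth), pth.read_text(errors="replace")))
            except OSError:
                continue  # unreadable file: skip, do not abort the audit
    return findings

# Constructed samples (not taken from the real package): a normal path-only
# .pth, and one whose single line has the shape of a startup hook that
# decodes and executes an embedded blob. The placeholder is not valid base64.
BENIGN_PTH = "/usr/lib/python3/dist-packages\n# comment line\n"
SUSPECT_PTH = "import base64,sys;exec(base64.b64decode('<constructed-placeholder>'))\n"

if __name__ == "__main__":
    for finding in audit_site_packages():
        print(finding)
```

Executable .pth lines are not automatically malicious (setuptools ships one, for example), so treat "executable-line" as a review queue and "executable-line+suspicious-call" as the alert condition.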

Indicators of Compromise

  • [Domain] C2 and malicious hosting – checkmarx[.]zone, models[.]litellm[.]cloud
  • [Package names] Trojanized PyPI/OpenVSX packages and extensions – litellm==1.82.7, litellm==1.82.8 (also ast-results 2.53.0 and cx-dev-assist 1.7.0 as trojanized OpenVSX extensions)
  • [File hashes] Known malicious artifact hashes – 85ED77A21B88CAE7…D080FCCC8E3A03896F45726203074AE225D (infected package), F5560871F6002982…5E45E74 (malicious script)
  • [File paths / filenames] Persistence and payload files – /root/.config/sysmon/sysmon.py, ~/.config/sysmon/sysmon.py, litellm_init.pth, proxy_server.py, p.py, tpcp.tar.gz
  • [URLs] Hosted payload/resource locations – checkmarx[.]zone/static/checkmarx-util-1.0.4.tgz (NodeJS payload download)
  • [IP addresses] Cloud metadata endpoints targeted for runtime credentials – 169.254.169.254 (AWS IMDS), 169.254.170.2 (Amazon ECS credentials)


Read more: https://securelist.com/litellm-supply-chain-attack/119257/