Supply Chain Attack Inserts Backdoor into LiteLLM v1.82.7‑1.82.8, Exposing Millions of Developers to Credential Theft
What Happened — Threat actor TeamPCP compromised two releases of the popular Python library LiteLLM (versions 1.82.7 and 1.82.8) on PyPI. Malicious code was injected during the wheel‑build process, creating a multi‑stage payload that harvests SSH keys, cloud tokens, Kubernetes secrets, wallets and .env files, spreads via privileged pods, and installs a persistent systemd backdoor.
Why It Matters for TPRM —
- Supply‑chain compromise of a widely‑used open‑source component can cascade to any downstream vendor that bundles LiteLLM.
- Credential‑stealing payload gives attackers footholds in cloud and Kubernetes environments, raising the risk of data exfiltration and service disruption for third‑party customers.
Who Is Affected — SaaS platforms, cloud‑native services, AI/ML tooling vendors, and any organization that integrates LiteLLM into production pipelines (across finance, healthcare, retail, etc.).
Recommended Actions —
- Immediately audit all environments for LiteLLM v1.82.7‑1.82.8 and downgrade to v1.82.6 or upgrade to a later patched release.
- Verify integrity of CI/CD pipelines (especially Trivy scans) and enforce signed package verification.
- Rotate any credentials that may have been exposed (SSH keys, cloud tokens, Kubernetes secrets, wallets).
Technical Notes — Attack vector: malicious injection via third‑party dependency (PyPI). No CVE was disclosed; the malicious code resides in litellm/proxy/proxy_server.py (12 lines) and a .pth file in v1.82.8 that triggers on any Python interpreter start. Payload uses subprocess calls to avoid detection, encrypts stolen data before exfiltration, and establishes a systemd service for persistence.
Source: Security Affairs
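One way to carry out the audit step and review the .pth startup hook described in the Technical Notes. This is an added example, not code from the advisory or from the LiteLLM project; the function names are hypothetical, and it assumes the standard CPython rule that a .pth line beginning with `import` is executed when the interpreter starts.

```python
"""Added audit example: flag the LiteLLM releases named above and list .pth code hooks."""
import site
import sys
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # the two releases named in this advisory


def compromised_litellm(site_dir):
    """Return versions of litellm installed under site_dir that are in BAD_VERSIONS."""
    hits = []
    for dist in metadata.distributions(path=[str(site_dir)]):
        try:
            name = (dist.metadata.get("Name") or "").lower()
            version = dist.version
        except Exception:  # missing or unreadable METADATA: skip this entry
            continue
        if name == "litellm" and version in BAD_VERSIONS:
            hits.append(version)
    return sorted(hits)


def pth_import_lines(site_dir):
    """Return (filename, line) for .pth lines that site.py executes as code."""
    found = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):
                found.append((pth.name, line.strip()))
    return found


def audit(site_dirs):
    """Audit each existing directory; return {dir: {"litellm": [...], "pth": [...]}}."""
    report = {}
    for d in site_dirs:
        if Path(d).is_dir():
            report[str(d)] = {"litellm": compromised_litellm(d), "pth": pth_import_lines(d)}
    return report


if __name__ == "__main__":
    # Directories may be passed as arguments; default is this interpreter's site dirs.
    dirs = sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]
    report = audit(dirs)
    for d, r in report.items():
        print(d, "COMPROMISED litellm " + ",".join(r["litellm"]) if r["litellm"] else "ok")
        for name, line in r["pth"]:
            print(f"  review {name}: {line[:100]}")
    sys.exit(1 if any(r["litellm"] for r in report.values()) else 0)
```

Legitimate packages also ship .pth files with `import` lines, so the .pth listing is a review queue and not a verdict. Run the script with each interpreter or virtual environment in scope, or pass site-packages directories as arguments.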