Backdoored LiteLLM PyPI Package Exposes Credentials and Cloud Tokens for Hundreds of Thousands of Users
What Happened — The TeamPCP hacking group compromised the popular open‑source LiteLLM Python package on PyPI, publishing malicious versions (1.82.7 and 1.82.8) that execute a hidden payload when imported. The payload harvests SSH keys, cloud tokens, Kubernetes secrets, crypto wallets and .env files, then attempts lateral movement across Kubernetes clusters and installs a persistent systemd backdoor.
Why It Matters for TPRM —
- A supply‑chain compromise of a widely‑used library can cascade to any downstream vendor or service that depends on it.
- Stolen credentials give threat actors footholds in cloud environments, increasing the risk of data exfiltration and ransomware.
- The incident demonstrates the need for rigorous third‑party code‑signing and provenance checks.
Who Is Affected — Cloud‑native SaaS providers, AI/ML platform integrators, DevOps tooling vendors, and any organization that incorporates LiteLLM into production workloads (technology, finance, healthcare, etc.).
Recommended Actions —
- Identify all internal projects that have installed LiteLLM 1.82.7/1.82.8 or any version released after March 24, 2026.
- Immediately remove the compromised packages and replace them with a clean, verified version.
- Rotate all harvested credentials (SSH keys, cloud API tokens, Kubernetes secrets, crypto wallets).
- Enforce strict SBOM and provenance validation for all third‑party Python dependencies.
Technical Notes — Attack vector: malicious PyPI upload (third‑party dependency). No public CVE; the malicious code resides in litellm/proxy/proxy_server.py and a .pth file that auto‑executes on interpreter start. Data types stolen include authentication tokens, SSH keys, Kubernetes secrets, crypto wallet files, and environment configuration files. Source: BleepingComputer
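One way to carry out the identification step and check for the .pth auto-execution mechanism described above. This is an added example, not code from the source report or the LiteLLM project. It flags only the two versions named here and lists other LiteLLM installs for manual comparison against the release date; the function names and report keys are assumptions of this sketch.

```python
import site
import sys
from pathlib import Path

# Versions named in this brief as malicious.
COMPROMISED = {"1.82.7", "1.82.8"}


def installed_litellm(site_dir):
    """Return [(dist-info path, version)] for every litellm install in site_dir."""
    found = []
    for meta in Path(site_dir).glob("litellm-*.dist-info/METADATA"):
        version = ""
        for line in meta.read_text(errors="replace").splitlines():
            if line.lower().startswith("version:"):
                version = line.split(":", 1)[1].strip()
                break
        found.append((str(meta.parent), version))
    return found


def executable_pth_lines(site_dir):
    """Return [(pth file, line)] for .pth lines the interpreter runs at startup."""
    # site.py executes .pth lines that begin with "import" plus a space or tab.
    hits = []
    for pth in Path(site_dir).glob("*.pth"):
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):
                hits.append((str(pth), line.strip()[:200]))
    return hits


def audit(site_dirs):
    """Summarise compromised installs and startup-executed .pth lines."""
    report = {"compromised": [], "other_litellm": [], "pth_exec": []}
    for d in site_dirs:
        for path, version in installed_litellm(d):
            key = "compromised" if version in COMPROMISED else "other_litellm"
            report[key].append((path, version))
        report["pth_exec"].extend(executable_pth_lines(d))
    return report


if __name__ == "__main__":
    dirs = sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]
    result = audit(dirs)
    for key, rows in result.items():
        for row in rows:
            print(key, *row, sep="\t")
```

Legitimate packages also ship .pth files with import lines, so entries under pth_exec are leads to review rather than verdicts. Run it with the interpreter of each environment, or pass site-packages paths as arguments.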