Supply Chain Attack: TeamPCP Inserts Backdoors into litellm Python Package Versions 1.82.7‑1.82.8
What Happened – Threat actor TeamPCP compromised the open‑source litellm Python library, publishing malicious versions 1.82.7 and 1.82.8. The packages contain a credential harvester, a Kubernetes lateral‑movement toolkit, and a persistent backdoor, likely introduced via a compromised Trivy CI/CD pipeline.
Why It Matters for TPRM –
- Supply‑chain compromise can affect any downstream vendor that integrates litellm into their products or services.
- Malicious code can exfiltrate cloud credentials, enabling further attacks on your own environment.
- The incident demonstrates the risk of trusting third‑party package registries without additional integrity checks.
Who Is Affected – SaaS developers, AI/ML platform providers, cloud‑native tooling vendors, and any organization that consumes litellm as a dependency (across finance, healthcare, technology, and other sectors).
Recommended Actions –
- Identify all internal projects that depend on litellm and verify the exact version in use.
- Immediately block the malicious versions or roll back to a known‑good version (≤ 1.82.6), and re‑sign binaries where possible.
- Enforce strict SBOM checks and provenance verification for all third‑party packages.
- Review CI/CD pipeline security, especially for tools like Trivy that could be a vector for future compromises.
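One way to carry out the first two actions, shown as an added example (not code from the advisory or from the litellm project): it scans requirements and lock files for litellm references and reads the installed version from package metadata instead of importing the package, since the payload runs on import. The file-name patterns, the function names and the "unverified" label for versions the advisory does not mention are assumptions of this example.

```python
import re
from importlib import metadata
from pathlib import Path

BAD = {"1.82.7", "1.82.8"}   # malicious versions named in this advisory
LAST_GOOD = (1, 82, 6)       # the advisory's known-good ceiling

# requirements-style line: litellm, optional extras, optional version specifier
REQ = re.compile(r"^[ \t]*litellm(?![\w.-])(?:\[[^\]]*\])?[ \t]*"
                 r"(?:(==|~=|>=|<=|!=|>|<)[ \t]*([\w.*]+))?", re.I | re.M)
# poetry.lock / uv.lock entry: name = "litellm" followed by version = "..."
LOCK = re.compile(r'name\s*=\s*"litellm"\s*\n\s*version\s*=\s*"([^"]+)"', re.I)

def classify(version, pinned=True):
    """Return 'malicious', 'known-good', 'unverified' or 'unpinned'."""
    if not pinned or version is None or "*" in version:
        return "unpinned"      # a resolver could still select a bad release
    if version in BAD:
        return "malicious"
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    return "known-good" if nums <= LAST_GOOD else "unverified"

def findings_in_text(text, lock=False):
    """List (version, verdict) for each litellm reference in one file's text."""
    if lock:
        return [(v, classify(v)) for v in LOCK.findall(text)]
    return [(m.group(2), classify(m.group(2), m.group(1) == "=="))
            for m in REQ.finditer(text)]

def scan_tree(root):
    """Scan dependency files under root; returns [(path, version, verdict)]."""
    hits = []
    for pattern, lock in (("requirements*.txt", False),
                          ("poetry.lock", True), ("uv.lock", True)):
        for path in Path(root).rglob(pattern):
            text = path.read_text(errors="replace")
            hits += [(str(path), v, r) for v, r in findings_in_text(text, lock)]
    return hits

def installed_verdict():
    """Check the active environment via metadata, never `import litellm`."""
    try:
        ver = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None
    return ver, classify(ver)

if __name__ == "__main__":
    for hit in scan_tree("."):
        print(*hit)
    print("installed:", installed_verdict())
```

Treat "unpinned" results as findings too: a range such as `litellm>=1.80` could have resolved to 1.82.7 or 1.82.8 at install time, so check the environment it was installed into.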
Technical Notes – The malicious payload is delivered as a standard Python wheel, executing a credential‑harvesting script on import and installing a Kubernetes‑focused lateral‑movement module that can persist via a backdoor service. No public CVE has been assigned; the attack leverages a supply‑chain dependency injection rather than a software vulnerability.
Source: The Hacker News