LiteLLM PyPI backdoored as TeamPCP cascade reaches Python
TeamPCP used credentials harvested from the Trivy compromise to publish trojanised litellm 1.82.7 and 1.82.8 to PyPI on 24 March 2026 (~10:39 and 10:52 UTC). Malicious wheels drop a litellm_init.pth file in site-packages, executing a credential stealer at every Python interpreter start. PyPI quarantined the packages ~40 minutes after publication. Attackers later claimed ~500,000 credentials from this single compromise. LiteLLM averages ~3M daily downloads and ships in ~36% of cloud environments.
- Threat actor
- TeamPCP
- Detected by
- PyPI Security · JFrog · Microsoft Threat Intelligence
- Also known as
- TeamPCP LiteLLM cascade
- Ecosystems
- PyPI
- Packages tracked
- 1
What happened
On 2026-03-24 at approximately 10:39 UTC and 10:52 UTC, TeamPCP published trojanised litellm versions 1.82.7 and 1.82.8 to PyPI. Access was obtained using a BerriAI maintainer token harvested from the upstream Trivy compromise on 2026-03-19. PyPI quarantined the releases roughly 40 minutes after the first publication, but litellm averages ~3M daily downloads and is present in an estimated ~36% of cloud environments running LLM workloads, so the practical exposure is large.
Persistence trick
The malicious wheels include a litellm_init.pth file alongside the legitimate code. Python's site module executes .pth files at every interpreter start, so the stealer runs whenever any Python script on the host starts — not only on import litellm. The implant also writes a sysmon.service user systemd unit, drops binaries at /tmp/pglog, and stages payloads in ~/.config/sysmon/.
Capabilities
- Harvests environment variables, SSH keys,
~/.aws/,~/.config/gcloud/, Azure CLI tokens, kubeconfigs, and discovered DB password files. - On detected Kubernetes hosts, deploys privileged pods named
node-setup-*inkube-systemfor cluster-wide lateral movement. - Exfiltrates to
models.litellm.cloud(a typosquat of the legitimatelitellm.ai) withcheckmarx.zoneas fallback.
Scale
TeamPCP later claimed ~500,000 credentials harvested across the broader cascade, with LiteLLM described as the highest-yield single hop because .pth execution snares secrets from any unrelated Python tooling on the same host. PyPI, BerriAI, and JFrog jointly published IoCs and a remediation playbook on 2026-03-24 and 2026-03-25.
Affected packages (1)
- PyPI
litellm1.82.71.82.8
Impact
- Env vars, SSH keys, AWS/GCP/Azure credentials, K8s tokens, DB passwords harvested
- .pth file ensures execution on every interpreter init, not only on install
- Privileged K8s pod deployment for cluster-wide lateral movement
- systemd user persistence (sysmon.service)
What to do
- 1Downgrade to
litellm≤1.82.6or upgrade to a clean post-incident release - 2Delete
litellm_init.pthfrom site-packages and rotate every reachable secret - 3Remove the
sysmon.servicesystemd user unit and/tmp/pglog,~/.config/sysmon/ - 4Remove rogue
node-setup-*pods inkube-systemand rotate cluster credentials - 5Block
models.litellm.cloudandcheckmarx.zoneat the network edge