Malicious LiteLLM versions 1.82.7 and 1.82.8 were backdoored, most likely through a Trivy CI/CD breach, and subsequently removed from PyPI, according to Endor Labs’ report. Endor Labs attributes the compromise to TeamPCP with high confidence and describes a three-stage attack: it begins with credential harvesting, extends to lateral movement in Kubernetes via privileged pods, and ends with a persistent systemd backdoor that regularly contacts a remote server for new payloads.
The payload steals SSH keys, cloud credentials, Kubernetes secrets, wallets, and environment files, and the 1.82.8 release adds a .pth file that triggers the payload on every Python startup, even if LiteLLM isn’t used. The campaign, which hit a package with over 95 million monthly downloads, is tied to a broader TeamPCP operation that has previously targeted multiple ecosystems, including GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI.
Endor Labs notes that the malicious code resides in litellm/proxy/proxy_server.py, inserted during or after the wheel build, and highlights the campaign’s three-stage design, encrypted data exfiltration, and persistence mechanisms.
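A defender can check a Python environment for the two things the report describes: an installed LiteLLM at one of the backdoored versions, and .pth lines that the interpreter executes at startup. The script below is an added example, not code from Endor Labs or LiteLLM; the sample tree it builds (file names, placeholder import line) is constructed, because the page does not give the real .pth file name or contents.

```python
import importlib.metadata as md
import sys
import sysconfig
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # releases the report names as backdoored

def executable_pth_lines(site_dir):
    """List (file, line number, text) for every .pth line Python would execute."""
    hits = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for number, line in enumerate(text.splitlines(), 1):
            # site.py executes lines starting with "import" + space/tab;
            # every other non-comment line is only appended to sys.path.
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, number, line.strip()))
    return hits

def backdoored_litellm(site_dir):
    """Return the litellm versions installed in site_dir that are in BAD_VERSIONS."""
    found = set()
    for dist in md.distributions(path=[str(site_dir)]):
        name = (dist.metadata.get("Name") or "").lower()
        if name == "litellm" and dist.version in BAD_VERSIONS:
            found.add(dist.version)
    return sorted(found)

def build_sample(root):
    """Create a constructed site-packages tree; all names and contents are made up."""
    root = Path(root)
    info = root / "litellm-1.82.8.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text("Metadata-Version: 2.1\nName: litellm\nVersion: 1.82.8\n")
    (root / "constructed_startup.pth").write_text("import constructed_loader_placeholder\n")
    (root / "paths_only.pth").write_text("# comment\n../vendored_libs\n")
    return root

if __name__ == "__main__":
    # Scan the directory given on the command line, or this interpreter's site-packages.
    target = sys.argv[1] if len(sys.argv) > 1 else sysconfig.get_paths()["purelib"]
    for version in backdoored_litellm(target):
        print(f"litellm {version} is one of the backdoored releases")
    for name, number, line in executable_pth_lines(target):
        print(f"{name}:{number}: executed at startup: {line}")
```

Legitimate packages (editable installs, some setuptools files) also ship executable .pth lines, so each hit is something to review against a known-good baseline rather than a verdict.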