TeamPCP has expanded its supply-chain campaign with a new PyPI compromise tied to the LiteLLM package, a widely used Python library with more than 95 million monthly downloads. The affected LiteLLM versions were 1.82.7 and 1.82.8, uploaded on 24 March 2026; they contained hidden malware designed to harvest credentials, move laterally across Kubernetes environments and install persistent backdoors. Version 1.82.6 is still considered the last clean release.
Security researchers from Endor Labs said the malicious code ran automatically when certain package components were imported, and later updates could execute whenever any Python process started in an affected environment.
The malware operates in three stages, starting with a hidden payload embedded in package files, then collecting sensitive data such as SSH keys, cloud credentials (AWS, GCP and Azure), Kubernetes secrets, database credentials, environment files, cryptocurrency wallets, TLS/SSL private keys, and shell histories, before encrypting and transmitting it to attacker-controlled infrastructure.
Investigators attribute the incident to TeamPCP, noting a multi-stage campaign across GitHub Actions, Docker Hub, npm, OpenVSX and PyPI. Experts warn organisations that credentials were likely exposed and urge them to rotate secrets and review systems for signs of compromise.
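A host triage script for the two facts the article gives a defender to work with: the affected version numbers, and the claim that later payloads ran whenever any Python process started. This is an added example, not code from the article or from Endor Labs; it assumes the start-up mechanism was a `.pth` file in site-packages (the standard way Python runs code at interpreter start, via `import` lines that the `site` module exec()s), which the article itself does not name, so the script lists such lines for review rather than declaring any of them malicious.

```python
"""Host triage for the LiteLLM compromise: affected version and start-up hooks."""
import os
import site
from importlib import metadata

# Versions the article names as compromised; 1.82.6 is the last clean release.
AFFECTED_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}


def is_affected_litellm_version(version: str) -> bool:
    """True when the LiteLLM version string is one of the known-bad releases."""
    return version.strip() in AFFECTED_LITELLM_VERSIONS


def installed_litellm_version():
    """Installed LiteLLM version from package metadata, or None if not installed."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def executable_pth_lines(lines) -> list:
    """Return the .pth lines Python's site module would exec() at start-up.

    site.py runs any line beginning with "import" followed by a space or tab;
    every other line is only appended to sys.path. ASSUMPTION: the article does
    not name this mechanism, so these lines are for review, not a verdict.
    """
    return [ln.rstrip("\n") for ln in lines if ln.startswith(("import ", "import\t"))]


def scan_site_packages() -> list:
    """Collect (path, line) for every executable .pth line in the real site dirs."""
    hits = []
    for directory in site.getsitepackages() + [site.getusersitepackages()]:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if name.endswith(".pth"):
                path = os.path.join(directory, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits += [(path, ln) for ln in executable_pth_lines(fh)]
    return hits


if __name__ == "__main__":
    version = installed_litellm_version()
    affected = bool(version and is_affected_litellm_version(version))
    print(f"litellm {version}: affected={affected}")
    for path, line in scan_site_packages():
        print(f"review start-up hook: {path}: {line}")
```

Run it inside each virtual environment and container image that pins LiteLLM, since site-packages (and therefore any `.pth` hook) is per-environment.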