TEAMPCP, the threat actor behind the Trivy and KICS compromises, has now infected a popular Python package named litellm, pushing two malicious versions that carry a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor. Endor Labs reported that litellm versions 1.82.7 and 1.82.8 were published on 24 March 2026, likely due to the project’s use of Trivy in its CI/CD workflow, and both backdoored versions have since been removed from PyPI.
The payload unfolds as a three‑stage attack: a credential harvester sweeps SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets and .env files; a Kubernetes lateral movement toolkit deploys privileged pods to every node; and a persistent systemd backdoor (sysmon[.]service) polls checkmarx[.]zone/raw for additional binaries.
In 1.82.7 the malicious code sits in litellm/proxy/proxy_server.py and executes on import, while 1.82.8 adds a malicious litellm_init.pth at the wheel root to run on every Python process startup. Exfiltrated data is encrypted in tpcp.tar[.]gz and sent to models.litellm[.]cloud via HTTPS POST. According to Endor Labs, this campaign escalates from CI/CD runners to production environments, expanding across ecosystems such as PyPI and Kubernetes.
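As an added example (not code from Endor Labs or the litellm project), the following Python triage script checks a host for the indicators named above: the two backdoored versions, a litellm_init.pth at the site-packages root, a sysmon.service unit, and the report's domains and archive name. It also generalises the .pth check: CPython's site.py executes any line of a .pth file that begins with `import `, which is the startup mechanism 1.82.8 abuses, so the script lists every .pth that contains such a line rather than only the known file name. Function names, the directories scanned and the constructed inputs are assumptions, not values from the report.

```python
"""Offline triage for the indicators in the litellm 1.82.7 / 1.82.8 report.

Added example; not code from Endor Labs or the litellm project. Indicator
values are taken from the report; function names and the scanned paths are
the author's assumptions.
"""
from __future__ import annotations

import site
from pathlib import Path

# Backdoored releases named in the report.
BACKDOORED_VERSIONS = {"1.82.7", "1.82.8"}
# Startup hook that 1.82.8 drops at the wheel root (directly in site-packages).
MALICIOUS_PTH = "litellm_init.pth"
# Persistence unit and network/archive indicators from the report, written undefanged.
MALICIOUS_UNIT = "sysmon.service"
IOC_STRINGS = ("checkmarx.zone", "models.litellm.cloud", "tpcp.tar.gz")

# Where systemd looks for unit files (assumed default locations).
SYSTEMD_UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system",
                     Path.home() / ".config/systemd/user")


def is_backdoored_version(version: str) -> bool:
    """True when an installed litellm version matches a known-bad release."""
    return version.strip() in BACKDOORED_VERSIONS


def pth_exec_lines(text: str) -> list[str]:
    """Return the lines of a .pth file that CPython's site.py will exec().

    site.addpackage() skips blank lines and '#' comments, treats lines that
    start with 'import ' or 'import\\t' as code, and everything else as a
    path to append to sys.path. Any code line therefore runs on every
    interpreter start, which is exactly what a malicious .pth relies on.
    """
    code = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(("import ", "import\t")):
            code.append(line.rstrip())
    return code


def find_iocs(text: str) -> list[str]:
    """Return the report's indicator strings that occur in text, in IOC_STRINGS order."""
    return [ioc for ioc in IOC_STRINGS if ioc in text]


def triage_pth(name: str, text: str) -> dict:
    """Assess one .pth file: known-bad name, executable lines, embedded indicators."""
    return {
        "name": name,
        "known_bad_name": name == MALICIOUS_PTH,
        "exec_lines": pth_exec_lines(text),
        "iocs": find_iocs(text),
    }


def scan_site_packages(dirs=None) -> list[dict]:
    """Triage every .pth in the given (or the running interpreter's) site-packages dirs."""
    if dirs is None:
        dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    results = []
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for pth in sorted(Path(d).glob("*.pth")):
            r = triage_pth(pth.name, pth.read_text(errors="replace"))
            if r["known_bad_name"] or r["exec_lines"] or r["iocs"]:
                r["path"] = str(pth)
                results.append(r)
    return results


def scan_systemd_units(dirs=SYSTEMD_UNIT_DIRS) -> list[dict]:
    """Report units carrying the known-bad name or any report indicator."""
    results = []
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for unit in sorted(Path(d).glob("*.service")):
            iocs = find_iocs(unit.read_text(errors="replace"))
            if unit.name == MALICIOUS_UNIT or iocs:
                results.append({"path": str(unit), "iocs": iocs})
    return results


def installed_litellm_version() -> str | None:
    """Version of litellm visible to this interpreter, or None if absent."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return version("litellm")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    v = installed_litellm_version()
    tag = "  <-- BACKDOORED RELEASE" if v and is_backdoored_version(v) else ""
    print(f"litellm: {v or 'not installed'}{tag}")
    for r in scan_site_packages():
        flag = "KNOWN-BAD NAME" if r["known_bad_name"] else "executes code at startup"
        print(f".pth {r['path']}: {flag}; iocs={r['iocs']}")
        for line in r["exec_lines"]:
            print("    " + line)
    for r in scan_systemd_units():
        print(f"unit {r['path']}: iocs={r['iocs']}")
```

Run it with the same interpreter (or virtualenv) whose site-packages you want checked. Legitimate packages such as setuptools also ship .pth files with `import` lines, so a hit on an unknown name is a lead to inspect, while a match on the known file name, the unit name or one of the report's indicators warrants treating the host's credentials as exposed.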