The popular LiteLLM package on PyPI has been compromised in a TeamPCP-linked supply-chain attack, potentially exposing data from hundreds of thousands of devices. Security researchers at Endor Labs report that malicious versions 1.82.7 and 1.82.8 were uploaded with embedded infostealer code, affecting a library that sees millions of daily downloads and serves as a key interface for multiple large language model providers.
The attack is the latest in a series of incidents linked to TeamPCP, including the breach of the Trivy vulnerability scanner, a campaign targeting Kubernetes clusters with Iran-focused malware, and the compromise of Checkmarx GitHub Actions.
In the latest intrusion, the attackers inserted a hidden payload into LiteLLM’s codebase that executes automatically when the package is imported. A more advanced variant ensures persistence by leveraging Python’s startup mechanism, allowing the malware to run even when the library is not actively used.
Once activated, the malware deploys a credential-stealing toolkit capable of harvesting sensitive data such as SSH keys, cloud credentials, Kubernetes secrets, and cryptocurrency wallets. It also attempts to spread across Kubernetes environments and establishes long-term access through disguised system services. Stolen data is encrypted and sent to attacker-controlled infrastructure. According to reports, threat actors managed to exfiltrate data from nearly 500,000 infected devices, though some of it may be duplicates.
Both compromised versions have since been removed from PyPI, and a clean release has been restored. Organizations are advised to audit their systems, rotate credentials, and investigate potential persistence mechanisms.
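A starting point for the audit recommended above, as an added example that is not code from the article, Endor Labs or the LiteLLM project: it checks the installed litellm version against the two versions named here and lists `.pth` files whose lines Python executes at interpreter startup. It assumes the "startup mechanism" mentioned above refers to `.pth` processing by Python's `site` module, which the article does not specify; the function names are hypothetical.

```python
import re
import site
from importlib import metadata
from pathlib import Path

# Versions the article names as malicious.
COMPROMISED = {"1.82.7", "1.82.8"}


def litellm_status(version):
    """Classify an installed litellm version string (None = not installed)."""
    if version is None:
        return "not-installed"
    return "COMPROMISED" if version.strip() in COMPROMISED else "not-listed"


def installed_litellm_version():
    """Read the version from package metadata without importing litellm."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def executable_pth_lines(pth_text):
    """Return the lines of a .pth file that site.py would exec() at startup."""
    # site.py executes lines starting with "import" + space or tab;
    # every other non-comment line is treated as a path to add to sys.path.
    return [ln for ln in pth_text.splitlines() if re.match(r"import[ \t]", ln)]


def scan_site_dirs(dirs):
    """Map each .pth file containing executable lines to those lines."""
    findings = {}
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for pth in sorted(Path(d).glob("*.pth")):
            try:
                lines = executable_pth_lines(pth.read_text(errors="replace"))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if lines:
                findings[str(pth)] = lines
    return findings


if __name__ == "__main__":
    print("litellm:", litellm_status(installed_litellm_version()))
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for path, lines in scan_site_dirs(dirs).items():
        print(path, "->", [ln[:80] for ln in lines])
```

Legitimate tools also ship `.pth` files with `import` lines, so each finding needs review against what is expected in that environment. Run the script with every interpreter and virtual environment on the host, since each has its own site-packages.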