TeamPCP, the threat actor behind the recent compromises of Trivy and KICS, has extended its malicious campaign to a widely used Python package called litellm. The group pushed two manipulated versions of the package — 1.82.7 and 1.82.8 — each loaded with dangerous components including a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor. Multiple security vendors, including Endor Labs and JFrog, have confirmed the compromise, raising serious concerns about the integrity of open-source software supply chains and the growing sophistication of this particular threat actor.
What the litellm Compromise Means for Software Security
The discovery adds to a troubling pattern tied to TeamPCP, a group that has demonstrated the ability to infiltrate popular open-source tools and inject malicious code before users or maintainers can detect the changes. The litellm package is widely adopted across development environments, making the scope of potential exposure considerable. Organizations relying on automated dependency management tools may have unknowingly pulled in the compromised versions without any immediate indication of a problem.
The Malicious Components Buried in the Affected Versions
Researchers at Endor Labs and JFrog found that litellm versions 1.82.7 and 1.82.8 contain three distinct malicious components working in coordination:
- Credential Harvester : Extracts sensitive authentication credentials from the host environment, potentially exposing API keys, tokens, and other access secrets.
- Kubernetes Lateral Movement Toolkit : Enables threat actors to move through Kubernetes environments once an initial foothold is established, significantly expanding the attack surface.
- Persistent Backdoor : Maintains unauthorized access to compromised systems even after the initial intrusion is detected or the malicious package is identified.
Each of these components serves a distinct function in a coordinated intrusion chain, suggesting that TeamPCP is operating with a clear and calculated objective rather than opportunistic targeting.
How Organizations Should Respond to This Threat
Any organization that has installed litellm should treat versions 1.82.7 and 1.82.8 as actively hostile and act without delay. The presence of a persistent backdoor means that simply removing the package may not be sufficient if the environment has already been compromised. A broader incident response process is warranted in those cases.
Concrete Steps to Protect Your Environment
- Audit all systems and pipelines for installations of litellm versions 1.82.7 and 1.82.8 and remove them immediately.
- Rotate any credentials, API keys, or tokens that may have been accessible to the compromised package during its runtime.
- Review Kubernetes cluster logs for signs of lateral movement or unusual access patterns that could indicate active exploitation.
- Implement runtime monitoring tools capable of flagging suspicious behavior tied to known indicators of compromise.
- Pin dependencies to verified, trusted versions and validate package integrity as part of standard build processes.
The litellm incident is a direct reminder that open-source packages — regardless of their popularity or perceived trustworthiness — remain a viable and increasingly targeted attack vector. Security teams should treat third-party dependencies with the same scrutiny applied to any other external access point within their infrastructure.
