
How TeamPCP Turned LiteLLM into a Credential Harvesting Tool


By Prashant Kumar

Supply chain attacks are on the rise again, and this time the attackers are using artificial intelligence modules to exfiltrate sensitive data. Since our post that featured an AI kill chain simulation, we have observed a new supply chain attack on LiteLLM, a widely used open-source Python library. LiteLLM is an open-source AI gateway that provides a single, unified interface for calling 100+ LLM providers through an OpenAI-compatible API.

In this incident, the threat actor group known as TeamPCP compromised LiteLLM by inserting infostealer malware directly into the library. I'll analyze the attack to show how it occurred and how the hackers exfiltrated data from cloud environments, AI services and developer pipelines.

The attack chain below shows how this attack was carried out.

Fig. 1: Attack chain

The Precursor to the LiteLLM Attack

Prior to the attack on LiteLLM, TeamPCP compromised Trivy, a popular vulnerability scanner. The hackers gained access by making impersonated commits and spoofing legitimate maintainer identities. They then pushed a malicious version to the Trivy repository on GitHub, which triggered the automated release pipeline and distributed backdoored binaries to GitHub Releases, Docker Hub and Amazon ECR.

LiteLLM Attack Initialization

LiteLLM's CI/CD pipeline used Trivy as part of its build process. Because TeamPCP had already poisoned Trivy, the compromised binary scraped the CI/CD runner's memory and exfiltrated the PYPI_PUBLISH token.

With the stolen PYPI_PUBLISH token, the attackers pushed malicious versions 1.82.7 and 1.82.8 of LiteLLM directly to PyPI, bypassing LiteLLM's actual source code repository entirely.

Malicious Versions of LiteLLM

The two malicious versions used different injection techniques:

Version 1.82.7 used source injection: the payload was Base64-encoded and injected directly into proxy_server.py, so it executes when the LiteLLM proxy starts.

Fig. 2: Version 1.82.7

Version 1.82.8 used .pth file injection. This version added litellm_init.pth to site-packages/, which the Python interpreter processes at startup with no import required, making it stealthier and broader in impact. A simple pip install LiteLLM==1.82.8 activated the payload in every subsequent Python process on the host.

Fig. 3: Version 1.82.8

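The .pth mechanism described above is worth checking for on your own hosts. The following scanner is an added example (not code from the post or from LiteLLM): it applies the same rule Python's site module uses, treating any non-comment .pth line that begins with "import " as code that will run on every interpreter start, and flags lines carrying decoder or exec-style tokens. The two SAMPLE_* strings and the SUSPICIOUS token list are my own constructions.

```python
"""Find .pth files whose lines Python executes at startup (added example, not from the post).
site.py runs any non-comment .pth line beginning with "import " or "import\t" on every
interpreter start; that is the hook litellm_init.pth abused."""
import re
import site
from pathlib import Path

# Tokens a defender would not expect in a legitimate path-hook line (my own list).
SUSPICIOUS = re.compile(
    r"\b(exec|eval|compile|base64|b64decode|zlib|marshal|subprocess|urllib|socket|os\.system)\b")

# Constructed samples, not real files: an editable-install hook and a loader-style line.
SAMPLE_BENIGN = "/opt/project/src\nimport sys; sys.path.insert(0, '/opt/project/src')\n"
SAMPLE_SUSPICIOUS = "import base64, sys; exec(base64.b64decode('aW1wb3J0IG9z'))\n"

def executable_lines(text):
    """Lines site.py would exec: non-blank, non-comment, starting with 'import'."""
    lines = []
    for line in text.splitlines():
        line = line.rstrip()
        if line and not line.startswith("#") and line.startswith(("import ", "import\t")):
            lines.append(line)
    return lines

def classify_pth(text):
    """Return (executable_lines, suspicious_flag) for one .pth file's content."""
    execs = executable_lines(text)
    return execs, any(SUSPICIOUS.search(line) for line in execs)

def scan_dirs(dirs):
    """Return (path, executable_lines, suspicious) for every .pth that executes code."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            execs, suspicious = classify_pth(pth.read_text(errors="replace"))
            if execs:
                findings.append((str(pth), execs, suspicious))
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_SUSPICIOUS):
        print(classify_pth(sample))
    for path, execs, suspicious in scan_dirs(site.getsitepackages() + [site.getusersitepackages()]):
        print(f"[{'SUSPICIOUS' if suspicious else 'executes'}] {path}")
        for line in execs:
            print("    " + line)
```

Legitimate editable installs also ship executable .pth lines, so treat the "executes" entries as an inventory to review and the "SUSPICIOUS" ones as the starting point for triage.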
When these LiteLLM packages execute, they trigger a credential-stealing payload.

Analyzing a Three-Staged Payload

While analyzing impacted versions and decoding Base64, we observed multiple payloads focused on data collection, exfiltration and persistence.

1. Data collection

Fig. 4: Information and data collection

As shown above, the script immediately scans for environment variables and configuration files associated with cloud providers and AI services, including:

  • AI provider keys: OpenAI, Anthropic and Azure secrets stored in ENV variables
  • Cloud metadata: AWS/GCP/Azure credentials used by the SDKs
  • Local files: Extraction of ~/.kube/config and ~/.aws/credentials from the /home directory

2. Encryption and exfiltration

After data is collected, it is encrypted and exfiltrated. Figure 5 details the procedure:

  • A 32-byte AES session key is generated
  • Data is encrypted using AES-256-CBC (PBKDF2)
  • Everything is saved in tpcp.tar[.]gz
  • Data is exfiltrated to hxxps[:]//models[.]litellm[.]cloud/ via curl

Fig. 5: Encryption and exfiltration

3. Persistence

Persistence is achieved by installing a Sysmon.py script from the PERSIST_B64 payload; it implements a polling-based remote code execution backdoor. On first start the script sleeps for 300 seconds, then polls hxxps[://]checkmarx[.]zone/raw every 50 minutes (3,000 seconds). It expects a response containing a URL starting with "http", downloads that file to /tmp/pglog, makes it executable and runs it as a background process.

Fig. 6: Persistence

AI Infrastructure Becomes a New Supply Chain Target

The LiteLLM compromise is a case study in how AI infrastructure is becoming the next frontier for supply chain attacks. The threat actor group TeamPCP poisoned LiteLLM's CI/CD pipeline to push two malicious versions of the package, each using a distinct delivery mechanism.

Version 1.82.7 injected a payload directly into proxy_server.py, triggering execution when the LiteLLM proxy starts. Version 1.82.8 took a stealthier approach, dropping a .pth file into site-packages that caused the malware to execute on every Python process initialized on the host, regardless of whether LiteLLM was ever explicitly imported.

What makes this campaign uniquely dangerous for AI and ML teams is the nature of the target. LiteLLM functions as a unified gateway to major AI providers, meaning a single compromise gave attackers simultaneous access to OpenAI, Anthropic and Azure credentials. Losing one library effectively means losing access control across multiple connected AI providers at once.

Protection Statement

  • Stage 4 (Exploit Kit): The credential harvesting URL domain is categorized.
  • Stage 5 (Dropper File): Hashes of the malicious PyPI versions have been added to our blocklist.

IOCs

Indicator                                   Type
hxxps[:]//models.litellm[.]cloud/           Exfiltration URL
hxxps[:]//checkmarx[.]zone/raw              C2
2d94efc6d49e05b314a9da55804f6a0d57154b18    litellm_init[.]pth (version 1.82.8)
9e7587b990ae57319a6afedeba3b8873f6238206    proxy_server[.]py (version 1.82.7)
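The indicators above, the pinned malicious versions and the /tmp/pglog drop location from the persistence stage can be turned into a quick hunt across a Python environment. The script below is an added example, not the post's or LiteLLM's code: the versions, file names and SHA-1 digests come from this post, while the function names and scan logic are my own.

```python
"""Hunt a Python environment for the LiteLLM 1.82.7 / 1.82.8 indicators in this post.
Added example, not the post's or LiteLLM's code: versions, file names and SHA-1 digests
come from the IOC table; the function names and scan logic are mine."""
import hashlib
import site
from importlib import metadata
from pathlib import Path

MALICIOUS_VERSIONS = {"1.82.7", "1.82.8"}
# The 40-hex-char digests in the IOC table are SHA-1, keyed here to the artifact each identifies.
MALICIOUS_SHA1 = {
    "9e7587b990ae57319a6afedeba3b8873f6238206": "proxy_server.py (1.82.7)",
    "2d94efc6d49e05b314a9da55804f6a0d57154b18": "litellm_init.pth (1.82.8)",
}

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()

def installed_litellm_version():
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None

def hunt_site_dir(site_dir):
    """Hash every .pth and every proxy_server.py under litellm/ in one site-packages dir."""
    root = Path(site_dir)
    if not root.is_dir():
        return []
    candidates = list(root.glob("*.pth"))
    if (root / "litellm").is_dir():
        candidates += list((root / "litellm").rglob("proxy_server.py"))
    hits = []
    for path in (p for p in candidates if p.is_file()):
        digest = sha1_hex(path.read_bytes())
        if digest in MALICIOUS_SHA1:
            hits.append((str(path), digest, MALICIOUS_SHA1[digest]))
    return hits

def hunt_persistence(tmp_dir="/tmp"):
    target = Path(tmp_dir) / "pglog"  # the backdoor saves its downloaded next stage here
    return [str(target)] if target.exists() else []

if __name__ == "__main__":
    v = installed_litellm_version()
    print("litellm version:", v, "(MALICIOUS)" if v in MALICIOUS_VERSIONS else "")
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        for hit in hunt_site_dir(d):
            print("IOC hash match:", *hit)
    print("persistence artifacts:", hunt_persistence())
```

Run it inside each virtual environment and container image that depends on LiteLLM, since a .pth hit is only visible from the interpreter whose site-packages it was dropped into.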
Prashant Kumar

Prashant serves as a Security Researcher for the X-Labs Threat Research Content. He spends his time researching web and email-based cyberattacks with a particular focus on URL research, email security and analyzing malware campaigns.