TeamPCP Compromised LiteLLM in AI Supply Chain Attack | eSecurity Planet


TeamPCP used malicious LiteLLM packages to steal AI and cloud credentials in a software supply chain attack.

Written by Ken Underhill
May 26, 2026

A supply chain attack targeting the open-source AI ecosystem shows how threat actors are increasingly abusing developer tools and AI infrastructure to steal credentials and compromise cloud environments. 

Researchers found that TeamPCP compromised LiteLLM, a widely used open-source Python library that connects applications to more than 100 LLM providers through OpenAI-compatible APIs.  

The attack reportedly used malicious LiteLLM packages to steal credentials tied to AI platforms, cloud services, Kubernetes environments, and developer pipelines. 

Key Takeaways of the TeamPCP Investigation

  • TeamPCP compromised LiteLLM through a software supply chain attack targeting AI development infrastructure.
  • The attackers first poisoned Trivy to steal CI/CD pipeline tokens and publish malicious LiteLLM packages to PyPI.
  • Malicious LiteLLM versions used source injection and stealthy .pth file execution techniques for persistence.
  • The malware targeted credentials tied to OpenAI, Anthropic, Azure, AWS, Kubernetes, and developer environments.
  • The incident highlights growing risks across AI ecosystems, CI/CD pipelines, and trusted open-source dependencies.

Attack Began with a Trivy Compromise

According to the analysis, the compromise began before LiteLLM itself was targeted. 

TeamPCP first compromised Trivy, a vulnerability scanner integrated into many CI/CD pipelines. 

The attackers reportedly used spoofed maintainer identities and impersonated commits to poison the Trivy repository, distributing malicious binaries through GitHub Releases, Docker Hub, and Amazon ECR. 

Because LiteLLM used Trivy within its CI/CD pipeline, the compromised scanner was able to scrape sensitive tokens from the build environment. 

Researchers said the malware extracted LiteLLM’s PYPI_PUBLISH token directly from CI/CD runner memory, allowing the attackers to publish malicious LiteLLM packages without compromising the official source code repository itself.

Using the stolen credentials, TeamPCP pushed malicious LiteLLM versions to PyPI.


Two Different Malware Injection Methods

The attackers used different malware delivery techniques in each malicious package version.

LiteLLM version 1.82.7 reportedly used direct source injection by embedding a Base64-encoded payload into the proxy_server.py file, which executed when the LiteLLM proxy service started.

Version 1.82.8 used a stealthier persistence technique involving a malicious .pth file named litelllm_init.pth placed inside Python’s site-packages directory. 

Because .pth files execute automatically during Python interpreter startup, the malware could run even if LiteLLM was never explicitly imported by the application.

Researchers noted that a simple installation of LiteLLM 1.82.8 activated the payload across subsequent Python processes on the affected host.
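The .pth mechanism described above is a documented feature of Python's site module: when the interpreter starts, any line in a .pth file under a site directory that begins with "import " is executed as code, while other lines are treated as paths to add to sys.path. The following audit script is an added example (it is not code from the article, from the LiteLLM project, or from the researchers) that walks every site directory, lists the lines the interpreter would execute, and flags those that also decode, exec, or reach the network, which is the shape of payload the article describes. The .pth contents written by demo() are constructed fixtures, and the flagged line uses a placeholder string rather than a real payload.

```python
"""Audit site directories for .pth files that run code at interpreter startup.

Added example, not from the article or the LiteLLM project. Python's site
module executes .pth lines that start with "import "; everything else in a
.pth file is treated as a sys.path entry. A defender reviewing a host after a
malicious package install wants the executable lines, not the path lines.
"""
import os
import re
import shutil
import site
import tempfile

# Heuristics for an executable .pth line that deserves a human look: decoding
# or compiling a blob, spawning processes, or opening network connections.
# Legitimate uses of executable .pth lines are narrow (editable installs,
# a few namespace and coverage helpers), so the review list stays short.
SUSPICIOUS = re.compile(
    r"exec\(|compile\(|base64|b64decode|zlib|marshal|subprocess|socket|"
    r"urllib|requests|__import__",
    re.IGNORECASE,
)


def pth_exec_lines(path):
    """Return (lineno, text) for every line the site module would execute."""
    found = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            # site.addpackage() executes lines starting with "import " or "import\t"
            if line.startswith(("import ", "import\t")):
                found.append((n, line))
    return found


def audit_dir(directory):
    """Return findings for one directory: file, line number, text, suspicious flag."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        full = os.path.join(directory, name)
        for n, text in pth_exec_lines(full):
            findings.append({
                "file": full,
                "line": n,
                "text": text,
                "suspicious": bool(SUSPICIOUS.search(text)),
            })
    return findings


def audit_site():
    """Audit every site directory of the running interpreter (user site included)."""
    # getsitepackages() is absent in some older virtualenv layouts; degrade gracefully.
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    dirs.append(site.getusersitepackages())
    out = []
    for d in dirs:
        out.extend(audit_dir(d))
    return out


def demo():
    """Run the audit over constructed .pth fixtures in a temporary directory."""
    tmp = tempfile.mkdtemp()
    try:
        # A plain path line: never executed, so it produces no finding.
        with open(os.path.join(tmp, "editable-pkg.pth"), "w") as fh:
            fh.write("/opt/src/mypkg\n")
        # Constructed stand-in for the pattern in the article: an import line
        # that decodes and exec's a blob. The blob is a placeholder, not a payload.
        with open(os.path.join(tmp, "evil_init.pth"), "w") as fh:
            fh.write("import base64; exec(base64.b64decode('PAYLOAD_PLACEHOLDER'))\n")
        # An executable line that only manipulates sys.path: listed, not flagged.
        with open(os.path.join(tmp, "hook.pth"), "w") as fh:
            fh.write("import sys; sys.path.insert(0, '/opt/hooks')\n")
        return audit_dir(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for f in audit_site():
        flag = "REVIEW " if f["suspicious"] else "       "
        print(f"{flag}{f['file']}:{f['line']}: {f['text']}")
```

Run it with the interpreter whose environment you want to check (for a virtualenv, its own python), because site directories are interpreter-specific. Everything the script lists executes on every interpreter start, so even the unflagged lines are worth a glance after an incident.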

Credential Theft and Persistence

The malware focused heavily on credential harvesting and persistence. 

According to the analysis, the payload scanned systems for environment variables and configuration files associated with major AI providers and cloud services.

Targeted credentials reportedly included API keys for OpenAI, Anthropic, and Azure AI services, as well as cloud credentials tied to AWS, Google Cloud, and Microsoft Azure environments. 

The malware also attempted to extract local configuration files such as Kubernetes configurations and AWS credential files stored within user home directories.

After collecting data, the malware encrypted the information before packaging the data into a compressed archive for exfiltration. 

The data was then transmitted to a remote attacker-controlled domain associated with the campaign.

The malware also established persistence using a polling-based remote code execution backdoor that periodically contacted a secondary command-and-control endpoint for additional payloads and execution instructions.


How Organizations Can Reduce AI Supply Chain Risk 

As software supply chain attacks continue affecting developer tools and AI ecosystems, organizations are placing greater focus on securing build pipelines and dependency workflows. 

Security teams should prioritize reducing credential exposure, validating package integrity, improving visibility into developer activity, and preparing for potential supply chain incidents. 

  • Monitor CI/CD pipelines, package repositories, and developer environments for unauthorized package changes, suspicious publishing activity, and anomalous authentication behavior.
  • Restrict access to publishing tokens, API keys, and cloud credentials while enforcing least privilege and MFA across developer and build systems.
  • Validate package integrity using signed releases, checksum verification, dependency scanning, and Software Composition Analysis (SCA) tools before deployment.
  • Segment build environments and limit unnecessary outbound connectivity from CI/CD runners to reduce credential exposure and lateral movement risks.
  • Continuously monitor Python packages, AI libraries, and open-source dependencies for malicious updates, typosquatting, and unexpected installation behavior.
  • Strengthen endpoint visibility and behavioral detection capabilities to identify credential theft, persistence mechanisms, and suspicious Python interpreter activity.
  • Regularly test incident response, containment, and recovery plans involving software supply chain compromises, malicious packages, and CI/CD pipeline breaches.

Collectively, these steps can help organizations reduce software supply chain exposure and strengthen operational resilience. 
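The package-integrity item above (checksum verification before deployment) is what pip enforces with `pip install --require-hashes -r requirements.txt`: every requirement is pinned to an exact version and one or more `--hash=sha256:...` values, and any artifact whose digest does not match is refused. The script below is an added example, not code from the article or from pip, that performs the same check in the open so it can run as a pre-deploy gate over a vendored wheel cache. It fails closed: a package with no pin, or a pin with no hash, is rejected. The package name, version, artifacts, and hashes in demo() are constructed for the demonstration.

```python
"""Verify downloaded package artifacts against hash-pinned requirements.

Added example, not from the article or from pip. Mirrors the semantics of
`pip install --require-hashes`: exact version pin plus one or more
--hash=<algo>:<digest> options per requirement, and a mismatch or a missing
hash is a hard failure rather than a warning.
"""
import hashlib
import os
import re
import shlex
import shutil
import tempfile

# Only exact pins are accepted; ranges cannot be hash-verified.
REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)$")


def parse_requirements(text):
    """Map lowercase package name -> {'version': v, 'hashes': {algo: {digests}}}."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)
        m = REQ_LINE.match(parts[0])
        if not m:
            raise ValueError(f"unpinned or unsupported requirement: {line!r}")
        hashes = {}
        for opt in parts[1:]:
            if opt.startswith("--hash="):
                algo, _, digest = opt[len("--hash="):].partition(":")
                hashes.setdefault(algo.lower(), set()).add(digest.lower())
        pins[m["name"].lower()] = {"version": m["version"], "hashes": hashes}
    return pins


def file_digest(path, algo="sha256"):
    """Stream the file through the named hash so large wheels do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path, name, pins):
    """Return (ok, reason). Missing pin or missing hash is a failure, not a pass."""
    pin = pins.get(name.lower())
    if pin is None:
        return False, f"no pin for {name}"
    if not pin["hashes"]:
        return False, f"pin for {name} carries no --hash entries"
    for algo, digests in pin["hashes"].items():
        if file_digest(path, algo) in digests:
            return True, f"{algo} matches pin for {name}=={pin['version']}"
    return False, f"digest of {os.path.basename(path)} matches no pinned hash for {name}"


def demo():
    """Exercise the gate on constructed artifacts: pinned-good, tampered, unpinned."""
    tmp = tempfile.mkdtemp()
    try:
        good = os.path.join(tmp, "example_pkg-1.0.0-py3-none-any.whl")  # constructed
        bad = os.path.join(tmp, "example_pkg-1.0.0-py3-none-any.whl.tampered")
        with open(good, "wb") as fh:
            fh.write(b"constructed wheel contents")
        with open(bad, "wb") as fh:
            fh.write(b"constructed wheel contents, altered after the pin was taken")
        # Requirements text in pip's format; the hash is computed from the good file.
        reqs = (
            f"example-pkg==1.0.0 --hash=sha256:{file_digest(good)}\n"
            "other-pkg==2.0.0  # pinned but no hash: must be rejected\n"
        )
        pins = parse_requirements(reqs)
        return (
            verify_artifact(good, "example-pkg", pins)[0],
            verify_artifact(bad, "example-pkg", pins)[0],
            verify_artifact(good, "other-pkg", pins)[0],
            verify_artifact(good, "unlisted-pkg", pins)[0],
        )
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The digests in a real requirements file should come from a source the build does not control, such as `pip hash` run on artifacts fetched at pin time, and the file itself should be protected by the same change review as source code; a hash pin only helps if an attacker who can publish a package cannot also rewrite the pin.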

AI Infrastructure Becomes a New Target

The LiteLLM compromise highlights the growing risks facing AI infrastructure and software supply chains as attackers increasingly target trusted developer tools and CI/CD environments. 

Because LiteLLM serves as a gateway to multiple AI providers, a single compromise potentially exposes credentials tied to OpenAI, Anthropic, Azure, and other connected services. 

The incident also shows how attackers can abuse trusted relationships within software pipelines, using an earlier compromise of Trivy to distribute malicious packages through legitimate repositories and downstream development environments. 

As organizations look to reduce risks across AI development pipelines and trusted software ecosystems, they are adopting zero trust strategies to help strengthen access controls, segmentation, and identity security.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
