TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 Likely via Trivy CI/CD Compromise

Photo: The Hacker News
Nearly 1,500 stars on GitHub did not protect the popular LiteLLM library from a supply chain attack affecting versions 1.82.7 through 1.82.8. The hacking group TeamPCP managed to smuggle malicious code (a backdoor) directly into the tool's official releases, likely by exploiting vulnerabilities in CI/CD processes related to the Trivy security scanner. This incident strikes at the heart of the AI ecosystem, as LiteLLM is widely used to unify queries to various language models, such as those from OpenAI or Anthropic. The malware allowed attackers to execute remote commands and potentially steal sensitive API keys, which for companies integrating GenAI solutions means the risk of massive financial losses and data breaches. For the global developer community, this is a clear signal that even automated security auditing tools can become an attack vector if their integration with the deployment pipeline is not rigorously monitored. Users should immediately force an update to version 1.82.9, in which the infected scripts have been removed. Effective protection of AI infrastructure today requires not only verifying one's own code but, above all, a rigorous Zero Trust approach and the isolation of runtime environments where third-party libraries operate.
The world of Software Supply Chain security has faced another major crisis, hitting the artificial intelligence ecosystem directly. A hacking group known as TeamPCP, responsible for recent attacks on popular scanning tools such as Trivy and KICS, has expanded its operations to the LiteLLM library. This is an extremely popular Python package serving as a universal interface for integration with multiple Large Language Models (LLMs), such as OpenAI, Anthropic, or Google Vertex AI. The scale of the threat is significant because LiteLLM forms the foundation of many commercial and open-source AI applications, making it an ideal target for attackers seeking access to sensitive corporate data.
According to reports published by leading cybersecurity firms, including Endor Labs and JFrog, infected software versions appeared directly in the official repository. Attackers managed to smuggle malicious code into versions 1.82.7 and 1.82.8. The infection mechanism suggests this was not an accidental developer error, but a precisely planned CI/CD compromise operation, likely exploiting vulnerabilities in code publication automation processes that previously allowed the same group to strike Trivy.
TeamPCP's Arsenal Hidden in Python Packages
What distinguishes this attack from typical "typosquatting" campaigns is the level of sophistication of the malware embedded within LiteLLM. Researchers identified three main modules that make the infected versions 1.82.7 and 1.82.8 extremely dangerous for production environments. First, the code contains a credential harvester – a tool designed to automatically search for and steal API keys, passwords, and access tokens stored in server environment variables. In the context of a tool like LiteLLM, which inherently operates on keys for expensive AI models, the financial and operational risk is massive.
The second element is the Kubernetes lateral movement toolkit. This is a set of scripts allowing attackers to escalate privileges and move within Kubernetes clusters. Since modern LLM applications are almost always containerized and run in the cloud, the presence of such a tool suggests that TeamPCP aims to take over entire cloud infrastructures rather than just individual applications. The third, and perhaps most dangerous component, is a persistent backdoor, which guarantees hackers permanent access to the infected system, even after attempts to remove malicious files or restart services.
- Infected versions: LiteLLM 1.82.7 and 1.82.8.
- Main threats: Credential theft, Kubernetes escalation, persistent backdoor.
- Likely vector: Compromise of CI/CD pipelines (likely linked to the Trivy incident).
- Recommendation: Immediate update to versions free of malicious code or rollback to version 1.82.6.
The Mechanism of Compromise via CI/CD Pipelines
Technical analysis of the incident indicates that TeamPCP did not hack into LiteLLM developer accounts directly via phishing, but instead exploited weaknesses in the software build infrastructure. There are strong indications that the attack is a direct consequence of the earlier takeover of the Trivy tool. If LiteLLM developers used an infected version of Trivy to scan their code during the CI/CD process, a "poisoning the well" situation could have occurred. The malicious scanning tool, instead of protecting the code, injected a backdoor into it during the automated PyPI package building process.
This phenomenon demonstrates a new, terrifying era of cyberattacks where security tools become Trojan horses. Using Trivy – an industry standard in container and dependency scanning – to infect the LiteLLM library demonstrates how deep and complex the web of connections in modern software development is. Attackers no longer need to look for holes in the final product; they only need to take control of one link in the automation chain for their code to reach thousands of servers worldwide under the banner of a trusted publisher.

Responding to the Threat and Protecting AI Infrastructure
For organizations using LiteLLM, the situation requires an immediate response. Standard security procedures should include not only an audit of package versions in requirements.txt or pyproject.toml files but also a deep inspection of runtime environments. If your infrastructure used version 1.82.7 or 1.82.8, simply bumping the version to a safe one may not be enough, given the presence of a backdoor allowing for persistent attacker presence. It is necessary to rotate all API keys (OpenAI, Anthropic, AWS, Azure) and audit permissions within Kubernetes clusters for unauthorized service accounts.
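The version audit described above can be scripted. The following is an added example, not code from the article or from the LiteLLM project: it scans requirements.txt-style lines and the quoted PEP 508 requirement strings in a pyproject.toml for the `litellm` package, evaluates the version specifier against the two releases the article names (1.82.7 and 1.82.8), and flags pins that hit them, ranges that would let a resolver pick them, and unpinned entries. The sample manifests at the bottom are constructed for the example.

```python
"""Flag dependency manifests that can resolve to the LiteLLM releases named in the advisory."""
import re
from typing import Dict, Tuple

# Releases the article reports as carrying the backdoor.
AFFECTED_VERSIONS = ("1.82.7", "1.82.8")

# A requirement line: package name, optional extras, version specifier, optional marker/comment.
REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?P<spec>[^;#]*)"
)
# One clause of a specifier, e.g. '>=1.82.0', '<1.83', '==1.82.*'.
CLAUSE_RE = re.compile(r"(===|==|!=|~=|>=|<=|>|<)\s*([0-9][0-9.]*(?:\*)?)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.82.7' into (1, 82, 7) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def satisfies(version: str, spec: str) -> bool:
    """True if `version` is allowed by every clause of a PEP 440-style `spec`.

    Supports ==, ===, !=, >=, <=, >, <, ~= and '.*' wildcards on ==/!=.
    Pre-release and local-version rules are out of scope for this example.
    """
    v = parse_version(version)
    for op, raw in CLAUSE_RE.findall(spec):
        if raw.endswith(".*"):  # wildcard clause: prefix match (==) or prefix mismatch (!=)
            prefix = parse_version(raw[:-2])
            ok = (v[: len(prefix)] == prefix) == (op != "!=")
        else:
            c = parse_version(raw)
            if op in ("==", "==="):
                ok = v == c
            elif op == "!=":
                ok = v != c
            elif op == ">=":
                ok = v >= c
            elif op == "<=":
                ok = v <= c
            elif op == ">":
                ok = v > c
            elif op == "<":
                ok = v < c
            else:  # '~=': compatible release, >= c and below c with its second-to-last part bumped
                upper = c[:-2] + (c[-2] + 1,) if len(c) >= 2 else (c[0] + 1,)
                ok = c <= v < upper
        if not ok:
            return False
    return True


def classify(spec: str) -> str:
    """Classify a litellm specifier: 'unpinned', 'clean', or 'affected:<versions it admits>'."""
    if not CLAUSE_RE.findall(spec):
        return "unpinned"  # a resolver may pick any release, including an affected one
    hits = [ver for ver in AFFECTED_VERSIONS if satisfies(ver, spec)]
    return "affected:" + ",".join(hits) if hits else "clean"


def scan_requirements(text: str) -> Dict[str, str]:
    """Return {requirement: verdict} for every litellm line in requirements.txt text."""
    findings: Dict[str, str] = {}
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m or m.group("name").lower().replace("_", "-") != "litellm":
            continue
        findings[m.group(0).strip()] = classify(m.group("spec"))
    return findings


def scan_pyproject(text: str) -> Dict[str, str]:
    """Same check over the quoted requirement strings in a pyproject.toml."""
    findings: Dict[str, str] = {}
    for req in re.findall(r"""["']([^"']+)["']""", text):
        m = REQ_RE.match(req)
        if m and m.group("name").lower().replace("_", "-") == "litellm":
            findings[req] = classify(m.group("spec"))
    return findings


# Constructed sample manifests for this example.
SAMPLE_REQUIREMENTS = """\
fastapi==0.110.0
litellm==1.82.7          # pinned to an infected release
openai>=1.0
"""

SAMPLE_PYPROJECT = """\
[project]
name = "demo-service"
dependencies = [
    "litellm[proxy]>=1.82.0,<1.83",
    "anthropic~=0.20",
]
"""

if __name__ == "__main__":
    for source, findings in (("requirements.txt", scan_requirements(SAMPLE_REQUIREMENTS)),
                             ("pyproject.toml", scan_pyproject(SAMPLE_PYPROJECT))):
        for req, verdict in findings.items():
            print(f"{source}: {req!r} -> {verdict}")
```

A range such as `>=1.82.0,<1.83` is reported as affected even though it is not an explicit pin, because a fresh resolve or a stale lock file can land on 1.82.7 or 1.82.8; the remediation the article gives (move to 1.82.9, or roll back to 1.82.6) should be applied to the lock file as well as the manifest, and the key rotation and cluster audit remain necessary regardless of the verdict.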
In a broader context, the LiteLLM incident forces a redefinition of the approach to trust in the open-source ecosystem. Traditional VPNs and simple firewalls do not protect against malicious code that we download into our network ourselves. A solution gaining importance is moving toward the Zero Trust Network Access (ZTNA) model. Instead of trusting applications based on their origin, this model assumes that every interaction – even those inside a cluster between microservices – must be verified and isolated. Eliminating the possibility of lateral movement by directly connecting users and processes to specific applications, rather than giving them access to entire network segments, is crucial in the era of attacks like the one carried out by TeamPCP.
"Software supply chain security is no longer an optional add-on, but the foundation of survival for every technology company. The attack on LiteLLM shows that even the most trusted libraries can become an attack vector overnight."
The evolution of TeamPCP's methods indicates that the group perfectly understands the architecture of modern AI systems. Focusing on credential theft and Kubernetes cluster manipulation suggests that their goal is not merely vandalism, but systematic industrial espionage or laying the groundwork for mass ransomware attacks on cloud infrastructure. In the era of the AI arms race, where training data and models constitute a company's most valuable capital, protecting tools like LiteLLM becomes a top priority for Cybersecurity departments worldwide.
The aggressive pace of publishing new versions in open-source projects, while fostering innovation, creates gaps that TeamPCP can ruthlessly exploit. Organizations must begin using Software Composition Analysis (SCA) tools that operate in real-time and can detect anomalies in package behavior, rather than relying solely on databases of known vulnerabilities (CVE). Only through a rigorous approach to verifying every line of code entering the production environment can the risk of a repeat scenario – where a tool meant to facilitate AI work becomes the key to the corporate safe – be minimized.