Supply Chain Attack: Malicious PyPI Packages
TeamPCP has launched a supply chain attack targeting LiteLLM, an open-source Python library used in 36% of cloud environments. Malicious versions 1.82.7 and 1.82.8 were published on PyPI, employing sophisticated techniques for payload delivery and persistence. The compromised packages exploit Python's .pth mechanism for stealthy execution across any Python process. The malware collects sensitive data including API keys, cloud credentials, and CI/CD secrets, encrypting and exfiltrating them to attacker-controlled domains. This attack follows TeamPCP's previous compromises of Aqua Security's Trivy and Checkmarx tools, highlighting an ongoing campaign against the open-source ecosystem. The incident underscores the potential for widespread impact and the need for vigilance in software supply chain security.
AI Analysis
Technical Summary
The threat actor TeamPCP has executed a sophisticated supply chain attack targeting LiteLLM, an open-source Python library integrated into approximately 36% of cloud environments. The attackers published malicious versions 1.82.7 and 1.82.8 on the Python Package Index (PyPI), embedding malware that exploits Python's .pth file mechanism. This mechanism allows code to be executed automatically whenever any Python process starts, enabling stealthy and persistent execution across environments using the compromised package. The malware is designed to harvest sensitive data including API keys, cloud service credentials, and continuous integration/continuous deployment (CI/CD) secrets. These stolen credentials are encrypted and exfiltrated to attacker-controlled domains such as checkmarx.zone and models.litellm.cloud, facilitating further compromise. This incident is part of a broader campaign by TeamPCP, which previously compromised other open-source security tools like Aqua Security's Trivy and Checkmarx, demonstrating a targeted effort against the open-source ecosystem. The attack leverages multiple tactics including supply chain compromise (T1195), persistence via .pth files (T1574.008), credential access (T1555), and data exfiltration (T1041). Although no confirmed exploits in the wild have been reported, the attack's sophistication and the widespread use of LiteLLM pose a significant threat to cloud security.
Potential Impact
The impact of this supply chain attack is potentially severe for organizations using LiteLLM in their cloud environments. By compromising a widely used open-source library, attackers gain a stealthy foothold that can execute malicious code across any Python process, making detection difficult. The theft of API keys, cloud credentials, and CI/CD secrets can lead to unauthorized access to cloud resources, data breaches, and disruption of development pipelines. This can result in loss of sensitive data, intellectual property theft, service outages, and reputational damage. Given the integration of LiteLLM in 36% of cloud environments, the scope of affected systems is broad, increasing the risk of large-scale compromise. The attack also highlights the vulnerability of open-source supply chains, which are critical to modern software development and cloud infrastructure. Organizations may face regulatory and compliance consequences if sensitive data is exposed due to this compromise.
Mitigation Recommendations
- Organizations should immediately audit their use of LiteLLM, specifically checking for versions 1.82.7 and 1.82.8, and revert to known safe versions or remove the package if possible.
- Implement strict package integrity verification using cryptographic signatures or hashes before deployment.
- Employ runtime monitoring to detect unusual Python process behaviors, especially those involving .pth files or unexpected network connections to suspicious domains like checkmarx.zone or models.litellm.cloud.
- Rotate all potentially exposed credentials, including API keys and cloud secrets, and enforce least privilege access to limit damage from compromised credentials.
- Integrate supply chain security tools that scan dependencies for known malicious packages and anomalies.
- Enhance CI/CD pipeline security by restricting package sources and using allowlists.
- Educate developers and DevOps teams about supply chain risks and encourage vigilance when updating dependencies.
- Collaborate with open-source communities to report and remediate compromised packages promptly.
- Finally, implement network egress filtering to block unauthorized data exfiltration attempts to known malicious domains.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, India, South Korea
Indicators of Compromise
- url: http://checkmarx.zone/raw
- domain: checkmarx.zone
- domain: models.litellm.cloud
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign
- Adversary: TeamPCP
- Pulse Id: 69c3bb29c62248c6ffd0b50c
- Threat Score: null
Threat ID: 69c3f1aef4197a8e3b553f9b
Added to database: 3/25/2026, 2:31:10 PM
Last enriched: 3/25/2026, 2:46:33 PM
Last updated: 3/26/2026, 5:28:53 AM