LiteLLM is foundational infrastructure for many AI-powered applications, providing a single interface to models from more than 100 providers. On March 24, 2026, attackers linked to TeamPCP compromised the project in a supply chain attack that inserted infostealer malware into the LiteLLM package, which receives over 95 million downloads per month.
Inside the Attack
LiteLLM is a library that commonly sits between an application and the AI models it calls. Because of that position, it handles the API keys, environment variables, and other configuration the application uses to authenticate to model providers, and any code running inside it can read them.
Ironically, the LiteLLM attack began with an attack on Trivy, a vulnerability and misconfiguration scanner that teams run in CI precisely to catch problems like this. The attackers rewrote Git tags in the trivy-action GitHub Action repository to point at release v0.69.4, which contained a credential-harvesting payload. Git tags are mutable references, so every pipeline that referenced the action by tag rather than by commit hash silently picked up the malicious code on its next run.
LiteLLM's CI/CD pipeline ran Trivy, so the malicious release executed with access to the pipeline's secrets. The credential-stealing code in it captured LiteLLM's PyPI publishing tokens and exfiltrated them to the attacker.
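The control that addresses the tag rewrite described above is pinning every action to a full commit SHA instead of a tag or branch. The checker below is an added example written for this page, not Halborn's, LiteLLM's or the Trivy project's code; it flags `uses:` references in a GitHub Actions workflow that resolve through a mutable ref. The sample workflow, its refs and the placeholder SHA are constructed for illustration.

```python
"""Flag GitHub Actions steps that are not pinned to an immutable commit SHA.

Added example for this write-up, not LiteLLM's or Halborn's code. A `uses:`
reference such as owner/repo@v1 resolves through a git tag that the repository
owner (or an attacker with push access) can move; a 40-hex commit SHA cannot be
moved. The sample workflow below is constructed for illustration.
"""
import re

# `uses: owner/repo[/subdir]@ref`, optionally quoted, optionally followed by a comment.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*["']?(?P<action>[^\s@"'#]+)@(?P<ref>[^\s"'#]+)""", re.MULTILINE
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return [(action, ref), ...] for steps whose ref is a tag or branch rather than a full SHA."""
    unpinned = []
    for match in USES_RE.finditer(workflow_text):
        action, ref = match.group("action"), match.group("ref")
        if action.startswith(("./", "docker://")):
            continue  # local and container actions are not resolved through git refs
        if not FULL_SHA_RE.match(ref):
            unpinned.append((action, ref))
    return unpinned


# Constructed sample: one step pinned to a placeholder SHA, two pinned to mutable refs.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scanner pinned to a commit (placeholder SHA, not a real commit)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # 0.x.y
      - name: Scanner pinned to a branch that anyone with push access can move
        uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref} (pin to a full commit SHA and keep the version in a comment)")
```

Run it over every file under .github/workflows/ as a CI gate. SHA pinning counters exactly the step used here, moving a tag to malicious code, but it does not cover anything an action downloads at runtime, so the pinned action still has to be reviewed on each bump.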
With valid PyPI tokens, the attacker could publish their own LiteLLM releases. The first, v1.82.7, hid the malware in the package's proxy_server.py, so it ran whenever litellm.proxy was imported. The second, v1.82.8, added a litellm_init.pth file to site-packages. The interpreter processes every .pth file in site-packages at startup and executes any line that begins with import, so from that version on the payload ran as soon as any Python interpreter started in that environment, whether or not the application ever touched LiteLLM.
The malware included in the package had three main components:
- Credential harvesting that searched configuration files for plaintext credentials
- Kubernetes lateral movement: if a Kubernetes service account token was present on the compromised machine, the malware read all cluster secrets and attempted to start an alpine:latest pod on every node with the host filesystem mounted
- A persistent backdoor at ~/.config/sysmon/sysmon.py, registered as a systemd user service, that polled for additional payloads
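A host triage script for the indicators described above, written as an added example for this page (not Halborn's, LiteLLM's or the malware's code). It lists the site-packages .pth lines the interpreter would execute at startup, which is the mechanism litellm_init.pth abused, checks for the ~/.config/sysmon/sysmon.py script and any systemd user service that references it, and compares the installed litellm version with the two malicious releases. The suspicious-keyword heuristic, the unit file name, and the sample tree built by build_sample_tree() are assumptions constructed for illustration.

```python
"""Triage a host for the LiteLLM malware indicators described in this write-up.

Added example, not Halborn's or LiteLLM's code. Checks:
  1. site-packages .pth files: site.py executes every line that starts with
     "import " at interpreter start, which is how litellm_init.pth ran its payload
  2. the ~/.config/sysmon/sysmon.py backdoor and systemd user units referencing it
  3. whether the installed litellm is one of the two malicious releases
The suspicious-keyword heuristic, the unit-file naming and the sample tree in
build_sample_tree() are assumptions constructed for illustration.
"""
import re
import site
import tempfile
from importlib import metadata
from pathlib import Path

MALICIOUS_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}
BACKDOOR_SCRIPT = Path(".config/sysmon/sysmon.py")
USER_UNIT_DIR = Path(".config/systemd/user")  # where systemd looks for per-user services

# Legitimate import lines in .pth files are short and name a module; a payload
# typically needs one of these to decode or run itself (heuristic, assumption).
SUSPICIOUS_PTH = re.compile(r"\b(exec|eval|compile|base64|b64decode|subprocess|urlopen|socket)\b")


def scan_pth_files(site_packages_dirs):
    """Return (path, line_number, suspicious, line) for every executable .pth line."""
    findings = []
    for directory in site_packages_dirs:
        for pth in sorted(Path(directory).glob("*.pth")):
            for number, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
                if not line.startswith(("import ", "import\t")):
                    continue  # plain path entries are only added to sys.path, never run
                suspicious = bool(SUSPICIOUS_PTH.search(line)) or len(line) > 200
                findings.append((str(pth), number, suspicious, line))
    return findings


def check_backdoor(home):
    """Return indicators of the ~/.config/sysmon/sysmon.py persistence under `home`."""
    home = Path(home)
    hits = []
    script = home / BACKDOOR_SCRIPT
    if script.exists():
        hits.append(f"backdoor script present: {script}")
    unit_dir = home / USER_UNIT_DIR
    if unit_dir.is_dir():
        for unit in sorted(unit_dir.glob("*.service")):
            if "sysmon" in unit.read_text(errors="replace"):
                hits.append(f"user service references sysmon: {unit}")
    return hits


def check_litellm_version(version=None):
    """Return a warning if litellm (installed, or the given version) is a malicious release."""
    if version is None:
        try:
            version = metadata.version("litellm")
        except metadata.PackageNotFoundError:
            return None
    if version in MALICIOUS_LITELLM_VERSIONS:
        return f"litellm {version} is a known-malicious release: remove it and rotate every credential it could read"
    return None


def triage(home, site_packages_dirs, litellm_version=None):
    """Run all three checks and return them as one report."""
    return {
        "pth": scan_pth_files(site_packages_dirs),
        "backdoor": check_backdoor(home),
        "litellm": check_litellm_version(litellm_version),
    }


def build_sample_tree(root):
    """Construct a fake home directory with one benign and one malicious .pth plus the backdoor."""
    root = Path(root)
    sp = root / "site-packages"
    sp.mkdir(parents=True)
    (sp / "easy-install.pth").write_text("/opt/example\n")  # path entry, never executed
    (sp / "litellm_init.pth").write_text(  # constructed stand-in for the real file
        "import base64, sys; exec(base64.b64decode('cHJpbnQoKQ=='))\n")
    (root / ".config/sysmon").mkdir(parents=True)
    (root / ".config/sysmon/sysmon.py").write_text("# placeholder, not the real backdoor\n")
    (root / USER_UNIT_DIR).mkdir(parents=True)
    (root / USER_UNIT_DIR / "sysmon.service").write_text(  # unit name is an assumption
        "[Service]\nExecStart=/usr/bin/python3 %h/.config/sysmon/sysmon.py\n")
    return root


def demo():
    """Triage the constructed sample tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return triage(root, [root / "site-packages"], litellm_version="1.82.8")


if __name__ == "__main__":
    print(demo())
    # On a real host: triage(Path.home(), site.getsitepackages() + [site.getusersitepackages()])
```

A .pth file carrying an import line is not malicious by itself (setuptools ships one), so the scan reports every executable line and only marks the ones that match the heuristic; review each hit rather than deleting blindly. Run the real-host call from an interpreter that is not itself the compromised one, for example a fresh system Python, since a malicious .pth runs before your script does.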
TeamPCP allegedly partnered with Lapsus$ to monetize the stolen data. The attack was discovered because a bug in the malicious code behaved like a fork bomb: runaway processes exhausted resources and crashed affected systems, which drew attention to the package.
Lessons Learned from the Attack
The LiteLLM hack is one of several supply chain attacks built to expand the attacker's reach: each infected package steals fresh credentials when it is installed and run on developer machines and CI systems, and those credentials are then used to compromise the next target. This incident was allegedly Phase 09 of an ongoing TeamPCP campaign.
These attacks succeed because credentials are often stored insecurely, for example as plaintext in configuration files, or are long-lived enough to remain useful once stolen. Secrets management practices limit both the exposure and the blast radius: keep credentials in a vault rather than in files, prefer short-lived tokens (for PyPI, trusted publishing via OIDC instead of long-lived API tokens), rotate credentials on a schedule and immediately after any incident, and scope each credential to the minimum access it needs. Developers should also maintain an inventory of their third-party dependencies, including CI actions, pin them to immutable references, and track advisories so that compromised versions can be identified and removed quickly.
Halborn’s AI security services help to identify and fix security flaws in AI-powered tools, helping organizations to implement security best practices and lock down CI/CD pipelines. Get in touch to find out more.
