Malicious LiteLLM versions linked to TeamPCP supply chain attack
Source: Mastodon
Malicious versions of the popular Python library LiteLLM have been discovered on PyPI, confirming a new supply‑chain attack by the threat group known as TeamPCP. The compromised packages – LiteLLM 1.82.7 and 1.82.8 – were uploaded in early March and contain hidden code that opens a reverse shell and exfiltrates environment variables, including API keys for OpenAI, Anthropic and other large‑language‑model providers. The backdoor activates when the library is imported, a common step in CI/CD pipelines that automate LLM‑driven applications.
TeamPCP has already been linked to high‑profile compromises of security tools such as Aqua Security’s Trivy scanner and the KICS IaC analyzer. By targeting LiteLLM, the actors move from “security‑tool” abuse to the AI‑tooling stack itself, widening the attack surface for developers who rely on the library to interface with LLMs. Because LiteLLM is a thin wrapper used in countless open‑source projects and commercial services, the malicious code could propagate silently across a broad swathe of the Nordic AI ecosystem, where rapid prototyping and continuous deployment are the norm.
The incident underscores lingering weaknesses in the Python package ecosystem: mutable version tags, lack of mandatory package signing, and over‑reliance on static scanners that may miss deliberately obfuscated payloads. Security researchers advise immediate removal of the tainted releases, verification of any downstream dependencies, and rotation of all exposed credentials. Organizations should also consider reproducible builds and adopt PEP 458/480‑style signing mechanisms.
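The two practical steps above, checking downstream dependencies for the tainted releases and inventorying which credentials need rotation, can be scripted. The following is an added example written for this page, not code from the article or from the LiteLLM project; the version numbers come from the article, the sample requirements file is constructed, and the env-var name patterns are an assumption about what typical LLM credentials are called.

```python
"""Flag the LiteLLM releases named in the article in requirement/lock files and
in the running interpreter, and list (by name only) the environment variables
that would need rotation if such a release was ever imported.
Added example; not code from the article or the LiteLLM project."""
import re
from importlib import metadata

# Versions the article identifies as the malicious uploads.
COMPROMISED_LITELLM = {"1.82.7", "1.82.8"}

# Matches a pinned requirement such as "litellm==1.82.7" or "LiteLLM == 1.82.8 ; ..."
# (pip freeze, requirements.txt and most lock exports use this form).
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.+-]*)")

# Assumed naming convention for secrets (OPENAI_API_KEY, GITHUB_TOKEN, ...).
_SECRET_NAME_RE = re.compile(r"(API_KEY|SECRET|TOKEN|PASSWORD)$", re.IGNORECASE)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_compromised_pins(lines, bad_versions=COMPROMISED_LITELLM):
    """Return (line_number, version) for every pin of litellm at a compromised version."""
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.split("#", 1)[0]  # drop trailing comments before matching
        m = _PIN_RE.match(line)
        if not m:
            continue
        name, version = m.group(1), m.group(2)
        if normalize_name(name) == "litellm" and version in bad_versions:
            hits.append((lineno, version))
    return hits


def installed_litellm_is_compromised(bad_versions=COMPROMISED_LITELLM):
    """Check this interpreter's site-packages; return the version if it is tainted, else None."""
    try:
        version = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None
    return version if version in bad_versions else None


def credential_names_to_rotate(environ):
    """Names (never values) of env vars a credential-stealing import would have seen."""
    return sorted(k for k in environ if _SECRET_NAME_RE.search(k))


# Constructed sample requirements file for the example (not from any real project).
SAMPLE_REQUIREMENTS = [
    "# constructed sample requirements.txt",
    "openai==1.30.0",
    "litellm==1.82.7   # pinned during the affected window",
    "requests>=2.31",
    "LiteLLM == 1.82.8",
    "litellm==1.82.6",
]

# Constructed sample environment (values are placeholders, not real keys).
SAMPLE_ENV = {
    "OPENAI_API_KEY": "placeholder",
    "ANTHROPIC_API_KEY": "placeholder",
    "GITHUB_TOKEN": "placeholder",
    "PATH": "/usr/bin",
}

if __name__ == "__main__":
    for lineno, version in find_compromised_pins(SAMPLE_REQUIREMENTS):
        print(f"requirements line {lineno}: litellm=={version} is a compromised release")
    tainted = installed_litellm_is_compromised()
    print("installed litellm:", f"compromised ({tainted})" if tainted else "not a listed bad version")
    print("rotate:", ", ".join(credential_names_to_rotate(SAMPLE_ENV)))
```

Run it against `pip freeze` output or a requirements file in a CI job so a tainted pin fails the build; the environment check reports names only, so its output can be attached to an incident ticket without leaking the secrets themselves.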
What to watch next: PyPI’s response, including whether the compromised uploads are permanently removed and replaced with signed releases; any disclosure of exploitation in the wild; and whether TeamPCP expands the campaign to other AI‑related packages such as LangChain or HuggingFace Transformers. The episode is likely to accelerate calls for stricter supply‑chain hygiene across the European and Nordic AI developer communities.