TeamPCP, the group that compromised Trivy and KICS, has now compromised the popular Python package litellm. It did so by publishing two malicious versions that bundled a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor.

Several security companies, including Endor Labs and JFrog, reported that litellm versions 1.82.7 and 1.82.8, published on March 24, 2026, carried the malicious code. The compromise is probably linked to the project's use of Trivy in its CI/CD workflow. The backdoored versions have since been removed from PyPI.

According to Endor Labs researcher Kiran Raj, "The payload is a three-stage attack: a credential harvester sweeping SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files; a Kubernetes lateral movement toolkit deploying privileged pods to every node; and a persistent systemd backdoor (sysmon.service) polling 'checkmarx[.]zone/raw' for additional binaries." As in the earlier incidents, the stolen data is exfiltrated to a command-and-control domain, "models.litellm[.]cloud", as an encrypted archive named "tpcp.tar.gz" via an HTTPS POST request.

TeamPCP has described the campaign as "a long-term operation that focuses on high-leverage points in the software supply chain." In a message on its Telegram channel, the group said, "These companies were built to protect your supply chains, but they can't even protect their own. The state of modern security research is a joke. As a result, we're going to be around for a long time stealing terrabytes [sic] of trade secrets with our new partners."

"The snowball effect from this will be huge. We are already working with other teams to keep the chaos going. Many of your favorite security tools and open-source projects will be targeted in the coming months, so stay tuned," the threat actor added.

Users are advised to take the following steps to contain the threat: check all environments for litellm versions 1.82.7 or 1.82.8 and, where found, roll back to a clean version; isolate affected hosts; look for rogue pods in Kubernetes clusters; review network logs for outbound traffic to "models.litellm[.]cloud" and "checkmarx[.]zone"; remove any persistence mechanisms; audit CI/CD pipelines to determine whether tools like Trivy and KICS were used during the compromise windows; and rotate and revoke all exposed credentials.

Gal Nagli, who heads threat exposure at Google-owned Wiz, said in a post on X that "the open source supply chain is collapsing in on itself."

"Trivy gets hacked, then LiteLLM gets hacked, and then the hacker gets the credentials from tens of thousands of environments. These credentials then lead to the next hack. We're stuck in a loop."
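The host-level checks in the advice above (affected versions, the sysmon.service persistence unit, outbound traffic to the two domains) can be scripted for triage. The following is an added example written for this page, not code from the article, litellm or any of the vendors quoted; the indicator values come from the reporting above, while the function names, the systemd search paths and the sample log lines are my own assumptions.

```shell
#!/bin/sh
# Added triage helper; not code from the article, litellm or TeamPCP.
# Indicators (versions, unit name, domains) come from the reporting; paths and names are assumptions.
AFFECTED_VERSIONS="1.82.7 1.82.8"
BACKDOOR_UNIT="sysmon.service"

# is_affected_version VERSION -> exit 0 if VERSION is one of the backdoored releases
is_affected_version() {
  for v in $AFFECTED_VERSIONS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}
# installed_litellm_version -> prints the version pip reports for litellm, or nothing
installed_litellm_version() {
  pip show litellm 2>/dev/null | awk '/^Version:/ { print $2 }'
}
# ioc_hits LOGFILE -> prints lines naming either indicator domain; exit 0 only if any matched
ioc_hits() {
  grep -F -e "models.litellm.cloud" -e "checkmarx.zone" "$1"
}
# persistence_present -> exit 0 if a systemd unit with the backdoor's name exists.
# The name alone is not proof (legitimate software may use it); read its ExecStart before acting.
persistence_present() {
  for dir in /etc/systemd/system /usr/lib/systemd/system /lib/systemd/system; do
    [ -e "$dir/$BACKDOOR_UNIT" ] && return 0
  done
  return 1
}
# write_sample_log FILE -> constructed proxy log (not real data) for a dry run of ioc_hits
write_sample_log() {
  printf '%s\n' 'Mar 24 10:01:02 host proxy: CONNECT models.litellm.cloud:443' \
    'Mar 24 10:01:05 host proxy: GET pypi.org/simple/litellm/' \
    'Mar 24 10:02:00 host curl: GET checkmarx.zone/raw' > "$1"
}

# triage_host LOGFILE... -> runs every check, prints alerts, exit 1 if anything needs attention
triage_host() {
  rc=0
  ver=$(installed_litellm_version)
  if [ -n "$ver" ] && is_affected_version "$ver"; then
    echo "ALERT: litellm $ver is a backdoored release; roll back to a clean version"; rc=1
  fi
  persistence_present && { echo "ALERT: $BACKDOOR_UNIT present; inspect it"; rc=1; }
  for log in "$@"; do
    ioc_hits "$log" >/dev/null && { echo "ALERT: indicator domains seen in $log"; rc=1; }
  done
  return $rc
}
```

Run it as `triage_host /var/log/proxy.log` (or any log path you export from your egress proxy); a non-zero exit means at least one check fired and the host should be treated as affected until cleared.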