TeamPCP, a group previously linked to high-impact supply chain attacks, has compromised the popular Python library litellm on PyPI. The package gets over 95 million downloads a month. Following earlier breaches involving Aqua Security's Trivy and Checkmarx's KICS tools, this incident is a further escalation in the group's campaign against developer and security ecosystems.

Malicious Package Injection on PyPI

Security researchers found that litellm versions 1.82.7 and 1.82.8, both released on March 24, 2026, contained hidden malware. The library, which is often used to unify API calls across many different large language model (LLM) providers, made an attractive entry point into developer environments. In version 1.82.7, the attackers inserted a 12-line obfuscated base64 payload into the proxy_server.py file.

The code decoded itself, wrote the result to a temporary file, and ran it through a subprocess instead of using easily detectable functions like exec(). This made it hard for static analysis tools to find. The payload executed as soon as the library was imported.

Version 1.82.8 added a stealthier mechanism: a malicious .pth file (litellm_init.pth). The Python interpreter automatically runs .pth files when it starts up, so the malware runs silently in the background whenever any Python script runs, even if litellm is never directly imported.

The malware uses a structured three-stage payload designed to persist on the system, steal credentials, and move laterally.

Stage one drives the whole operation. It decrypts hidden scripts, gathers private information, encrypts it with AES-256-CBC and RSA-4096, and packs it all into a file called tpcp.tar.gz. The archive is then uploaded to attacker-controlled infrastructure behind a domain made to look legitimate, models.litellm.cloud.

Stage two focuses on gathering and expanding credentials. The malware looks for SSH keys, cloud credentials (AWS, Azure, GCP), CI/CD secrets, .env files, and cryptocurrency wallets on infected systems. It includes AWS SigV4 request signing, which lets it interact directly with AWS Secrets Manager. If a Kubernetes service account token is found, the malware deploys privileged pods across the cluster and mounts host filesystems to take full control.

Stage three establishes persistence. A systemd user service called "System Telemetry Service" is set up and pretends to be a PostgreSQL process by using the name "/tmp/pglog". Every 50 minutes, the backdoor contacts command-and-control servers. It checks a local state file and even has a "youtube.com" kill switch to avoid being found during analysis.

Organizations should treat this as a serious supply chain breach and check their environments right away to see whether they are at risk.

Affected versions: litellm 1.82.7 and 1.82.8, both since removed from PyPI.
Safe version: roll back to 1.82.6.
Suspicious domains: models.litellm.cloud and checkmarx.zone.
Malicious files: ~/.config/sysmon/sysmon.py and ~/.config/systemd/user/sysmon.service.
Artifacts: unexpected tpcp.tar.gz files in temporary directories.

Endor Labs says that the attackers released version 1.82.8 just 13 minutes after 1.82.7. This shows that their malware is being actively updated in real time. This campaign is part of TeamPCP's larger plan to target trusted developer tools in order to steal credentials and move between ecosystems, such as GitHub Actions, Docker Hub, npm, OpenVSX, and now PyPI.
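As an added example (not from the original report or from the litellm project), the following Python script sweeps a host for the file-based indicators listed above. The function name scan, the script name check.py and the dist-info directory check are assumptions of this example; the versions and file names are the ones given in the article.

```python
"""Added example: sweep a host for the indicators named in this article."""
import os
import site
import tempfile
from pathlib import Path

BAD_VERSIONS = ("1.82.7", "1.82.8")   # compromised releases, per the article
PTH_NAME = "litellm_init.pth"         # startup hook shipped in 1.82.8
PERSISTENCE = (".config/sysmon/sysmon.py",
               ".config/systemd/user/sysmon.service")
ARCHIVE = "tpcp.tar.gz"               # staging archive from stage one


def scan(site_dirs, home, tmp_dirs):
    """Return (kind, path) findings; inspects names only, never imports litellm."""
    findings = []
    for sp in map(Path, site_dirs):
        # Assumption: a pip/wheel install leaves litellm-<version>.dist-info.
        for ver in BAD_VERSIONS:
            meta = sp / f"litellm-{ver}.dist-info"
            if meta.is_dir():
                findings.append(("version", str(meta)))
        if (sp / PTH_NAME).is_file():
            findings.append(("pth", str(sp / PTH_NAME)))
    for rel in PERSISTENCE:
        if (Path(home) / rel).exists():
            findings.append(("persistence", str(Path(home) / rel)))
    for tmp in tmp_dirs:
        # os.walk skips unreadable directories instead of raising.
        for root, _dirs, files in os.walk(tmp):
            if ARCHIVE in files:
                findings.append(("archive", os.path.join(root, ARCHIVE)))
    return findings


if __name__ == "__main__":
    # Run as `python3 -S check.py` (hypothetical file name): -S skips site
    # initialisation, so a planted .pth file is not executed by the
    # interpreter doing the checking.
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    hits = scan(dirs, Path.home(), [tempfile.gettempdir()])
    for kind, path in hits:
        print(f"[!] {kind}: {path}")
    raise SystemExit(1 if hits else 0)
```

The script only covers the interpreter it runs under; pass the site-packages paths of other virtual environments to scan() as well.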

This attack's size and complexity show how open-source supply chains are becoming more dangerous. A single compromised dependency can spread to millions of systems.