The Python Package Index (PyPI) was hacked, and a popular open-source Python library was affected. Security companies Endor Labs and JFrog found a complex backdoor in versions 1.82.7 and 1.82.8 of the litellm package.
These versions route requests to different LLM providers and have over 95 million downloads each month. The bad code was put directly into the PyPI distribution, skipping the clean upstream GitHub repository. TeamPCP, a group that is known for going after high-level developer and security tools, is responsible for this supply chain attack.

The infection chain depends on running malicious code that is hidden in real library functions.
Attackers put a 12-line base64-encoded payload into the litellm/proxy/proxy_server.py file in version 1.82.7.
This code runs without making any noise when a module is imported. Version 1.82.8 makes the threat worse by adding a litellm_init.pth file to the root of the wheel. This second vector makes sure that the payload runs as a background process whenever Python is used in the compromised environment because Python automatically processes .pth files in site-packages at startup.
This means that the payload will still run even if the developer's code never explicitly imports litellm.

Versions of the affected package

| Package Name | Version | Publication Date | Injection Vector | Status |
|---|---|---|---|---|
| litellm | 1.82.7 | 2026-03-24 | proxy_server.py (at import time) | Removed |
| litellm | 1.82.8 | 2026-03-24 | proxy_server.py + litellm_init.pth (starting the interpreter) | |

Note: The last version that was known to be clean is litellm 1.82.6.

When run, the payload starts a three-stage attack sequence that is very aggressive.
The first orchestrator script unpacks a full credential harvester that is meant to systematically scan the host system. It goes after SSH keys, cloud provider tokens for AWS, GCP, and Azure, database credentials, and cryptocurrency wallets. The stolen secrets are encrypted with a combination of AES-256-CBC and RSA-4096 and put into an archive called tpcp.tar.gz.
Then, they are sent to a domain controlled by an attacker that pretends to be a real project resource. The malware tries to move laterally within Kubernetes environments in addition to stealing credentials. If the harvester finds a Kubernetes service account token, it quickly lists all the nodes in the cluster and uses host-level access to deploy privileged alpine containers to each node.
Finally, the malware gives itself permanent access by dropping a systemd user service that looks like a system telemetry process. This backdoor keeps checking in with a second command-and-control server to get and run more binaries. This breach is the latest step up in a huge supply chain campaign run by TeamPCP.
In the last month, the group has successfully hacked five different ecosystems, such as GitHub Actions, Docker Hub, npm, and OpenVSX. By going after tools that focus on infrastructure and security, like Aqua Security's Trivy and Checkmarx's KICS, the attackers make sure their payloads run in very privileged environments full of production secrets.
Important Signs of Compromise (IoCs)

| Indicator | Type | Description |
|---|---|---|
| models.litellm.cloud | C2 Domain | Exfiltration endpoint for encrypted credential archives |
| checkmarx.zone/raw | C2 Endpoint | Payload delivery domain for the persistent backdoor |
| ~/.config/systemd/user/sysmon.service | Filesystem | Persistent systemd unit that hides the backdoor |
| tpcp.tar.gz | Archive | Archive name for exfiltrated host data |
| node-setup-* | Kubernetes | Privileged attacker pods set up in the kube-system namespace |

Companies that use litellm should check their environments right away. If the compromised versions are found, security teams must treat the environment as fully breached and start a full credential rotation protocol.
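
A defender-side check for the host indicators described above, added here as an example (it is not code from Endor Labs, JFrog or the litellm project). It reads installed litellm versions from dist-info directory names without importing the package, flags .pth files containing the import lines that Python executes at startup, and looks for the sysmon.service unit; the function names and the constructed sample directory tree are assumptions for illustration.

```python
import tempfile
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # versions named in the article
BAD_PTH = "litellm_init.pth"  # file added to the root of the 1.82.8 wheel
UNIT = ".config/systemd/user/sysmon.service"  # persistence unit from the IoC table

def executable_pth_lines(pth):
    """Lines site.py passes to exec() at startup: those starting with 'import'."""
    text = pth.read_text(encoding="utf-8", errors="replace")
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]

def litellm_versions(site_dir):
    """Versions read from dist-info directory names; litellm is never imported."""
    dirs = site_dir.glob("litellm-*.dist-info")
    return sorted(d.name.removeprefix("litellm-").removesuffix(".dist-info") for d in dirs)

def audit(site_dirs, home):
    """Return human-readable findings for the given site-packages dirs and home dir."""
    findings = []
    for sd in site_dirs:
        for v in litellm_versions(sd):
            if v in BAD_VERSIONS:
                findings.append(f"compromised litellm {v} in {sd}")
        for pth in sorted(sd.glob("*.pth")):
            if pth.name == BAD_PTH:
                findings.append(f"known-bad .pth file: {pth}")
            elif executable_pth_lines(pth):
                # Legitimate packages ship such lines too: review, don't assume malice.
                findings.append(f"review executable .pth: {pth}")
    if (home / UNIT).exists():
        findings.append(f"persistence unit present: {home / UNIT}")
    return findings

def demo():
    """Constructed sample environment; the .pth contents are harmless stand-ins."""
    with tempfile.TemporaryDirectory() as tmp:
        sp, home = Path(tmp, "site-packages"), Path(tmp, "home")
        (sp / "litellm-1.82.8.dist-info").mkdir(parents=True)
        (sp / BAD_PTH).write_text("import os\n")
        (sp / "paths.pth").write_text("../src\n")  # plain path entry, never executed
        (sp / "tool.pth").write_text("import sys\n")
        (home / UNIT).parent.mkdir(parents=True)
        (home / UNIT).write_text("[Unit]\n")
        return audit([sp], home)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Point audit() at the site-packages directories of the environment under review, and run it with python -S from an interpreter outside that environment so the scanner's own startup does not process the .pth files.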












