What Happened
TeamPCP, the threat actor behind supply chain compromises of Trivy and KICS earlier this month, injected malicious code into LiteLLM versions 1.82.7 and 1.82.8 on PyPI on March 24, 2026. The compromise traces back to a vulnerable Trivy component embedded in LiteLLM’s CI/CD security scanning pipeline — the same vector used in the earlier Trivy attack.
The malicious payload executes in three stages. First, a credential harvester sweeps the compromised environment for SSH keys, cloud provider credentials, Kubernetes secrets, cryptocurrency wallets, and .env files, then exfiltrates them to attacker-controlled infrastructure. Second, a Kubernetes lateral movement toolkit deploys privileged pods to every node in an affected cluster. Third, a persistent systemd backdoor establishes long-term access to the host system, surviving reboots and package removal.
The two compromised packages have been removed from PyPI. Users running LiteLLM Proxy via the official Docker image were not affected, as Docker deployments pin dependencies independently of PyPI.
Why This Matters for Canadian Organizations
LiteLLM is present in 36% of cloud environments. Canadian technology companies, AI developers, cloud-native teams, and organizations integrating large language models into their workflows are at risk if they installed LiteLLM from PyPI via pip between March 24 and 25, 2026.
The attack targets the AI tooling supply chain — an area growing rapidly across Canadian industry, academic research, and government. Kubernetes environments face the highest risk given the lateral movement component. A compromised .env file exposes cloud API keys, database connection strings, and service credentials typically shared across an entire application stack — giving attackers broad access from a single harvested file.
This is the third confirmed supply chain attack by TeamPCP in March 2026. The pattern indicates an organized, ongoing campaign against developer and security tooling. Canadian organizations adopting open-source AI infrastructure face elevated supply chain risk in this environment.
What to Do
Audit pip install history for LiteLLM versions 1.82.7 and 1.82.8. If either version was installed, treat the affected environment as compromised and rotate every credential it could reach: cloud API keys, SSH keys, Kubernetes service accounts, and database passwords. Review systemd service definitions for unexpected entries. Audit Kubernetes pod deployments for privileged pods created after March 24, 2026. Pin LiteLLM and its dependencies to verified versions, and review all CI/CD pipeline dependencies for indirect exposure to Trivy or KICS.
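The three checks above (installed version, privileged pods since the injection date, and unexpected systemd units) can be scripted against the outputs a responder already collects. The following is an added triage example written for this advisory, not code from The Hacker News or the LiteLLM project. It parses the JSON printed by pip list --format=json and kubectl get pods -A -o json plus raw systemd unit text; the sample inputs embedded below are constructed for illustration, and the ExecStart path heuristic is an assumption chosen to surface units for manual review rather than a known indicator from the advisory.

```python
"""Triage helpers for the LiteLLM 1.82.7 / 1.82.8 advisory (added example).

Inputs: the JSON that `pip list --format=json` and `kubectl get pods -A -o json`
print, plus systemd unit file text. The samples at the bottom are constructed.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

# Versions named in the advisory.
AFFECTED_VERSIONS = {"1.82.7", "1.82.8"}
# Date the malicious releases were published, per the advisory.
INJECTION_DATE = datetime(2026, 3, 24, tzinfo=timezone.utc)

# Assumed heuristic: legitimate services rarely execute from temp or shared-memory
# paths. A match means "review this unit by hand", not "this unit is malicious".
SUSPICIOUS_EXEC_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def affected_packages(pip_list_json: str) -> list[str]:
    """Return 'name==version' for every LiteLLM install at a compromised version."""
    hits = []
    for pkg in json.loads(pip_list_json):
        # PyPI names are case-insensitive and treat '_' and '-' alike.
        name = pkg["name"].lower().replace("_", "-")
        if name == "litellm" and pkg["version"] in AFFECTED_VERSIONS:
            hits.append(f"{pkg['name']}=={pkg['version']}")
    return hits


def privileged_pods_since(pods_json: str, since: datetime = INJECTION_DATE) -> list[str]:
    """Return 'namespace/pod' for pods created on or after `since` that run at
    least one privileged container (init containers included)."""
    found = []
    for item in json.loads(pods_json).get("items", []):
        meta = item["metadata"]
        created = datetime.fromisoformat(meta["creationTimestamp"].replace("Z", "+00:00"))
        if created < since:
            continue
        spec = item["spec"]
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        if any((c.get("securityContext") or {}).get("privileged") for c in containers):
            found.append(f"{meta['namespace']}/{meta['name']}")
    return found


def suspicious_units(units: dict[str, str]) -> list[str]:
    """Given {unit_name: unit_file_text}, flag units whose Exec* directive runs a
    binary from one of SUSPICIOUS_EXEC_PREFIXES."""
    flagged = []
    for name, text in units.items():
        for line in text.splitlines():
            key, _, value = line.strip().partition("=")
            if key.strip() not in ("ExecStart", "ExecStartPre", "ExecStartPost"):
                continue
            value = value.strip()
            # Drop systemd's special prefix characters (@, -, :, +, !) before the path.
            cmd = value.lstrip("@-:+!").split()[0] if value else ""
            if cmd.startswith(SUSPICIOUS_EXEC_PREFIXES):
                flagged.append(name)
                break
    return flagged


# Constructed sample inputs; none of these names or paths come from the advisory.
SAMPLE_PIP_LIST = json.dumps([
    {"name": "litellm", "version": "1.82.7"},
    {"name": "requests", "version": "2.32.3"},
])

SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "ingress-0", "namespace": "kube-system",
                  "creationTimestamp": "2026-03-01T10:00:00Z"},
     "spec": {"containers": [{"name": "c", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "node-agent-abc12", "namespace": "default",
                  "creationTimestamp": "2026-03-24T18:30:00Z"},
     "spec": {"containers": [{"name": "c", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "web-1", "namespace": "default",
                  "creationTimestamp": "2026-03-25T08:00:00Z"},
     "spec": {"containers": [{"name": "c"}]}},
]})

SAMPLE_UNITS = {
    "nginx.service": "[Service]\nExecStart=/usr/sbin/nginx -g 'daemon off;'\n",
    "example-suspect.service": "[Service]\nExecStart=/tmp/.hidden/agent --daemon\n",
}

if __name__ == "__main__":
    # On a real host, feed the live outputs instead of the samples:
    #   pip list --format=json ; kubectl get pods -A -o json ; /etc/systemd/system/*.service
    print("affected packages:", affected_packages(SAMPLE_PIP_LIST))
    print("privileged pods since injection date:", privileged_pods_since(SAMPLE_PODS))
    print("units to review:", suspicious_units(SAMPLE_UNITS))
```

A pod hit from privileged_pods_since is a starting point, not a verdict: compare it against the cluster's known DaemonSets and admission logs before treating it as the lateral movement stage, and remember that the harvester stage leaves no pod behind at all, so a clean pod list does not clear a host on which an affected version was installed.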
Source: The Hacker News