SECURITY
A new report out today from cybersecurity company Forcepoint LLC’s X-Labs research team details a supply chain attack that compromised LiteLLM, a widely used open-source Python library that serves as a unified gateway to more than 100 large language model providers, turning two malicious releases of the package into a credential-stealing tool aimed at cloud and artificial intelligence environments.
The attack, attributed to a threat actor group tracked as TeamPCP, pushed malicious versions 1.82.7 and 1.82.8 of LiteLLM to the Python Package Index. The compromise did not stem from a breach of LiteLLM’s source code repository. Instead, the attackers reached the package through its build pipeline after first poisoning Trivy, a popular open-source vulnerability scanner used in LiteLLM’s continuous integration and deployment workflow.
According to Forcepoint, TeamPCP had previously taken over Trivy by spoofing legitimate maintainer identities and pushing impersonated commits, then triggered the project’s automated release pipeline to distribute backdoored binaries through GitHub Releases, Docker Hub and Amazon ECR. When LiteLLM’s continuous integration/continuous delivery job pulled the compromised Trivy build, the malicious binary scraped the runner’s memory and exfiltrated a PYPI_PUBLISH token. The attackers used the stolen credentials to publish their own LiteLLM releases directly to PyPI.
The two malicious versions used different injection techniques. Version 1.82.7 carried a Base64-encoded payload embedded inside proxy_server.py that executed when the LiteLLM proxy started. Version 1.82.8 took a stealthier approach, dropping a litelllm_init.pth file into site-packages so the payload ran at Python interpreter startup on every subsequent process, regardless of whether LiteLLM was ever explicitly imported. A standard “pip install” of the tainted release was enough to activate it.
Once active, the payload scanned environment variables and configuration files for cloud and AI service credentials. Targets included OpenAI Group PBC, Anthropic PBC and Microsoft Azure API keys, along with Amazon Web Services Inc., Google Cloud and Azure SDK credentials. The malware also pulled local kubeconfig files and AWS credential files from user home directories.
The collected data was encrypted with a 32-byte AES-256-CBC session key derived through PBKDF2, packed into a file named tpcp.tar.gz and exfiltrated over curl to a domain at models.litellm.cloud, an attacker-controlled lookalike of the legitimate LiteLLM domain.
Forcepoint says that the malware also installed a polling backdoor called Sysmon.py for persistence. The script sleeps for 300 seconds on first run, then checks a remote URL at checkmarx.zone every 50 minutes for fresh instructions, downloading any returned binary to /tmp/pglog and executing it as a background process.
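As an added defensive check (example code written for this article, not Forcepoint's, LiteLLM's or TeamPCP's code), the following Python triages two of the indicators described above: an installed LiteLLM version equal to one of the two malicious releases, and .pth files in site-packages that carry import lines, which site.py executes at every interpreter start. The sample .pth contents are constructed, and the scan function's assumption that site-packages directories appear on sys.path is mine.

```python
import sys
from pathlib import Path

# Release numbers the report names as malicious.
COMPROMISED_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}
# Dropper filename the report names (note the triple "l").
KNOWN_BAD_PTH_NAMES = {"litelllm_init.pth"}

# Constructed sample .pth contents for the checks below (not real files).
BENIGN_PTH = "/opt/venv/lib/python3.11/site-packages/mypkg\n# a comment\n"
SUSPICIOUS_PTH = "import base64, sys; exec(base64.b64decode('PLACEHOLDER'))\n"


def is_compromised_litellm_version(version: str) -> bool:
    """True if an installed LiteLLM version string is one of the two bad releases."""
    return version.strip() in COMPROMISED_LITELLM_VERSIONS


def executable_pth_lines(text: str) -> list:
    """Return the lines of a .pth file that site.py will exec() at startup.

    site.py runs any line beginning with 'import' followed by a space or tab;
    every other non-comment line is only appended to sys.path. A startup
    persistence dropper of the kind described above depends on such a line.
    """
    return [line.rstrip() for line in text.splitlines()
            if line.startswith(("import ", "import\t"))]


def triage_pth(name: str, text: str) -> dict:
    """Classify one .pth file by filename and by whether it carries code."""
    return {"name": name,
            "known_bad_name": name in KNOWN_BAD_PTH_NAMES,
            "exec_lines": executable_pth_lines(text)}


def scan_site_packages(dirs=None) -> list:
    """Return triage records for .pth files in real site-packages dirs that
    merit a look. Assumes site-packages entries appear on sys.path. Some
    legitimate files (e.g. setuptools' distutils-precedence.pth) also use
    import lines, so treat a hit as a lead to inspect, not a verdict."""
    dirs = dirs or [p for p in sys.path if p.endswith("site-packages")]
    findings = []
    for base in dirs:
        if not Path(base).is_dir():
            continue
        for pth in Path(base).glob("*.pth"):
            record = triage_pth(pth.name, pth.read_text(errors="replace"))
            if record["known_bad_name"] or record["exec_lines"]:
                findings.append(record)
    return findings
```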
“What makes this campaign uniquely dangerous for AI and ML teams is the nature of the target,” Prashant Kumar, senior researcher at Forcepoint X-Labs, wrote in the report. “LiteLLM functions as a unified gateway to major AI providers, meaning a single compromise gave attackers simultaneous access to OpenAI, Anthropic and Azure credentials. Losing one library effectively means losing access control across multiple connected AI providers at once.”
The compromise echoes a parallel investigation by Datadog Inc.’s Security Labs, which in March linked the same TeamPCP campaign to a second malicious PyPI publication targeting Telnyx Inc.’s Python software development kit.
Writing in a guest column for SiliconANGLE last week, Secure Code Warrior Ltd. Chief Technology Officer Matias Madou argued that the attack detailed by Datadog marked the first successful weaponization of security and developer infrastructure with elevated access privileges. AI middleware such as LiteLLM should now be treated as critical infrastructure in enterprise governance frameworks, he wrote.