Executive Summary
In March 2026, the threat group TeamPCP executed a sophisticated supply chain attack targeting LiteLLM, a widely used Python package facilitating unified access to various large language models. By compromising LiteLLM's PyPI repository credentials—initially obtained through a prior breach of the Trivy security scanner—TeamPCP published malicious versions 1.82.7 and 1.82.8. These versions contained malware designed to harvest sensitive credentials, including SSH keys, cloud access tokens, and Kubernetes secrets, and to establish persistent backdoors within affected systems. The compromised packages were available for approximately three hours before removal, during which they were downloaded extensively, potentially impacting thousands of systems. This incident underscores the escalating threat posed by supply chain attacks, particularly those targeting widely adopted open-source tools integral to AI and cloud infrastructures. The rapid propagation and depth of access achieved by TeamPCP highlight the critical need for organizations to implement stringent security measures within their software development pipelines and to maintain vigilant monitoring of third-party dependencies.
Why This Matters Now
The LiteLLM supply chain attack exemplifies the growing sophistication and prevalence of threats targeting open-source software integral to AI and cloud infrastructures. Organizations must prioritize securing their software supply chains to prevent similar breaches.
Attack Path Analysis
TeamPCP compromised the LiteLLM Python package, injecting malware that harvested credentials from developer machines upon installation. These stolen credentials enabled the attackers to escalate privileges within cloud environments, facilitating lateral movement across Kubernetes clusters. The malware established command and control channels to exfiltrate sensitive data, leading to significant data breaches and operational disruptions.
Kill Chain Progression
Initial Compromise
Description
TeamPCP compromised the LiteLLM Python package by injecting malicious code into versions 1.82.7 and 1.82.8, which were then distributed via PyPI.
Related CVEs
CVE-2026-33634
CVSS 8.8: Malicious code injection in Trivy GitHub Actions and Docker images allows unauthorized credential harvesting and remote code execution.
Affected Products:
Aqua Security Trivy – All versions prior to March 19, 2026
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Compromise Software Supply Chain
Compromise Software Dependencies and Development Tools
Credentials from Password Stores
File and Directory Discovery
OS Credential Dumping
Valid Accounts
Obfuscated Files or Information
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Developer workstations storing cached credentials create prime supply chain attack targets, enabling lateral movement and data exfiltration across software development lifecycles.
Information Technology/IT
IT infrastructure faces credential vault exploitation through compromised developer machines, requiring enhanced zero trust segmentation and egress security policy enforcement.
Financial Services
High-value financial systems accessed via developer credentials face regulatory compliance violations and data exfiltration risks through compromised workstation credential caching.
Health Care / Life Sciences
Healthcare developer environments storing HIPAA-protected data credentials enable threat actors to bypass encryption controls and achieve unauthorized patient data access.
Sources
- How LiteLLM Turned Developer Machines Into Credential Vaults for Attackers – https://thehackernews.com/2026/04/how-litellm-turned-developer-machines.html
- When the Security Scanner Became the Weapon: Inside the TeamPCP Supply Chain Campaign – https://www.sans.org/blog/when-security-scanner-became-weapon-inside-teampcp-supply-chain-campaign
- Supply chain attack via the Trivy and LiteLLM – https://www.kaspersky.com/blog/critical-supply-chain-attack-trivy-litellm-checkmarx-teampcp/55510/
- LiteLLM PyPI packages compromised in expanding TeamPCP supply chain attacks – https://www.helpnetsecurity.com/2026/03/25/teampcp-supply-chain-attacks/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting the attacker's ability to move laterally and exfiltrate data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may have limited the malware's ability to communicate with command and control servers, reducing the scope of the initial compromise.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have limited the malware's ability to escalate privileges by restricting access to sensitive resources.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely have constrained the attacker's lateral movement by enforcing strict communication policies between workloads.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control may have limited the establishment of command and control channels by providing real-time monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely have constrained data exfiltration by enforcing strict outbound traffic policies.
The implementation of CNSF controls may have reduced the overall impact by limiting the attacker's ability to access and exfiltrate sensitive data.
Impact at a Glance
Affected Business Functions
- Software Development
- Continuous Integration/Continuous Deployment (CI/CD)
- Cloud Infrastructure Management
Estimated downtime: 7 days
Estimated loss: $500,000
Exposure of sensitive credentials including SSH keys, cloud access tokens, Kubernetes configurations, and API keys.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within cloud environments.
- Deploy East-West Traffic Security controls to monitor and restrict internal traffic, preventing unauthorized lateral movement.
- Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activities across cloud platforms.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Regularly audit and rotate credentials, and implement secure storage practices to minimize the risk of credential theft.
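A first practical step behind the auditing action above is to find out whether the two compromised LiteLLM releases named in this report (1.82.7 and 1.82.8) are pinned in a project's requirements or actually installed in an environment, so that affected hosts can be rebuilt and their credentials rotated. The script below is an added example written for this page, not code from the report's authors, from Aviatrix or from the LiteLLM project. It assumes the caller passes requirements-file text (the sample below is constructed, and its `--hash` value is a placeholder) and optionally an injectable version lookup; installed versions otherwise come from `importlib.metadata`.

```python
"""Audit requirements text and the running interpreter for the compromised
LiteLLM releases (1.82.7 and 1.82.8) named in the report.

Added example for this page; not the report's or the LiteLLM project's code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from importlib import metadata

# Release identifiers come from the report; the dict shape allows adding
# other compromised packages from the same campaign if they are confirmed.
COMPROMISED_RELEASES = {"litellm": {"1.82.7", "1.82.8"}}

# Matches "name==version" from requirements.txt or `pip freeze` output,
# allowing extras (litellm[proxy]==1.82.7), whitespace, trailing comments,
# environment markers and hash continuation lines.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#\\]*)")


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    source: str  # "requirements:<line number>" or "installed"


def normalize(name: str) -> str:
    """PEP 503 name normalization so LiteLLM and litellm compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(text: str, label: str = "requirements") -> list[Finding]:
    """Return one Finding per pinned line that names a compromised release."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _PIN_RE.match(line)
        if not m:
            continue  # comments, unpinned specifiers, hash continuation lines
        name, version = normalize(m.group(1)), m.group(2)
        if version in COMPROMISED_RELEASES.get(name, ()):
            findings.append(Finding(name, version, f"{label}:{lineno}"))
    return findings


def scan_installed(version_of=None) -> list[Finding]:
    """Check what is actually installed in this interpreter.

    `version_of` maps a distribution name to its version string (or None when
    absent). It is injectable so the check is testable without installing
    anything; by default it queries importlib.metadata.
    """
    if version_of is None:
        def version_of(name: str):
            try:
                return metadata.version(name)
            except metadata.PackageNotFoundError:
                return None
    findings = []
    for name, bad_versions in COMPROMISED_RELEASES.items():
        installed = version_of(name)
        if installed in bad_versions:
            findings.append(Finding(name, installed, "installed"))
    return findings


def audit(requirements_text: str, version_of=None) -> list[Finding]:
    """Combine both checks; an empty list means no compromised pin or install."""
    return scan_requirements(requirements_text) + scan_installed(version_of)


# Constructed sample requirements for a hypothetical project (not real data).
SAMPLE_REQUIREMENTS = """\
# constructed sample, not from any real project
fastapi==0.110.0
LiteLLM[proxy]==1.82.7 \\
    --hash=sha256:PLACEHOLDER
openai==1.14.0
litellm==1.82.6   # earlier, unaffected pin kept for comparison
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS):
        print(f"COMPROMISED {f.package}=={f.version} ({f.source}): "
              "rebuild the environment and rotate any credentials it could read")
    else:
        print("scan complete")
```

A hit on the installed check should be treated as a credential-exposure event for that host, not just a package problem: per the report the malicious releases harvested SSH keys, cloud tokens and Kubernetes configurations on install, so rotation of everything the machine could read follows the reinstall.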