Executive Summary
In March 2026, the threat actor known as TeamPCP executed a supply chain attack by compromising the Continuous Integration/Continuous Delivery (CI/CD) pipeline of the Trivy project. This breach enabled them to inject malicious code into the litellm Python package, specifically versions 1.82.7 and 1.82.8. The tampered versions included a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor, posing significant risks to developers and organizations utilizing these packages.
This incident underscores the escalating trend of sophisticated supply chain attacks targeting open-source ecosystems. It highlights the critical need for organizations to implement stringent security measures within their CI/CD pipelines and to conduct thorough integrity checks on third-party packages to mitigate potential threats.
Why This Matters Now
The TeamPCP attack exemplifies the growing sophistication of supply chain threats, emphasizing the urgency for organizations to fortify their CI/CD environments and scrutinize third-party dependencies to prevent similar compromises.
Attack Path Analysis
TeamPCP compromised the CI/CD pipeline of the litellm package, injecting malicious code into versions 1.82.7 and 1.82.8. Upon installation, the backdoor harvested sensitive credentials and deployed a Kubernetes lateral movement toolkit, enabling the attacker to escalate privileges and move laterally across the cluster. The malware established persistent command and control channels, exfiltrated harvested data, and maintained access for further exploitation.
Kill Chain Progression
Initial Compromise
Description
TeamPCP compromised the CI/CD pipeline of the litellm package, injecting malicious code into versions 1.82.7 and 1.82.8.
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Command and Scripting Interpreter: Python
Event Triggered Execution: Python Library Hijacking
Application Layer Protocol: Web Protocols
Obfuscated Files or Information
System Information Discovery
Credentials from Password Stores
Encrypted Channel: Symmetric Cryptography
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the integrity of software and firmware components
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Application Security
Control ID: 500.08
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Data Security
Control ID: Pillar 3: Data
NIS2 Directive – Supply Chain Security
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
High risk from TeamPCP's supply chain attack on LiteLLM Python package, compromising CI/CD pipelines and threatening software development infrastructure with credential harvesting and backdoors.
Information Technology/IT
Critical exposure through compromised Kubernetes environments and lateral movement toolkits, requiring immediate egress security controls and zero trust segmentation to prevent privilege escalation attacks.
Computer/Network Security
Significant impact as security tools like Trivy and KICS were compromised, undermining trust in security scanning infrastructure and requiring enhanced threat detection capabilities.
Banking/Mortgage
Severe compliance risk due to potential HIPAA and PCI DSS violations arising from credential harvesting and data exfiltration through compromised development tools in regulated environments.
Sources
- TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 Likely via Trivy CI/CD Compromise: https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html (Verified)
- Threat Actors Exploit OpenVSX Aqua Trivy with Malicious AI Prompts to Hijack Local Coding Tools: https://www.cryptika.com/threat-actors-exploit-openvsx-aqua-trivy-with-malicious-ai-prompts-to-hijack-local-coding-tools/ (Verified)
- LiteLLM Vulnerable to Denial of Service (DoS) via Crafted HTTP Request: https://advisories.gitlab.com/pkg/pypi/litellm/CVE-2024-8984/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally within the Kubernetes cluster and exfiltrate sensitive data, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The initial compromise may have been detected earlier, potentially limiting the attacker's ability to deploy malicious code.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges within the cluster could have been constrained, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement across the cluster would likely have been limited, reducing the potential for widespread compromise.
Control: Multicloud Visibility & Control
Mitigation: The establishment of persistent command and control channels may have been detected and disrupted, limiting the attacker's ability to maintain access.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive data could have been constrained, reducing the risk of data loss.
The attacker's ability to maintain persistent access would likely have been limited, reducing the potential for further exploitation.
Impact at a Glance
Affected Business Functions
- Software Development
- Continuous Integration/Continuous Deployment (CI/CD)
- Application Security
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of API keys, credentials, and sensitive code repositories.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within Kubernetes clusters.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Multicloud Visibility & Control to detect anomalous interactions and repeated malformed requests indicative of compromise.
- Deploy Threat Detection & Anomaly Response mechanisms to identify and respond to covert tools and unauthorized remote access.
- Regularly audit and secure CI/CD pipelines to prevent supply chain compromises and ensure the integrity of software releases.