3.4M Daily Download Supply Chain Attack Exposes Critical Gap in Python Dependency Security
Key Takeaways
- A sophisticated supply chain attack compromised litellm (3.4M daily downloads) using .pth file injection, stealing credentials from an unknown number of developers, CI/CD systems, and cloud environments within a 3-hour window before detection
- Standard Python security tools (Dependabot, Snyk, pip-audit) have 24-48 hour detection lags, leaving a critical vulnerability window during which fresh malicious packages bypass all conventional defenses
- AI coding agents that auto-install dependencies without pre-install security verification represent a new attack surface, as they can propagate compromised packages at machine speed without human review
Summary
A coordinated supply chain attack by threat group TeamPCP compromised litellm, one of the most widely used AI tooling packages in the Python ecosystem with 3.4 million daily downloads, by injecting malicious .pth files that silently execute credential-stealing payloads at Python startup. The attack exploited a critical vulnerability in how Python processes site-packages files and went undetected for 3 hours before removal. During that window, standard security tools like Dependabot, Snyk, and pip-audit proved inadequate, as they operate with 24-48 hour detection lags.
The attack was part of a larger coordinated campaign that used stolen credentials from an initial Trivy compromise to escalate the litellm attack, exfiltrating SSH keys, AWS/GCP tokens, cryptocurrency wallets, and authentication credentials from affected CI/CD pipelines and developer machines. The incident highlights a critical blind spot in AI development workflows, where AI coding agents (Cursor, Claude Code, Codex) automatically install dependencies without verifying whether package versions have been compromised. In response, a new security tool called CodeGuard Pro was developed to provide pre-install verification before pip execution, including detection of malicious .pth files, typosquatting, known-compromised versions, and secret exfiltration patterns.
- Pre-install security scanning (before pip execution) and real-time threat feeds are necessary to defend against sub-day attack windows in the modern supply chain attack landscape
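The .pth technique described above works because Python's `site` module executes any line of a site-packages .pth file that begins with `import` followed by a space or tab. The following is an added example, not code from CodeGuard Pro or from the original page: it inspects a wheel archive before installation and reports such lines. The function names and the sample wheel are constructed for illustration.

```python
import io
import zipfile

# site.py executes any .pth line that begins with "import" followed by a
# space or tab; every other non-comment line is treated as a path entry.
EXEC_PREFIXES = ("import ", "import\t")


def executable_pth_lines(text):
    """Return (line_number, line) pairs that site.py would exec() at startup."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.startswith(EXEC_PREFIXES):
            hits.append((number, line.strip()))
    return hits


def scan_wheel(wheel_bytes):
    """Inspect a wheel (zip archive) without installing it.

    Returns {archive_member: [(line_number, line), ...]} for each .pth file
    that contains at least one executable line.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as archive:
        for name in archive.namelist():
            if not name.lower().endswith(".pth"):
                continue
            text = archive.read(name).decode("utf-8-sig", errors="replace")
            hits = executable_pth_lines(text)
            if hits:
                findings[name] = hits
    return findings


def build_sample_wheel():
    """Constructed sample: one path-only .pth and one with an import line."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("example_pkg/__init__.py", "")
        archive.writestr("paths_only.pth", "# comment\nexample_pkg/vendor\n")
        archive.writestr("startup_hook.pth", "example_pkg\nimport example_pkg.hook\n")
    return buffer.getvalue()


if __name__ == "__main__":
    for member, hits in scan_wheel(build_sample_wheel()).items():
        for number, line in hits:
            print(f"{member}:{number}: executed at startup: {line}")
```

Some legitimate packages also ship `import` lines in .pth files, so a finding is a prompt to review the imported module before installing rather than proof of compromise.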



