Major Supply Chain Attack Compromises LiteLLM Through Poisoned Security Scanner
Key Takeaways
- TeamPCP exploited a prior compromise of Trivy security scanner to inject malicious code into LiteLLM's CI/CD pipeline, demonstrating how security tools themselves can become attack vectors
- The malicious packages used Python .pth files as a persistence mechanism, bypassing traditional detection methods and executing on every Python interpreter startup
- The three-hour window before detection highlights the critical need for rapid vulnerability disclosure and package monitoring, especially for widely-used dependencies with millions of daily downloads
Summary
On March 24, 2026, two malicious versions of the popular LiteLLM Python package (versions 1.82.7 and 1.82.8) were published to PyPI after threat actors known as TeamPCP compromised the maintainer's credentials. The attack originated from a poisoned version of Trivy, an open-source security scanner integrated into LiteLLM's CI/CD pipeline, which had been compromised five days earlier. The malicious packages remained available for approximately three hours before PyPI quarantined them, during which time they could have been downloaded by LiteLLM's 3.4 million daily users.
The compromise was discovered when security researcher Callum McMahon at FutureSearch experienced RAM exhaustion on his machine after installing a transitive dependency on litellm. Investigation revealed a 34,628-byte malicious file (litellm_init.pth) that was double base64-encoded and executed Python startup hooks. The payload inadvertently created a fork bomb due to recursive Python subprocess spawning triggered by the .pth mechanism on each interpreter startup. The attack represented a multi-stage supply chain compromise involving credential harvesting, encrypted exfiltration, and a persistent backdoor with Kubernetes worm capabilities.
- The attack chain started with Trivy on March 19, extended to Checkmarx KICS on March 23, and then targeted LiteLLM on March 24, indicating a coordinated campaign against multiple infrastructure and development tools
- LiteLLM maintainers successfully contained the breach by rotating all GitHub, Docker, and PyPI credentials and migrating to new identities
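The .pth startup mechanism described above can be audited on a host: Python's site module executes any line in a site-packages .pth file that begins with "import", so those lines are the ones worth inspecting. The following is an added example, not code from LiteLLM, PyPI or the researchers; the token list, the length threshold and the sample file contents are assumptions constructed for illustration.

```python
import re
import site
from pathlib import Path

# Heuristic tokens that rarely belong in a path-configuration file (assumed list).
SUSPICIOUS = re.compile(
    r"base64|exec\s*\(|eval\s*\(|compile\s*\(|subprocess|os\.system|urllib|socket")
MAX_BENIGN_LINE = 200  # assumed threshold; legitimate import hooks are short

# Constructed sample .pth content; the encoded string decodes to the no-op "pass".
CONSTRUCTED_SAMPLE = (
    "# constructed sample\n"
    "/opt/vendor/lib\n"
    'import base64; exec(base64.b64decode("cGFzcw=="))\n'
)

def executable_lines(pth_text):
    """Return the lines site.py would exec(): those starting with 'import' + space/tab."""
    return [ln for ln in pth_text.splitlines() if ln.startswith(("import ", "import\t"))]

def audit_pth(path):
    """Return (reason, line_preview) findings for one .pth file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    findings = []
    for ln in executable_lines(text):
        hit = SUSPICIOUS.search(ln)
        if hit:
            findings.append((f"executes code using '{hit.group(0)}'", ln[:80]))
        elif len(ln) > MAX_BENIGN_LINE:
            findings.append(("unusually long executable line", ln[:80]))
    return findings

def scan(dirs):
    """Audit every .pth file directly inside the given directories."""
    report = {}
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            found = audit_pth(pth)
            if found:
                report[str(pth)] = found
    return report

if __name__ == "__main__":
    # Scan the running interpreter's global and per-user site-packages.
    dirs = set(site.getsitepackages()) | {site.getusersitepackages()}
    for pth, found in scan(dirs).items():
        print(pth, found)
```

A finding is a prompt for review, not a verdict: some packaging tools ship short "import" lines in .pth files legitimately, which is why only lines matching the heuristics are reported.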
Editorial Opinion
This incident underscores a critical vulnerability in modern software supply chains: the tools we use to secure our infrastructure can become weapons against us. The fact that a security scanner like Trivy became the entry point for a sophisticated backdoor attack is particularly concerning and highlights the need for zero-trust approaches even within CI/CD environments. Organizations must implement strict version pinning, cryptographic verification of dependencies, and robust monitoring of transitive dependencies.



