A widely used Python package with more than 95 million monthly downloads has been compromised with credential-stealing malware, expanding the ongoing supply chain campaign linked to the TeamPCP threat group.
The newly discovered compromise affects the LiteLLM package on PyPI and follows earlier incidents involving the Trivy vulnerability scanner and malicious Docker images distributed through Docker Hub.
The compromised LiteLLM versions, 1.82.7 and 1.82.8, were uploaded on March 24, 2026, and contained hidden malware designed to harvest credentials, move laterally across Kubernetes environments and install persistent backdoors. Both malicious versions have since been removed from PyPI, and version 1.82.6 is currently considered the last clean release.
Security researchers from Endor Labs said the malicious code executed automatically when certain package components were imported, while the later version introduced a more aggressive mechanism that executed whenever any Python process started in an affected environment. This meant the malware could run silently in the background even if the package was not actively used.
Malware Designed For Credential Theft and Persistence
Analysis by Jfrog researchers showed the malware operated in three stages, beginning with a hidden payload embedded inside package files. Once triggered, the malware collected sensitive information from the system and attempted to spread across Kubernetes clusters before installing a persistent system service backdoor.
The malware collected a wide range of sensitive data, including:
-
SSH keys and configuration files
-
Cloud credentials from AWS, GCP and Azure
-
Kubernetes secrets and configuration files
-
Database credentials and environment files
-
Cryptocurrency wallets
-
TLS and SSL private keys
-
Shell histories and system authentication files
Read more on software supply chain attacks: Precision Becomes the New Playbook for Software Supply Chain Attacks
The stolen data was encrypted and transmitted to attacker-controlled infrastructure, making detection more difficult and allowing attackers to access compromised environments later through persistent backdoors.
Linked to Ongoing TeamPCP Supply Chain Attacks
Researchers attributed the compromise to TeamPCP, the same threat group linked to the aforementioned Trivy compromise and subsequent malicious Docker images.
The group has been observed running a multi-stage supply chain campaign across several developer ecosystems, including GitHub Actions, Docker Hub, npm, OpenVSX and PyPI.
“Given the volume of stolen credentials across likely thousands of downstream environments, expect an increase in breach disclosures, follow-on intrusions, and extortion attempts in the coming weeks,” Brett Leatherman, FBI Assistant Director of Cyber Division wrote on LinkedIn earlier today.
Investigators believe the attackers are deliberately targeting developer and security tools because they often run with elevated privileges and have access to sensitive credentials and infrastructure.
Security experts warned that organizations that installed the affected LiteLLM versions should assume credentials were exposed and rotate all secrets and review systems for signs of compromise.
