
TeamPCP Compromised LiteLLM in AI Supply Chain Attack
Why It Matters
The compromise of LiteLLM exposes credentials for multiple AI providers and cloud platforms, highlighting a new attack surface in AI development pipelines and the urgent need for stronger supply‑chain defenses.
Key Takeaways
- TeamPCP injected malicious LiteLLM versions via a stolen PyPI publish token.
- The attack began by compromising the Trivy scanner to harvest CI/CD credentials.
- The payload exfiltrated API keys for OpenAI, Anthropic, Azure, AWS, and GCP.
- A .pth file gave persistence and code execution without LiteLLM ever being imported.
- Experts urge signed packages, SCA, and zero‑trust CI/CD controls.
Pulse Analysis
Supply‑chain attacks have migrated from traditional software to the burgeoning AI ecosystem, where open‑source libraries act as critical bridges to dozens of large‑language‑model providers. By first compromising Trivy—a widely adopted vulnerability scanner embedded in CI/CD pipelines—TeamPCP gained access to privileged build‑time tokens. Those tokens were then used to upload tampered LiteLLM releases to PyPI without altering the upstream repository, illustrating how a single compromised tool can cascade into a broader ecosystem breach.
The malicious LiteLLM packages employed two distinct delivery mechanisms. Version 1.82.7 injected a Base64‑encoded payload directly into the proxy_server.py file, executing whenever the LiteLLM proxy started. Version 1.82.8 leveraged a stealthier .pth file placed in Python’s site‑packages, which runs automatically on interpreter startup, even if the library isn’t explicitly imported. Once active, the malware scanned for environment variables and configuration files, siphoning API keys for OpenAI, Anthropic, Azure AI, as well as cloud credentials for AWS, Google Cloud, and Azure, plus Kubernetes configs. Collected data were encrypted, archived, and exfiltrated to a command‑and‑control server, while a polling backdoor maintained persistence.
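As an added illustration (not code from the original article, from LiteLLM, or from the researchers who analysed the incident), the audit below targets the .pth hook described above: it lists every line in the active site-packages .pth files that CPython would execute at interpreter start and flags lines that look like obfuscated loaders. The SUSPICIOUS patterns and the SAMPLE_PTH contents are assumptions constructed for the demonstration, not indicators published for this attack.

```python
"""Audit .pth files in site-packages for code that runs at interpreter start.

CPython's site.addpackage() exec()s any .pth line beginning with "import " or
"import" + tab (the hook the tampered LiteLLM 1.82.8 release used); list them.
"""
import re
import site
from pathlib import Path

# Heuristic for loader-style one-liners; an assumption about what obfuscated
# .pth payloads commonly contain, not a published indicator for this incident.
SUSPICIOUS = re.compile(
    r"exec\(|eval\(|base64|b64decode|zlib|marshal|__import__|compile\(|"
    r"subprocess|socket|urllib|os\.system", re.I)
# Constructed sample for the demo; only line 4 mimics an obfuscated loader.
SAMPLE_PTH = (
    "/usr/lib/python3/dist-packages\n"
    "import os; os.environ.setdefault('DEMO', '1')\n"
    "import _virtualenv\n"
    "import base64; exec(base64.b64decode('PLACEHOLDER'))\n"
)

def pth_exec_lines(text):
    """Return (lineno, line, suspicious) for each line CPython would execute."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()  # site.py tests the raw line: indented "import" is a path
        if line.startswith(("import ", "import\t")):
            hits.append((n, line, bool(SUSPICIOUS.search(line))))
    return hits

def scan_site_packages(dirs=None):
    """Map each .pth file under the given (default: active) site dirs to its hits."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings = {}
    for base in (Path(d) for d in dirs if Path(d).is_dir()):
        for pth in sorted(base.glob("*.pth")):
            try:
                hits = pth_exec_lines(pth.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                findings[str(pth)] = hits
    return findings

if __name__ == "__main__":
    for path, hits in scan_site_packages().items():
        for n, line, bad in hits:
            print(f"{'SUSPICIOUS' if bad else 'import'}\t{path}:{n}: {line}")
```

Benign import lines exist too (setuptools' distutils-precedence.pth, editable installs, virtualenv), so treat flagged lines as items to review against the installing package rather than as proof of compromise.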
For organizations, the incident underscores the necessity of treating AI‑related dependencies as high‑risk assets. Implementing signed package verification, rigorous Software Composition Analysis, and strict least‑privilege token policies can curb unauthorized publishing. Continuous monitoring of PyPI feeds, anomaly detection in CI/CD token usage, and network segmentation of build runners further reduce exposure. As AI services become integral to enterprise workloads, adopting zero‑trust principles across development pipelines will be pivotal in defending against supply‑chain compromises that threaten both data integrity and operational continuity.