
Swarm Intelligence: LiteLLM was the end of the chain, not the beginning.

LiteLLM's PyPI package was backdoored for under an hour on March 24. SSH keys, cloud credentials, and CI/CD secrets exfiltrated at install. Here is what is assessed to have happened.


Every machine that ran pip install litellm on March 24 and resolved to the backdoored release executed code that sent its SSH keys, cloud credentials, Kubernetes configs, CI/CD secrets, and shell history to an attacker-controlled server. Not after clicking a link. Not after opening a document. At the point of package installation, before the library was ever imported.

The backdoor was live for under an hour. It was only found because the attacker made a coding error. But LiteLLM was not where this started. By March 24, the group behind it had already spent five days working through the security toolchain that defends most enterprise software pipelines.

The campaign

The threat actor, publicly tracked as TeamPCP, is assessed to have run a coordinated five-day supply chain campaign across at least five ecosystems: GitHub Actions, PyPI, npm, Docker Hub, and Open VSX. Based on researcher analysis of the campaign timeline and shared infrastructure, the technique appears to have been cascading compromise: credentials from one target used to reach the next.

On March 19, 75 of 76 version tags in Aqua Security’s aquasecurity/trivy-action repository were force-pushed to point at a malicious payload. Trivy is one of the most widely used open source vulnerability scanners. Every CI/CD pipeline that referenced the action by one of those tags served the credential stealer to its runners on the next run, with no change to the pipeline’s own configuration. The payload is reported to have dumped Runner.Worker process memory, harvested SSH keys, cloud credentials, and Kubernetes secrets, encrypted the data with AES-256 and RSA-4096, and exfiltrated it to an attacker-controlled domain. Microsoft confirmed the compromise and published detection guidance on March 24.

By March 21, Checkmarx’s CI/CD infrastructure had also been compromised. Researchers at Sysdig assess that credentials harvested from Trivy pipelines were used to gain this access, based on observed timing and shared exfiltration infrastructure. On March 23, all 35 tags of Checkmarx/kics-github-action were hijacked in a four-hour window. Two Open VSX extensions were also trojanized: ast-results version 2.53.0 and cx-dev-assist version 1.7.0. Over 66 npm packages were reportedly compromised in the same campaign.

LiteLLM is assessed to have been the final link. The library uses Trivy in its own CI/CD pipeline. Based on analysis published by Datadog Security Labs, access through the compromised Trivy action is believed to have provided a path to LiteLLM’s PyPI maintainer credentials, leading to the publication of versions 1.82.7 and 1.82.8 containing a malicious .pth file.

What the LiteLLM payload did

Python processes every .pth file in its site-packages directories on interpreter startup, without any import statement from the user. Most lines in a .pth file are directory names to add to sys.path, but any line beginning with import is executed as Python code; that single mechanism is what makes .pth files a startup hook. Analysis of the file litellm_init.pth indicates a three-stage attack. Stage one harvested credentials: SSH keys, AWS, GCP, and Azure tokens, Kubernetes configs, git credentials, all environment variables, shell history, crypto wallets, SSL private keys, CI/CD secrets, and database passwords. Stage two appears to have attempted lateral movement across Kubernetes clusters by deploying privileged pods to every node. Stage three is reported to have installed a persistent systemd backdoor polling for additional binaries.

All exfiltrated data was sent to a look-alike domain under attacker control, models.litellm.cloud, chosen to pass as legitimate project infrastructure in outbound traffic.

LiteLLM has 97 million downloads per month and is a transitive dependency for DSPy, CrewAI, Browser-Use, Instructor, Guardrails, and dozens of other widely used AI packages. During the window, installing any of them without a pin that held litellm to an earlier version was enough to pull in the affected release.

The attack was discovered by Callum McMahon at FutureSearch. He was using an MCP plugin inside Cursor that pulled litellm as a dependency. When version 1.82.8 installed, his machine ran out of RAM and crashed. The .pth file spawned a new Python process; that interpreter processed the same .pth on its own startup and spawned another, and so on, which amounts to a fork bomb. The bug made the attack visible. Without it, the attacker would have had a clean exfiltration channel with no user-visible symptoms.

Why the shape of this matters

What is observable in this campaign is that the targets were not applications. They were the infrastructure used to build, scan, and ship applications. Trivy and KICS are security tools. They exist to find vulnerabilities. In this instance, they appear to have been the entry point. The more trusted the tool, the more valuable a compromise of it becomes.

The cascading structure is the threat model worth studying. Based on current researcher assessments, a single stolen token from a Trivy pipeline provided access to Checkmarx, and from there the chain reached LiteLLM. If that assessment is accurate, each target expanded the credential pool for the next. This is not a single supply chain attack. It is a supply chain attack that appears designed to fund further supply chain attacks.

The credential density on any AI engineer’s machine right now is significant. API keys for a dozen model providers. Cloud credentials. Kubernetes configs. Database connection strings. All of it accumulates in .env files and shell history, available to any package that executes at interpreter startup. The targets in this campaign reflect that reality.

What to do about it

Audit your Python environments for exposure. Any machine that installed litellm 1.82.7 or 1.82.8 on March 24, directly or through a dependency, should be treated as compromised, not merely suspect: the payload ran on every interpreter start, so a single install was enough. Revoke and rotate cloud keys, SSH keys, CI/CD tokens, database passwords, and API keys, and check those hosts for the stage two and stage three artifacts described above: unexpected privileged pods in reachable Kubernetes clusters and unfamiliar systemd units. Treat any CI/CD runner that referenced aquasecurity/trivy-action or Checkmarx/kics-github-action by tag between March 19 and March 24 as having exposed its secrets.

Pin GitHub Actions to a full 40-character commit SHA, not a version tag. Tags are mutable. A tag can be force-pushed to point at a different commit with no warning, which is exactly what happened to 75 trivy-action tags. Pinning by SHA locks the action to a specific, immutable state; a comment next to the SHA can carry the human-readable version for review.

Pin dependency versions in CI/CD and production. An unpinned dependency, or an open range such as a minimum version, resolves to whatever is current at install time, which in this case was the backdoored release. Exact version pins would have held litellm at a clean version through the window; pinning hashes as well refuses any artifact that does not match what was reviewed.
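The two pinning rules above can be checked mechanically. The script below is an added example, not code from the original post or from any of the vendors it cites: it scans workflow text for uses: references that are not full commit SHAs and requirements text for lines without an exact == pin. The sample workflow and requirements are constructed for illustration; the action names are the ones named in the post, and the commit SHA is a placeholder, not a real commit.

```python
import re

# A full, immutable Git object id is 40 lowercase hex characters.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
REQ_LINE = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)")


def audit_workflow(text):
    """Return (action, ref, status) for every `uses:` in a workflow.

    status is 'sha' for a full commit pin, 'tag' for a mutable tag or branch
    (the state trivy-action pipelines were in), or 'local' for local and
    docker:// references, which carry no Git ref to pin.
    """
    findings = []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            findings.append((spec, None, "local"))
            continue
        action, _, ref = spec.partition("@")
        status = "sha" if FULL_SHA.match(ref) else "tag"
        findings.append((action, ref, status))
    return findings


def audit_requirements(text):
    """Return (package, specifier, pinned, hashed) per requirement line.

    pinned is True only for an exact '==' specifier; hashed records whether a
    --hash option is present, which lets `pip install --require-hashes` reject
    an artifact whose bytes differ from the reviewed one.
    """
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blank lines and pip options
            continue
        name, rest = REQ_LINE.match(line).groups()
        spec = rest.split("--hash")[0].strip()
        pinned = spec.startswith("==") and "," not in spec and "*" not in spec
        results.append((name, spec, pinned, "--hash=" in rest))
    return results


def unpinned(workflow_text, requirements_text):
    """Everything a reviewer should block: tag-pinned actions, unpinned packages."""
    actions = [f"{a}@{r}" for a, r, s in audit_workflow(workflow_text) if s == "tag"]
    packages = [n for n, _, p, _ in audit_requirements(requirements_text) if not p]
    return actions, packages


# Constructed sample inputs (illustrative refs; the SHA is a placeholder).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: Checkmarx/kics-github-action@0123456789abcdef0123456789abcdef01234567  # placeholder, not a real commit
      - uses: ./.github/actions/local-step
"""

SAMPLE_REQUIREMENTS = """\
litellm
dspy>=2.5
requests==2.32.3 --hash=sha256:placeholder  # hash value is a placeholder
"""

if __name__ == "__main__":
    actions, packages = unpinned(SAMPLE_WORKFLOW, SAMPLE_REQUIREMENTS)
    print("tag-pinned actions:", actions)
    print("unpinned packages:", packages)
```

Run it over the real .github/workflows directory and requirements files in a pre-merge check; anything it reports for the mutable categories is a reference a single force-push or a single new upload can redirect.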

Audit your build pipeline for third-party integrations. Map what access each tool holds. Ask what a compromise of that tool exposes. Every GitHub Action, scanner, linter, and build dependency in your pipeline is a potential upstream target.

Restrict credential scope on CI/CD runners. In this campaign, the attacker collected everything present. Least-privilege on runners directly limits what a poisoned dependency or action can take.

Monitor for .pth files in Python environments. Most legitimate .pth files only add directories to sys.path; a small, known set, such as setuptools’ distutils-precedence.pth and the finders that editable installs register, carry import lines that run code. Baseline those and alert on any new .pth that executes code, because auto-execution on every interpreter startup makes the format an effective payload delivery mechanism with no import of the package required to trigger it.
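A scanner for that check, serving both the description of the .pth mechanism above and the monitoring advice here, as an added example that is not code from the original post or from LiteLLM. It classifies every .pth in the interpreter’s site directories: path lines are ignored, import lines are flagged as executing at startup, and calls that a path hook has no reason to make are named. The filename litellm_init.pth and the affected versions come from the post; the SUSPICIOUS pattern is this example’s own heuristic, and the sample .pth contents are constructed (the hostile one decodes the word "pass", not a real payload).

```python
import os
import re
import site
from importlib.metadata import PackageNotFoundError, version

# Lines that begin with "import" are executed by site.py at startup; every other
# non-comment line is treated as a directory to add to sys.path.
EXEC_PREFIX = ("import ", "import\t")
# Example heuristics: names that have no business in a path-configuration hook.
SUSPICIOUS = re.compile(
    r"\b(exec|eval|compile|subprocess|os\.system|os\.popen|base64|zlib|"
    r"marshal|socket|urllib|getenv|environ)\b"
)
KNOWN_BAD_NAMES = {"litellm_init.pth"}        # filename named in the post
AFFECTED_LITELLM = {"1.82.7", "1.82.8"}       # releases named in the post


def classify_pth(name, text):
    """Return (line_no, reason, line) findings for one .pth file's contents."""
    findings = []
    if name in KNOWN_BAD_NAMES:
        findings.append((0, "known-bad filename", name))
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(EXEC_PREFIX):
            reason = "executes at startup"
            calls = sorted(set(SUSPICIOUS.findall(line)))
            if calls:
                reason += "; calls " + ", ".join(calls)
            findings.append((n, reason, line))
    return findings


def scan_site_dirs(dirs=None):
    """Classify every .pth in the given directories (default: this interpreter's)."""
    if dirs is None:
        dirs = [site.getusersitepackages()]
        if hasattr(site, "getsitepackages"):   # absent in some old virtualenvs
            dirs = list(site.getsitepackages()) + dirs
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                path = os.path.join(d, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    report[path] = classify_pth(name, f.read())
    return report


def is_affected(litellm_version):
    """True for the two backdoored releases."""
    return litellm_version in AFFECTED_LITELLM


def litellm_exposure():
    """Installed litellm version if it is an affected release, else None."""
    try:
        v = version("litellm")
    except PackageNotFoundError:
        return None
    return v if is_affected(v) else None


# Constructed samples: a benign path entry, the import-line shape an editable
# install uses, and a hypothetical hostile line in the form the post describes.
BENIGN_PTH = "/opt/vendor/lib\n"
EDITABLE_PTH = "import _my_editable_finder; _my_editable_finder.install()\n"
HOSTILE_PTH = "import os, base64; exec(base64.b64decode(b'cGFzcw=='))\n"

if __name__ == "__main__":
    for path, findings in scan_site_dirs().items():
        for line_no, reason, line in findings:
            print(f"{path}:{line_no}: {reason}: {line}")
    exposed = litellm_exposure()
    print("affected litellm installed:", exposed or "no")
```

The hostile sample is caught by the import-line rule alone; the call heuristic only adds detail to the reason. That ordering matters in practice: a .pth that runs anything at startup is the event to alert on, and the specific calls are triage, not the trigger.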

Sources

Datadog Security Labs: LiteLLM compromised on PyPI: Tracing the March 2026 TeamPCP supply chain campaign
Microsoft Security Blog: Guidance for detecting, investigating, and defending against the Trivy supply chain compromise
Sysdig: TeamPCP expands: Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions
LiteLLM: Security Update on Suspected Supply Chain Incident
FutureSearch: Supply Chain Attack in litellm 1.82.8 on PyPI

