How TeamPCP Turned LiteLLM into a Credential Harvesting Tool

By Prashant Kumar, X-Labs Senior Researcher
Supply chain attacks are on the rise again, and this time the carrier is an AI library. Since our post that featured an AI kill chain simulation, we observed a new supply chain attack on LiteLLM, a widely used open-source Python library. LiteLLM is an AI gateway that provides a single, unified, OpenAI-compatible interface for calling 100+ LLM providers.
In this incident, the threat actor group known as TeamPCP compromised LiteLLM by inserting infostealer malware directly into the published package. I’ll analyze the attack to show how it occurred and how the attackers exfiltrated data from cloud environments, AI services and developer pipelines.
The attack chain below shows how this attack was carried out.
The Precursor to the LiteLLM Attack
Prior to the attack on LiteLLM, TeamPCP compromised Trivy, a popular vulnerability scanner. The attackers made impersonated commits and spoofed legitimate maintainer identities to gain access. They then pushed a malicious version to the Trivy GitHub repository, which triggered the project’s automated release pipeline and distributed backdoored binaries to GitHub Releases, Docker Hub and Amazon ECR.
LiteLLM Attack Initialization
LiteLLM’s CI/CD pipeline ran Trivy as part of its build process. Because TeamPCP had already poisoned Trivy, the compromised binary scraped the CI/CD runner’s memory and exfiltrated the PYPI_PUBLISH token, the long-lived secret that authorizes uploads to PyPI.
With the stolen PYPI_PUBLISH token, the attackers uploaded malicious versions 1.82.7 and 1.82.8 of LiteLLM directly to PyPI, bypassing LiteLLM’s source code repository entirely, so a review of the GitHub repository alone would not reveal the malicious code.
Malicious Versions of LiteLLM
The two malicious versions used different injection techniques:
Version 1.82.7 used source injection: a Base64-encoded payload was injected directly into proxy_server.py and is decoded and executed when the LiteLLM proxy starts.
Fig. 2 – Version 1.82.7
Version 1.82.8 used .pth file injection. This version added litellm_init.pth to site-packages/. Python’s site module processes every .pth file at interpreter startup, so the payload runs in every Python process on the host with no import of LiteLLM required, which is both stealthier and broader in impact. A simple “pip install litellm==1.82.8” activated the payload in every subsequent Python process.
Fig. 3 – Version 1.82.8
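The .pth mechanism is worth seeing concretely, because it is easy to audit once you know the rule: site.py treats a .pth line that starts with "import " as Python code to execute at startup, and every other non-comment line as a directory to append to sys.path. The scanner below is an added example, not code from the original post or from the LiteLLM project; it lists every executable .pth line in the given directories and flags lines that look like a loader (decoding, exec, spawning, networking). The sample .pth contents in demo() are constructed for illustration and are only read, never executed.

```python
"""Find .pth files whose lines execute code at interpreter start (added example)."""
import re
import site
import tempfile
from pathlib import Path

# Names a one-line loader typically needs. Legitimate hooks (setuptools,
# virtualenv, coverage) rarely need these, so treat a match as a triage
# signal to inspect, not as proof of compromise.
SUSPICIOUS = re.compile(
    r"\b(exec|eval|compile|base64|b64decode|subprocess|os\.system|popen|"
    r"urllib|requests|socket|marshal|zlib|__import__)\b"
)


def scan_pth(path: Path) -> list[dict]:
    """Return one finding per executable line in a single .pth file."""
    findings = []
    for lineno, raw in enumerate(path.read_text(errors="replace").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # This is site.py's own rule for deciding that a line is code.
        if line.startswith(("import ", "import\t")):
            findings.append({
                "file": str(path),
                "line": lineno,
                "suspicious": bool(SUSPICIOUS.search(line)),
                "text": line[:200],
            })
    return findings


def scan_dirs(dirs) -> list[dict]:
    """Scan every *.pth in the given directories; missing directories are skipped."""
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            findings.extend(scan_pth(pth))
    return findings


def demo() -> list[dict]:
    """Run the scanner over three constructed .pth files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Plain path entry: never executed, so never reported.
        (d / "extra-paths.pth").write_text("/opt/vendor/lib\n")
        # Benign import hook of the kind virtualenv installs: executable, not flagged.
        (d / "_virtualenv.pth").write_text("import _virtualenv\n")
        # Loader-style line (constructed): executable and flagged. The blob decodes
        # to print('demo'); the scanner only reads the line and never runs it.
        (d / "evil_init.pth").write_text(
            "import base64, sys; exec(base64.b64decode('cHJpbnQoJ2RlbW8nKQ=='))\n"
        )
        return scan_dirs([d])


if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for f in scan_dirs(dirs):
        tag = "FLAG" if f["suspicious"] else "exec"
        print(f"{tag} {f['file']}:{f['line']}  {f['text']}")
```

Run it against the site-packages of every interpreter on the host, including virtual environments and container images, since a .pth dropped by pip only affects the interpreter it was installed into. Any executable line you cannot attribute to a known hook deserves a look at the package that owns it.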
In either case, running the affected package triggers a credential-stealing payload.
Analyzing the Three-Stage Payload
While analyzing the impacted versions and decoding the Base64 blobs, we observed multiple payloads focused on data collection, exfiltration and persistence.
1. Data collection:
Fig. 4 – Information & Data Collection
As the figure above shows, on execution the script immediately scans environment variables and configuration files associated with cloud providers and AI services, which include:
- AI provider keys: OpenAI, Anthropic and Azure secrets stored in environment variables.
- Cloud credentials: AWS, GCP and Azure credentials used by the cloud SDKs.
- Local files: ~/.kube/config and ~/.aws/credentials from user home directories under /home.
2. Encryption and Exfiltration
After the data is collected, it is encrypted and exfiltrated. Figure 5 details the procedure:
- A 32-byte AES session key is generated.
- The collected data is encrypted with AES-256-CBC, using PBKDF2 for key derivation.
- Everything is packed into tpcp.tar[.]gz (the filename echoes the group’s name).
- The archive is exfiltrated to hxxps[:]//models[.]litellm[.]cloud/ via curl.
Fig. 5 – Encryption and Exfiltration
3. Persistence
Persistence is achieved by installing a script named Sysmon.py from the PERSIST_B64 payload, which implements a polling-based remote code execution backdoor. The script sleeps 300 seconds on first start, then polls “hxxps[://]checkmarx[.]zone/raw” every 50 minutes (3,000 seconds). It expects a response beginning with “http”, treats it as a download URL, saves the fetched file to /tmp/pglog, makes it executable and runs it as a background process.
Here’s the whole persistence mechanism:
Fig. 6 – Persistence
AI Infrastructure Becomes a New Supply Chain Target
The LiteLLM compromise is a case study in how AI infrastructure is becoming the next frontier for supply chain attacks. The threat actor group TeamPCP used a publish token stolen from LiteLLM’s CI/CD pipeline to push two malicious versions of the package, each using a distinct delivery mechanism.
Version 1.82.7 injected a payload directly into proxy_server.py, triggering execution when the LiteLLM proxy starts. Version 1.82.8 took a stealthier approach, dropping a .pth file into site-packages that caused the malware to execute on every Python process initialized on the host, regardless of whether LiteLLM was ever explicitly imported.
What makes this campaign uniquely dangerous for AI and ML teams is the nature of the target. LiteLLM functions as a unified gateway to major AI providers, meaning a single compromise gave attackers simultaneous access to OpenAI, Anthropic and Azure credentials. Losing one library effectively means losing access control across multiple connected AI providers at once.
Protection Statement
- Stage 4 (Exploit Kit): the credential harvesting URL domain is categorized.
- Stage 5 (Dropper File): hashes of the malicious PyPI versions are added to our blocklist.
IOCs
| Indicator | Type |
|---|---|
| hxxps[:]//models[.]litellm[.]cloud/ | Exfiltration URL |
| hxxps[:]//checkmarx[.]zone/raw | C2 |
| 2d94efc6d49e05b314a9da55804f6a0d57154b18 | SHA-1 of litellm_init.pth (version 1.82.8) |
| 9e7587b990ae57319a6afedeba3b8873f6238206 | SHA-1 of proxy_server.py (version 1.82.7) |
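The persistence section and the IOC table above give a responder enough to triage a host. The script below is an added example, not code from the original post or from the LiteLLM project: it checks the two malicious versions, the two file hashes (40 hex characters, so they are treated as SHA-1), the two attacker domains and the /tmp/pglog download path. It assumes proxy_server.py sits at litellm/proxy/proxy_server.py under site-packages, the layout of the legitimate package, and that a stager that ran is still on disk at /tmp/pglog. The demo() data is constructed; a hash that does not match only means the file is not the exact sample hashed here, not that the host is clean.

```python
"""Host triage for the LiteLLM 1.82.7 / 1.82.8 compromise (added example)."""
import hashlib
import site
import tempfile
from importlib import metadata
from pathlib import Path
from typing import List, Optional

MALICIOUS_VERSIONS = {"1.82.7", "1.82.8"}
# Hashes from the IOC table; 40 hex characters, treated as SHA-1.
IOC_SHA1 = {
    "2d94efc6d49e05b314a9da55804f6a0d57154b18": "litellm_init.pth (1.82.8)",
    "9e7587b990ae57319a6afedeba3b8873f6238206": "proxy_server.py (1.82.7)",
}
IOC_DOMAINS = ("models.litellm.cloud", "checkmarx.zone")


def sha1_of(path: Path) -> str:
    """Stream the file through SHA-1 so large files are not loaded into memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def installed_litellm_version() -> Optional[str]:
    """Version from package metadata, or None when litellm is not installed."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def triage(site_packages: Path, tmp_dir: Path = Path("/tmp"),
           installed_version: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    version = installed_version or installed_litellm_version()
    if version in MALICIOUS_VERSIONS:
        findings.append(f"litellm {version} installed: known malicious release")

    # Files the post ties to each version. litellm_init.pth has no business in a
    # clean install; proxy_server.py is legitimate, so only its hash and contents
    # matter. The proxy_server.py location is an assumed package layout.
    for p in (site_packages / "litellm_init.pth",
              site_packages / "litellm" / "proxy" / "proxy_server.py"):
        if not p.is_file():
            continue
        if p.name == "litellm_init.pth":
            findings.append(f"{p}: file dropped by the 1.82.8 release is present")
        digest = sha1_of(p)
        if digest in IOC_SHA1:
            findings.append(f"{p}: SHA-1 {digest} matches IOC {IOC_SHA1[digest]}")
        text = p.read_text(errors="replace")
        for domain in IOC_DOMAINS:
            if domain in text:
                findings.append(f"{p}: references attacker domain {domain}")

    stager = tmp_dir / "pglog"
    if stager.exists():
        findings.append(f"{stager}: persistence stager download path is present")
    return findings


def demo() -> List[str]:
    """Run triage over a constructed site-packages and temp dir (sample data, not a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        sp = Path(tmp) / "site-packages"
        sp.mkdir()
        # Constructed sample: a .pth that merely mentions one attacker domain.
        (sp / "litellm_init.pth").write_text(
            "import sys  # constructed sample referencing checkmarx.zone\n")
        fake_tmp = Path(tmp) / "tmp"
        fake_tmp.mkdir()
        (fake_tmp / "pglog").write_bytes(b"")
        return triage(sp, fake_tmp, installed_version="1.82.8")


if __name__ == "__main__":
    hits = []
    for sp in site.getsitepackages() + [site.getusersitepackages()]:
        hits.extend(triage(Path(sp)))
    print("\n".join(hits) if hits else "no LiteLLM/TeamPCP indicators matched")
```

Because the 1.82.8 payload fires in every Python process, a single clean interpreter says little: run the triage from each interpreter and virtual environment that ever had litellm installed, and treat any credential that was present in the environment of those processes (AI provider keys, cloud SDK credentials, ~/.aws/credentials, ~/.kube/config) as exposed and rotate it.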