Originally reported by Wiz Blog
TL;DR
TeamPCP threat actors compromised the popular LiteLLM Python package, injecting malware into versions 1.82.7 and 1.82.8 that steals cloud credentials and secrets. The attack uses Python's .pth mechanism for stealthy persistence across package installations.
An active supply chain attack is targeting a widely used AI infrastructure package, with credential exfiltration capabilities and a novel persistence mechanism.
Wiz researchers have identified the latest victim in TeamPCP's ongoing supply chain campaign: LiteLLM, a popular Python package for interfacing with large language model APIs. The threat actors successfully compromised versions 1.82.7 and 1.82.8 of the package, implementing a sophisticated credential harvesting operation.
The malicious versions abuse Python's .pth file mechanism to achieve persistence. This technique allows the malware to execute code automatically whenever Python imports packages, creating a stealthy foothold that survives package updates and system reboots.
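As an added example (not code from Wiz or the LiteLLM project): Python's `site` module executes any `.pth` line that begins with `import` at interpreter startup, so a defender can enumerate exactly those lines in every site-packages directory. The `RISKY_TOKENS` heuristic and the sample files in `demo()` are assumptions constructed for illustration, not indicators from the report.

```python
"""List .pth lines that the site module would execute at interpreter startup."""
import site
import sysconfig
import tempfile
from pathlib import Path

# Heuristic tokens: an assumption of this example, not indicators from the report.
RISKY_TOKENS = ("exec(", "eval(", "base64", "subprocess", "urllib", "socket", "os.system")


def site_dirs():
    """Return existing site-packages directories whose .pth files are processed."""
    paths = sysconfig.get_paths()
    dirs = {paths["purelib"], paths["platlib"]}
    dirs.update(site.getsitepackages() if hasattr(site, "getsitepackages") else [])
    dirs.add(site.getusersitepackages())
    return sorted(Path(d) for d in dirs if Path(d).is_dir())


def scan_pth(directory):
    """Return (file, line_no, risky, text) for each executable line in *.pth."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            # site.py executes only lines starting with "import" plus space or tab;
            # every other non-comment line is treated as a sys.path entry.
            if line.startswith(("import ", "import\t")):
                risky = any(tok in line for tok in RISKY_TOKENS)
                findings.append((pth.name, no, risky, line.strip()[:120]))
    return findings


def demo():
    """Scan constructed sample files written to a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "paths_only.pth").write_text("# comment\n../vendored\n")
        Path(tmp, "editable.pth").write_text("import sys\n")
        Path(tmp, "sample_startup.pth").write_text('/opt/lib\nimport sys; exec("pass")\n')
        return scan_pth(tmp)


if __name__ == "__main__":
    for d in site_dirs():
        for name, no, risky, text in scan_pth(d):
            print(f"{'REVIEW' if risky else 'info'}  {d / name}:{no}  {text}")
```

Legitimate packaging tools also ship `.pth` files with `import` lines, so the output is a review list rather than a verdict.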
The trojanized LiteLLM package specifically targets:
Exfiltrated data is transmitted to attacker-controlled domains, enabling potential lateral movement and further compromise of affected environments.
LiteLLM serves as a critical component in many AI and machine learning workflows, particularly in enterprise environments deploying language model integrations. Organizations using the compromised versions face immediate risk of credential theft and potential cloud infrastructure compromise.
This attack represents a continuation of TeamPCP's systematic targeting of open-source Python packages. The group has demonstrated consistent tactics across multiple package compromises, suggesting an organized effort to infiltrate software supply chains at scale.
Organizations should immediately: