Major Security Event: Supply Chain Compromise in LiteLLM Versions 1.82.7 and 1.82.8

Written by Emma Stevens
Threat Intelligence Researcher

A supply chain compromise impacted the Python package LiteLLM: malicious versions 1.82.7 and 1.82.8 were published to PyPI on March 24, 2026. Bitsight Threat Intelligence, public reporting and vendor disclosures indicate the malicious releases included credential harvesting, Kubernetes-focused lateral movement, and persistence mechanisms, creating serious risk for cloud-native and AI-related environments that installed or ran the affected versions.

Vulnerability overview

This is a malicious package / supply chain compromise, not a traditional CVE-tracked vulnerability. Bitsight research and open source reporting indicate that two malicious LiteLLM versions, 1.82.7 and 1.82.8, were published to PyPI on March 24, 2026, likely stemming from the package’s use of Trivy in its continuous integration/continuous delivery (CI/CD) workflow. Both backdoored versions have since been removed from PyPI.

The malicious releases contained a three-stage payload consisting of a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor. According to public reporting, harvested data was packaged into an encrypted archive named tpcp.tar.gz and exfiltrated via HTTPS POST to models.litellm[.]cloud. The credential harvester targeted Secure Shell (SSH) keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files. The Kubernetes component deployed privileged pods across cluster nodes, while the persistence mechanism installed a systemd backdoor (sysmon.service) that polled attacker-controlled infrastructure for additional binaries.

In v1.82.7, the malicious code was embedded in litellm/proxy/proxy_server.py, reportedly injected during or after the wheel build process, and executed at module import time. In v1.82.8, the attack used a more aggressive mechanism: a malicious litellm_init.pth file placed at the wheel root, causing execution automatically at Python interpreter startup. Public reporting further states that the .pth launcher spawned a child Python process via subprocess.Popen, allowing the payload to run in the background without user interaction.

According to Bitsight Threat Intelligence

Bitsight’s Activity Index helps transform threat actor profiles from static reference pages into dynamic intelligence views by quantifying whether a threat group’s activity is increasing, declining, or holding steady. This gives TI teams a way to assess not just who an adversary is, but how much of a threat they may pose.

This index includes three key measures:

  • Recent change, which reflects shifts in the group’s activity relative to its own prior baseline
  • Peer comparison, which measures activity against similar threat groups
  • Global benchmark, which compares the group against all tracked adversarial entities

For TeamPCP, Bitsight portal telemetry shows a notable surge in activity:

  • +100% increase in recent activity
  • +300% higher activity vs similar threat groups
  • +300% higher activity vs all adversarial entities

Taken together, these metrics indicate a threat actor operating at a heightened pace, reinforcing the assessment that this campaign is active, expanding, and worthy of immediate attention.

Technical overview

  • Vulnerability Type: Supply Chain Compromise / Malicious Package
  • Affected Component: LiteLLM (v1.82.7, v1.82.8)
  • Potential Impact: Credential theft, Kubernetes compromise, persistence

Observed capabilities

Credential Harvesting

Targets SSH keys, cloud credentials, Kubernetes secrets, .env files, and cryptocurrency wallets. Harvested data was reportedly packaged into an encrypted archive (tpcp.tar.gz) and exfiltrated via HTTPS POST to models.litellm[.]cloud.

Kubernetes Lateral Movement

Uses the Kubernetes service account token, if present, to enumerate nodes and deploy privileged pods across cluster nodes.

Persistence Mechanism

Installs a systemd service (sysmon.service) that periodically retrieves follow-on payloads from attacker-controlled infrastructure.

Execution Methods

  • v1.82.7: Triggered on module import through malicious code embedded in litellm/proxy/proxy_server.py
  • v1.82.8: Triggered at Python startup through a malicious litellm_init.pth file, which reportedly spawns a child Python process via subprocess.Popen to run the payload in the background
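The two execution methods above, and the earlier description of the litellm_init.pth launcher, suggest a host-side check. The following is an added example, not code from the advisory or from LiteLLM: it looks for the affected versions and lists every .pth line that Python's site module would execute at startup (lines beginning with "import" followed by a space or tab). The keyword heuristic, the function names and the sample tree are assumptions made for illustration.

```python
import re
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # affected releases named in the advisory
# Heuristic only (an assumption of this example): tokens that rarely belong in a .pth file.
SUSPICIOUS = re.compile(r"subprocess|Popen|exec\(|eval\(|base64|os\.system|urllib|socket")

def executable_pth_lines(site_dir):
    """Return (file, line number, line, suspicious?) for each .pth line that
    site.py executes at interpreter startup instead of treating it as a path."""
    findings = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for number, line in enumerate(text.splitlines(), 1):
            if line.startswith(("import ", "import\t")):
                findings.append((pth.name, number, line, bool(SUSPICIOUS.search(line))))
    return findings

def affected_litellm(site_dir):
    """Return affected LiteLLM versions installed in site_dir, read from the
    litellm-<version>.dist-info directory names that pip leaves behind."""
    hits = []
    for dist in Path(site_dir).glob("litellm-*.dist-info"):
        version = dist.name[len("litellm-"):-len(".dist-info")]
        if version in BAD_VERSIONS:
            hits.append(version)
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree: a path-only .pth and a harmless stand-in for a
    launcher-style .pth. Nothing here is executed; the files are only scanned."""
    root = Path(root)
    (root / "litellm-1.82.8.dist-info").mkdir()
    (root / "editable_pkg.pth").write_text("/opt/src/mypkg\n")
    (root / "litellm_init.pth").write_text(
        "import subprocess; subprocess.Popen  # constructed stand-in, launches nothing\n")
    return root

if __name__ == "__main__":
    import site
    # Scan the real interpreter's site-packages directories.
    for directory in site.getsitepackages() + [site.getusersitepackages()]:
        print(directory, affected_litellm(directory))
        for finding in executable_pth_lines(directory):
            print("   ", finding)
```

Some legitimate packages (setuptools, for example) ship .pth files with import lines, so every reported line needs review; run the scan with each interpreter and virtual environment on the host, since each has its own site-packages.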

Why this matters

LiteLLM is used in modern AI and cloud environments where applications often have access to sensitive credentials, environment variables, and cloud infrastructure. A malicious package in this position can expose secrets, enable lateral movement, and create downstream risk far beyond a single host or container.

Because the payload executes automatically and requires no user interaction, organizations may be compromised simply by installing or running the affected versions. The Kubernetes-focused functionality also raises the risk of rapid spread across clustered environments.

Impact to organizations

Affected organizations may experience:

  • Exposure of sensitive credentials and secrets
  • Unauthorized access to cloud and production environments
  • Kubernetes cluster compromise and node-level persistence
  • Lateral movement across infrastructure
  • Long-term persistence enabling follow-on attacks
  • Potential downstream supply chain impact affecting partners and customers

Recommendations

Immediate Remediation

Remove LiteLLM versions 1.82.7 and 1.82.8 and replace them with a verified clean version.

Credential Rotation

Rotate all potentially exposed credentials, including API keys, tokens, SSH keys, cloud credentials, and secrets stored in environment variables or config files.

Environment Investigation

Isolate affected systems and conduct forensic review to determine the extent of compromise.

Kubernetes Review

Audit clusters for unauthorized or privileged pods, review service account permissions, and investigate unusual node-level activity.
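One way to start the pod audit described above, as an added example that is not part of the original advisory: it reads the JSON that `kubectl get pods -A -o json` produces and reports pods that run privileged containers. It goes beyond the advisory by also flagging host namespaces and hostPath volumes, which are general indicators of node-level access and not reported details of this campaign; the pod names in the sample are constructed.

```python
import json

def risky_pods(pod_list):
    """Return one finding per pod that has node-level access settings."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        reasons = [key for key in ("hostPID", "hostNetwork", "hostIPC") if spec.get(key)]
        if any("hostPath" in volume for volume in spec.get("volumes") or []):
            reasons.append("hostPath volume")
        containers = ((spec.get("containers") or [])
                      + (spec.get("initContainers") or [])
                      + (spec.get("ephemeralContainers") or []))
        for container in containers:
            if (container.get("securityContext") or {}).get("privileged"):
                reasons.append(f"privileged container {container.get('name')}")
        if reasons:
            findings.append({
                "namespace": meta.get("namespace"),
                "name": meta.get("name"),
                "node": spec.get("nodeName"),
                "created": meta.get("creationTimestamp"),
                "reasons": reasons,
            })
    return findings

# Constructed sample input in the shape of a Kubernetes PodList.
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "web-7d9f",
                  "creationTimestamp": "2026-03-20T10:00:00Z"},
     "spec": {"nodeName": "node-a",
              "containers": [{"name": "web", "securityContext": {"privileged": False}}]}},
    {"metadata": {"namespace": "kube-system", "name": "example-privileged-pod",
                  "creationTimestamp": "2026-03-24T12:00:00Z"},
     "spec": {"nodeName": "node-b", "hostPID": True,
              "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
              "containers": [{"name": "c", "securityContext": {"privileged": True}}]}},
]}

if __name__ == "__main__":
    import sys
    # Usage: kubectl get pods -A -o json | python this_script.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in risky_pods(data):
        print(json.dumps(finding))
```

Network plugins, kube-proxy and similar system workloads legitimately use these settings, so compare the findings against a known-good baseline and pay attention to creation times on or after March 24, 2026.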

Network Monitoring

Review traffic for connections to known reported infrastructure, including:

  • models.litellm[.]cloud
  • checkmarx[.]zone

Persistence Removal

Identify and remove suspicious systemd services and unknown scripts, including artifacts associated with sysmon.service or sysmon.py.

Threat landscape & context

Public reporting links this activity to TeamPCP, a threat actor previously associated with compromises involving tools such as Trivy and KICS. According to Bitsight Threat Intelligence on March 19, 2026, TeamPCP was described as compromising Aqua Security’s Trivy vulnerability scanner, using a credential stealer in GitHub Actions, release binaries, and Docker Hub images, with resulting exposure of cloud credentials and SSH keys across CI/CD pipelines. The LiteLLM incident appears to be part of a broader campaign targeting software supply chains across multiple ecosystems, including PyPI, GitHub Actions, Docker Hub, npm, and Open VSX.

How Bitsight TI and TPRM support you

  • Threat Monitoring: Track activity spikes and emerging attacker behavior
  • Campaign Correlation: Connect this incident to broader supply chain campaigns
  • External Exposure Detection: Identify exposed assets and dependencies
  • Third-Party Risk Management: Assess vendor exposure and potential cascading supply chain risk

Conclusion / call to action

The LiteLLM incident underscores the growing risk of software supply chain attacks targeting high-leverage developer tools and cloud-native infrastructure. Given the automated execution, credential access, Kubernetes propagation, and persistence mechanisms observed here, organizations should assume significant risk if the affected versions were installed or run.

Immediate action should focus on removing malicious versions, rotating credentials, reviewing Kubernetes environments, and investigating for persistence. With elevated threat actor activity reflected in Bitsight telemetry and evidence of broader campaign expansion, this incident warrants urgent remediation and continued monitoring. To learn more about this incident or speak with a Bitsight CTI expert, contact us today.
