TeamPCP compromises Python libraries via supply chain attack

The hacker group TeamPCP uploaded two malicious versions of the popular Python library LiteLLM to PyPI. Using a previously compromised version of the vulnerability scanner Trivy, the attackers stole LiteLLM’s publication tokens. They then exfiltrated AI keys, cloud credentials, and SSH keys from affected systems.

The supply chain attack on LiteLLM did not start with LiteLLM itself. TeamPCP first compromised Trivy, a widely used open-source vulnerability scanner, by spoofing commits from legitimate maintainers. The attackers then pushed a malicious version to the Trivy repository, which was distributed via an automated release pipeline to GitHub Releases, Docker Hub, and Amazon ECR.

LiteLLM used Trivy in its CI/CD pipeline. Because the infected binary had access to the CI/CD runner’s memory, the attackers were able to steal the PYPI_PUBLISH token. Using that token, they published two malicious versions of LiteLLM—1.82.7 and 1.82.8—directly to PyPI, bypassing the official source code repository.

LiteLLM serves as a unified gateway to over 100 LLM providers, including OpenAI, Anthropic, and Azure. That makes it a particularly attractive target. A compromise grants access to API keys for all those providers at once. Research by Hunt.io revealed that over 33,000 internet-facing LiteLLM instances were active at the time. The attack was assigned CVE number CVE-2026-33634 with a CVSS score of 9.4.

Two injection methods, three attack phases

The two versions used different techniques. Version 1.82.7 injected a Base64-encoded payload directly into proxy_server.py, which was executed as soon as the LiteLLM proxy started. Version 1.82.8 was more subtle: it added a .pth file to site-packages, causing the malware to activate every time the Python interpreter started, regardless of whether LiteLLM was explicitly imported. A simple command was sufficient to activate the payload on all subsequent Python processes.

The payload operated in three phases. First, the malware collected environment variables and configuration files from cloud providers and AI services: OpenAI, Anthropic, and Azure keys; AWS/GCP/Azure credentials; and local files such as ~/.kube/config and ~/.aws/credentials. Next, the code encrypted the stolen data using AES-256-CBC and sent everything as tpcp.tar.gz to a C2 server via curl. Finally, the malware installed a backdoor via a PERSIST_B64 payload that fetched instructions from a remote domain every 50 minutes to execute new code.
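An added defender-side check, not code from the article or from the LiteLLM project: it flags `.pth` files in site-packages that execute code at interpreter start (the 1.82.8 persistence trick described above) and compares an installed LiteLLM version against the two malicious releases named in the text. The sample `.pth` content is constructed; the token list used to flag a line is an assumption, not a published signature.

```python
import re
import site
from pathlib import Path

# The two malicious releases named in the advisory text.
MALICIOUS_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}

# Python executes any .pth line that starts with "import"; every other line is
# treated as a path entry. Legitimate tools use this for one-line hooks, so we
# only flag import lines that also carry code-execution or decoding primitives.
# This token list is an assumption for illustration, not a published signature.
SUSPICIOUS_TOKENS = re.compile(
    r"\b(exec|eval|compile|__import__|base64|subprocess|urllib|socket)\b"
)


def suspicious_pth_lines(pth_text: str) -> list[str]:
    """Return the .pth lines that run code beyond a plain module import."""
    hits = []
    for line in pth_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("import") and SUSPICIOUS_TOKENS.search(stripped):
            hits.append(stripped)
    return hits


def scan_site_packages(dirs=None) -> dict[str, list[str]]:
    """Scan every .pth file in the given (default: all) site-packages dirs."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings = {}
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for pth in Path(d).glob("*.pth"):
            try:
                hits = suspicious_pth_lines(pth.read_text(errors="replace"))
            except OSError:
                continue  # unreadable file; keep scanning the rest
            if hits:
                findings[str(pth)] = hits
    return findings


def is_malicious_litellm_version(version: str) -> bool:
    """True if the given LiteLLM version string is one of the trojanized ones."""
    return version.strip() in MALICIOUS_LITELLM_VERSIONS


# Constructed sample: a normal path entry, a code-executing hook, a benign hook.
CONSTRUCTED_PTH = (
    "/usr/lib/python3/dist-packages\n"
    "import sys; exec(__import__('base64').b64decode('aW1wb3J0IG9z'))\n"
    "import _virtualenv\n"
)
```

Run `scan_site_packages()` on a host to list every code-bearing `.pth` file for manual review; a hit is a lead, not proof, since some packaging tools install legitimate hooks.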