ANAVEM
TeamPCP Hackers Compromise LiteLLM Python Package in Supply Chain Attack

TeamPCP hacking group compromised the popular LiteLLM Python package on PyPI, claiming to have stolen data from hundreds of thousands of devices.

24 March 2026, 23:29

Last updated 25 March 2026, 22:00

Severity: High
Exploit: Active Exploit
Patch status: Available
Vendor: PyPI/LiteLLM Project
Affected: LiteLLM Python package version...
Category: Cyber Attacks

TeamPCP Targets LiteLLM Package in Latest Supply Chain Campaign

The TeamPCP hacking group executed a sophisticated supply chain attack on March 24, 2026, compromising the widely used LiteLLM Python package hosted on the Python Package Index (PyPI). The attackers successfully infiltrated the package's distribution mechanism, injecting malicious code into what developers believed were legitimate updates. LiteLLM serves as a unified interface for multiple large language model APIs, making it a high-value target due to its extensive adoption across enterprise and development environments.

Security researchers discovered the compromise after detecting anomalous network traffic patterns from systems running recent LiteLLM installations. The malicious versions contained obfuscated Python code designed to establish persistent backdoors and exfiltrate sensitive data from infected systems. TeamPCP embedded the payload within seemingly legitimate package functionality, making detection particularly challenging for automated security tools and manual code reviews.

The attack represents a continuation of TeamPCP's aggressive supply chain campaign that has targeted multiple open-source repositories throughout 2026. Security researchers have documented the group's evolving tactics, which include sophisticated social engineering techniques to gain maintainer access and advanced code obfuscation methods to evade detection systems.

PyPI administrators responded swiftly once the compromise was identified, removing the malicious package versions and implementing additional verification measures. However, the window of exposure lasted approximately 18 hours, during which thousands of automated installations occurred across development and production environments worldwide. The attackers demonstrated deep knowledge of Python packaging conventions and dependency management systems, suggesting significant preparation and reconnaissance phases preceding the attack.

Widespread Impact Across Development and Enterprise Environments

The LiteLLM compromise affects organizations and developers who installed or updated the package between March 23 and March 24, 2026. Given LiteLLM's role as a popular abstraction layer for AI model APIs, the affected user base spans multiple industries including technology companies, research institutions, and enterprises implementing AI-powered applications. Systems running LiteLLM versions 1.35.8 through 1.35.12 contain the malicious code, with automatic dependency updates potentially spreading the compromise to downstream applications and services.

TeamPCP claims to have successfully exfiltrated data from hundreds of thousands of devices, though independent verification of this scope remains ongoing. The stolen information allegedly includes API keys, configuration files, source code repositories, and system metadata that could facilitate additional attacks against affected organizations. Development environments appear particularly vulnerable, as LiteLLM installations often have elevated privileges and access to sensitive development resources including version control systems and deployment pipelines.

Enterprise users face heightened risk due to LiteLLM's common deployment in production AI services and automated workflows. The package's integration with major cloud AI platforms means compromised installations could potentially access customer data, model training datasets, and proprietary algorithms. Security analysis reveals that the malicious code specifically targeted environments with cloud service credentials, suggesting the attackers prioritized high-value enterprise targets over individual developer machines.

Immediate Response and Mitigation Steps for LiteLLM Users

Organizations must immediately audit their Python environments to identify and remove compromised LiteLLM installations. System administrators should execute 'pip list | grep litellm' to check installed versions and compare against the known malicious range of 1.35.8 through 1.35.12. Any systems running these versions require immediate isolation and forensic analysis to determine the extent of potential data compromise. The recommended remediation involves completely uninstalling the affected package using 'pip uninstall litellm' followed by a clean installation of the verified safe version 1.35.7 or the latest patched release.
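
'pip list' only reports the environment of the interpreter it runs in, so other virtual environments on the same host go unchecked. The following is an added example, not code from the article or the LiteLLM project: it walks a directory tree, reads every 'litellm-*.dist-info/METADATA' file it finds, and flags versions in the 1.35.8 through 1.35.12 range stated above. The function names and status labels are this example's own.

```python
import re
import sys
from email.parser import HeaderParser
from pathlib import Path

# Affected range as stated in the article: 1.35.8 through 1.35.12, inclusive.
AFFECTED_MIN, AFFECTED_MAX = (1, 35, 8), (1, 35, 12)


def release_tuple(version):
    """Numeric release as a 3-tuple of ints, so 1.35.10 sorts after 1.35.8.

    Suffixes such as rc1 or .post1 are ignored, which errs toward flagging.
    """
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple((parts + [0, 0])[:3])


def is_affected(version):
    return AFFECTED_MIN <= release_tuple(version) <= AFFECTED_MAX


def scan(root):
    """Return (site_packages_dir, version, status) for each litellm found under root."""
    findings = []
    for meta in sorted(Path(root).rglob("litellm-*.dist-info/METADATA")):
        headers = HeaderParser().parsestr(meta.read_text(encoding="utf-8", errors="replace"))
        if (headers["Name"] or "").strip().lower() != "litellm":
            continue  # a different distribution whose name merely starts with "litellm-"
        version = (headers["Version"] or "").strip()
        try:
            status = "AFFECTED" if is_affected(version) else "ok"
        except ValueError:
            status = "UNKNOWN"  # unreadable metadata: inspect this install by hand
        findings.append((str(meta.parent.parent), version, status))
    return findings


if __name__ == "__main__":
    # Usage: python find_litellm.py /path/to/search   (defaults to the current directory)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan(root)
    for site_dir, version, status in results:
        print(f"{status:8} litellm {version:12} {site_dir}")
    sys.exit(1 if any(s != "ok" for _, _, s in results) else 0)
```

The script exits non-zero when any install is AFFECTED or UNKNOWN, so it can gate a fleet-wide audit job. It only sees installs that left a dist-info directory on disk.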

Network monitoring teams should implement detection rules for the command-and-control infrastructure identified in the malicious code. The compromised packages establish connections to attacker-controlled domains using encrypted channels that mimic legitimate API traffic. Security teams must review firewall logs and network flow data for connections to suspicious external endpoints, particularly those exhibiting patterns consistent with data exfiltration activities. Additionally, organizations should rotate all API keys and credentials that may have been accessible to systems running the compromised LiteLLM versions.

Long-term security improvements require implementing software composition analysis tools that can detect supply chain compromises before deployment. Development teams should establish package verification procedures including cryptographic signature validation and dependency pinning to prevent automatic updates to potentially compromised versions. PyPI has enhanced its security measures following this incident, but organizations cannot rely solely on repository-level protections given the sophisticated nature of modern supply chain attacks targeting the open-source ecosystem.

Frequently Asked Questions

How do I check if my system has the compromised LiteLLM package?
Run 'pip list | grep litellm' in your terminal to check the installed version. If you have versions 1.35.8 through 1.35.12, your system is compromised and requires immediate attention. Uninstall the package immediately and scan for potential data theft.

What data did TeamPCP steal from the LiteLLM compromise?
TeamPCP claims to have stolen API keys, configuration files, source code, and system metadata from hundreds of thousands of devices. The malicious code specifically targeted cloud service credentials and development environment data. Organizations should rotate all potentially exposed credentials immediately.

Is it safe to use LiteLLM after the TeamPCP attack?
Yes, LiteLLM is safe to use after installing clean versions. Avoid versions 1.35.8 through 1.35.12 and install either version 1.35.7 or the latest patched release. PyPI has removed the malicious versions and implemented additional security measures.
