Popular LiteLLM PyPI Package Compromised in TeamPCP Supply Chain Attack

What happened

A LiteLLM PyPI package compromise in a TeamPCP supply chain attack led to the publication of two malicious versions of the package, 1.82.7 and 1.82.8, on March 24, 2026. According to Endor Labs, the compromised releases contained a hidden payload injected into litellm/proxy/proxy_server.py as a base64-encoded payload that executes when the package is imported. Version 1.82.8 also installed a .pth file named litellm_init.pth, allowing the malicious code to run whenever Python starts, even if LiteLLM is not specifically used. Once executed, the payload deployed a variant of TeamPCP Cloud Stealer and a persistence script. The malware harvested credentials, tokens, Kubernetes secrets, cloud credentials, database credentials, TLS private keys, CI/CD secrets, .env files, and cryptocurrency wallet data, then sent encrypted stolen data to attacker-controlled infrastructure. 

Who is affected

The direct exposure affects organizations and users that installed malicious LiteLLM versions 1.82.7 or 1.82.8 from PyPI. The stolen data described includes credentials and authentication material from impacted devices and environments, including cloud platforms, Kubernetes clusters, local systems, and development or deployment workflows. 

Why CISOs should care

This incident is operationally significant because the compromised package targeted widely used credentials and secrets and also included persistence and Kubernetes-related activity. For security leaders, the reported scope of harvested data means the impact may extend beyond the initial host to cloud, cluster, and application environments tied to exposed authentication material. 

3 practical actions:

1. Identify affected installs: Check immediately whether any systems installed LiteLLM versions 1.82.7 or 1.82.8 and confirm whether version 1.82.6 or another clean release is in use. 
2. Rotate exposed secrets: Treat secrets, tokens, and credentials used on or found within impacted devices as exposed and rotate them immediately. 
3. Hunt for persistence and cluster abuse: Search for ~/.config/sysmon/sysmon.py, related systemd services, suspicious files such as /tmp/pglog and /tmp/.pg_state, unauthorized pods in the kube-system namespace, and outbound traffic to known attacker domains. 

For more coverage of infostealers, loaders, and evolving malicious tooling, explore our reporting under the Malware tag.