How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM

Source: Blog RSS Feed | Snyk

Summary

On March 24, 2026, malicious versions 1.82.7 and 1.82.8 of the `litellm` Python package were found on PyPI, published by TeamPCP. The threat actor obtained LiteLLM's PyPI credentials by compromising a Trivy GitHub Action within LiteLLM's CI/CD pipeline. These versions, available for approximately three hours, contained a three-stage payload: a credential harvester, encrypted exfiltration to `models.litellm.cloud`, a persistent `sysmon.py` backdoor, and a Kubernetes worm. Version 1.82.7 injected code into `proxy_server.py`, while 1.82.8 used a `.pth` file for execution on every Python interpreter startup, leading to a fork bomb that aided discovery. This incident is Phase 09 of an ongoing TeamPCP campaign, which previously targeted Trivy and Checkmarx KICS, utilizing consistent attack infrastructure.

Key takeaway

For MLOps Engineers or AI Security Engineers managing Python dependencies and CI/CD pipelines, this incident underscores the critical risk of unpinned versions. If your systems installed `litellm` 1.82.7 or 1.82.8, immediately follow the remediation steps: check for persistence artifacts, rotate all affected credentials (SSH, cloud, API keys), and install a clean version in a fresh environment. Proactively, pin all CI/CD dependencies to exact versions to prevent similar supply chain compromises.
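A first-pass check for the two indicators the summary and takeaway describe, an affected `litellm` version and a `.pth` file that runs code at interpreter startup, could look like the following. This is an added example, not code from the Snyk article or from LiteLLM; the function names and the file names inside `demo()` are constructed for illustration.

```python
# Added example (not from the Snyk article): triage one site-packages directory.
import re
import site
import tempfile
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # affected litellm releases named above

def litellm_versions(site_dir):
    """Versions of litellm recorded in *.dist-info/METADATA under site_dir."""
    found = []
    for meta in Path(site_dir).glob("*.dist-info/METADATA"):
        text = meta.read_text(errors="replace")
        name = re.search(r"^Name:[ \t]*(\S+)", text, re.M)
        ver = re.search(r"^Version:[ \t]*(\S+)", text, re.M)
        if name and ver and name.group(1).lower() == "litellm":
            found.append(ver.group(1))
    return sorted(found)

def executable_pth_lines(site_dir):
    """(.pth file name, line) pairs that Python's site module would exec()."""
    # site executes any .pth line that starts with "import" plus a space or
    # tab; every other non-comment line is treated as a path entry.
    hits = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, line.strip()))
    return hits

def triage(site_dir):
    versions = litellm_versions(site_dir)
    return {"versions": versions,
            "affected": any(v in BAD_VERSIONS for v in versions),
            "pth_exec": executable_pth_lines(site_dir)}

def demo():
    """Run triage on a constructed tree (the file names here are made up)."""
    with tempfile.TemporaryDirectory() as d:
        info = Path(d, "litellm-1.82.8.dist-info")
        info.mkdir()
        (info / "METADATA").write_text("Metadata-Version: 2.1\nName: litellm\nVersion: 1.82.8\n")
        Path(d, "constructed_example.pth").write_text("/opt/some/path\nimport os; os.getpid()\n")
        return triage(d)

if __name__ == "__main__":
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        print(d, triage(d))
```

Legitimate packages also ship `.pth` files with `import` lines, so each `pth_exec` hit is a lead to review against the package that owns it, not a verdict. A clean result here does not replace credential rotation on a host that installed either version.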

Key insights

Compromised CI/CD tools can enable supply chain attacks by exfiltrating publisher credentials to inject malicious code into legitimate packages.

Method

Attackers exploited a poisoned CI/CD scanner to steal PyPI credentials, then published malicious `litellm` versions with a multi-stage payload for credential harvesting, encrypted exfiltration, and Kubernetes lateral movement.

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, MLOps Engineer, Software Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by Blog RSS Feed | Snyk.