LiteLLM
LiteLLM was compromised in a March 2026 software supply-chain campaign attributed in the provided reporting to TeamPCP, also tracked as DeadCatx3, PCPcat, ShellForce, CanisterWorm, and in one report as UNC6780. Using credentials reportedly stolen from LiteLLM’s CI/CD pipeline after that pipeline ran unpinned Trivy during the broader TeamPCP campaign, attackers published trojanized LiteLLM versions 1.82.7 and 1.82.8 to PyPI on March 24, 2026. The malicious code executed via Python: in version 1.82.7 it ran when importing litellm.proxy.proxy_server, while version 1.82.8 added litellm_init.pth, causing execution automatically on Python interpreter startup via Python’s site module without requiring an import.
Across the provided sources, the LiteLLM payload is described as a base64-decoded Python stealer consistent with TeamPCP tooling. Reported capabilities include host fingerprinting, filesystem credential theft, scraping secrets from CI/CD and developer environments, collecting cloud and Kubernetes credentials, SSH material, Docker and registry credentials, .env files, shell histories, and other sensitive files. Multiple reports state the broader TeamPCP malware also scraped GitHub Actions Runner.Worker process memory via /proc/<pid>/mem to recover secrets, queried cloud metadata services, and on non-CI Linux systems established persistence by dropping Python scripts under paths such as ~/.config/sysmon/ or ~/.local/share/pgmon/ and creating user-level systemd services. One mention context specifically describes persistence via a sysmon.service polling checkmarx.zone/raw. The campaign also reportedly supported fallback exfiltration through GitHub repository and release creation using stolen GitHub tokens.
For LiteLLM specifically, the provided content associates command-and-control and exfiltration with models.litellm.cloud, and one report states exfiltration used the HTTP header X-Filename: tpcp.tar.gz. Other mention contexts describe a triple-nested base64 payload and Kubernetes lateral movement tooling. The malicious LiteLLM releases were published to PyPI using stolen credentials and were later quarantined by PyPI on March 24, 2026. High-confidence affected versions directly mentioned in the content are 1.82.7 and 1.82.8.
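The startup-execution mechanism and the affected versions described above can be checked on a host with a short audit of a site-packages directory. This is an added example, not code from the reporting or from the LiteLLM project; the marker regex, the function names and the sample tree are assumptions constructed for illustration, and the version is read from the dist-info directory name.

```python
import re
import tempfile
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}   # trojanized releases named on this page
# Heuristic markers (assumption): encoded or dynamic execution inside a .pth line.
RISKY = re.compile(r"base64|b64decode|exec\s*\(|eval\s*\(|subprocess|os\.system")

def executable_pth_lines(pth_path):
    """Lines that site.py would exec() instead of adding to sys.path."""
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    # The site module executes only lines that start with "import " or "import\t".
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if line.startswith(("import ", "import\t"))]

def audit_site_dir(site_dir):
    """Return findings as (kind, name, detail) tuples for one site-packages dir."""
    site_dir, findings = Path(site_dir), []
    for pth in sorted(site_dir.glob("*.pth")):
        for n, line in executable_pth_lines(pth):
            kind = "pth-exec-risky" if RISKY.search(line) else "pth-exec"
            findings.append((kind, pth.name, f"line {n}: {line[:60]}"))
    for info in sorted(site_dir.glob("litellm-*.dist-info")):
        version = info.name[len("litellm-"):-len(".dist-info")]
        if version in BAD_VERSIONS:
            findings.append(("bad-version", "litellm", version))
    return findings

def build_constructed_site_dir(root):
    """Constructed sample tree; nothing in it is executed, it is only read as text."""
    root = Path(root)
    (root / "paths.pth").write_text("/opt/example/lib\n# comment\n")
    (root / "editable_demo.pth").write_text("import _editable_demo_finder\n")
    (root / "litellm_init.pth").write_text(
        'import base64;exec(base64.b64decode("CONSTRUCTED_PLACEHOLDER"))\n')
    (root / "litellm-1.82.8.dist-info").mkdir()
    (root / "litellm-1.0.0.dist-info").mkdir()   # constructed, not flagged
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_site_dir(build_constructed_site_dir(tmp)):
            print(finding)
```

On a real host, pass each directory from site.getsitepackages() and site.getusersitepackages() to audit_site_dir. Plain pth-exec findings need review rather than alarm, since some legitimate packages and editable installs also ship import lines in .pth files.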
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The attackers then published malicious versions 1.82.7 and 1.82.8 directly to PyPI, bypassing the normal release process. The malware used a Python .pth file... every python, pip, or pytest command would trigger the credential stealer.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
7 techniques
Using these stolen publish tokens, the attackers hit PyPI to push versions 1.82.7 and 1.82.8 of LiteLLM... It authenticated to the GitHub API using the victim’s own stolen PAT
The attackers validated cloud keys taken from the Trivy, LiteLLM, and Checkmarx KICS compromises and used them to access cloud services, enumerate infrastructure, run commands inside containers, and exfiltrate sensitive data.
Following LiteLLM-driven credential theft, attackers reportedly use a compromised Tailscale VPN credential for initial access to Mercor’s infrastructure.
The irony is that Mercor was hacked via a third-party open source tool called LiteLLM.
Earlier this month, Mercor said that it was "one of thousands of companies" affected by the LiteLLM supply-chain attack.
The severity of this dependency was demonstrated in March 2026, when attackers compromised the LiteLLM package through dependency confusion, injecting malicious code directly into the request-handling pipeline of every deployment that pulled the poisoned release.
Execution
4 techniques
The threat actor modified these workflows to execute malicious code during CI runs...
Packages contain a three-stage credential harvesting payload embedded via a .pth auto-execution file... The malicious LiteLLM package didn’t run obvious, easily-flagged code. It used a .pth file... that auto-executes on interpreter startup.
The LiteLLM payload bypassed standard SAST tools through a technique known as .pth file injection. When a package containing a .pth file is installed in the Python site-packages directory, the interpreter automatically reads it during initialization before the primary script is ever executed or imported.
Persistence
7 techniques
The malware leveraged a .pth file, which executes automatically during Python interpreter startup. This means the payload runs in most Python processes without needing the package to be explicitly imported
Using these stolen publish tokens, the attackers hit PyPI to push versions 1.82.7 and 1.82.8 of LiteLLM... It authenticated to the GitHub API using the victim’s own stolen PAT
The attackers validated cloud keys taken from the Trivy, LiteLLM, and Checkmarx KICS compromises and used them to access cloud services, enumerate infrastructure, run commands inside containers, and exfiltrate sensitive data.
Following LiteLLM-driven credential theft, attackers reportedly use a compromised Tailscale VPN credential for initial access to Mercor’s infrastructure.
These packages contained credential-stealing and backdoor code designed to harvest SSH keys, cloud credentials, Kubernetes secrets, database credentials, environment variables, and other sensitive data, while establishing persistent access to attacker-controlled infrastructure.
Privilege Escalation
5 techniques
The malware leveraged a .pth file, which executes automatically during Python interpreter startup. This means the payload runs in most Python processes without needing the package to be explicitly imported
Using these stolen publish tokens, the attackers hit PyPI to push versions 1.82.7 and 1.82.8 of LiteLLM... It authenticated to the GitHub API using the victim’s own stolen PAT
The attackers validated cloud keys taken from the Trivy, LiteLLM, and Checkmarx KICS compromises and used them to access cloud services, enumerate infrastructure, run commands inside containers, and exfiltrate sensitive data.
Stealth
5 techniques
The TeamPCP payload dropped a heavily obfuscated Base64-encoded execution string into a hidden .pth file ... During the Bitwarden CLI compromise on April 22, the core payload bw1.js was a massive 9.7 MB file processed through obfuscator.io, utilizing a 43,436-entry string lookup table
Using these stolen publish tokens, the attackers hit PyPI to push versions 1.82.7 and 1.82.8 of LiteLLM... It authenticated to the GitHub API using the victim’s own stolen PAT
The attackers validated cloud keys taken from the Trivy, LiteLLM, and Checkmarx KICS compromises and used them to access cloud services, enumerate infrastructure, run commands inside containers, and exfiltrate sensitive data.
The LiteLLM payload bypassed standard SAST tools through a technique known as .pth file injection. When a package containing a .pth file is installed in the Python site-packages directory, the interpreter automatically reads it during initialization before the primary script is ever executed or imported.
Credential Access
4 techniques
When the compromised action ran, it harvested LiteLLM’s PyPI publishing token.
The payload searched for and exfiltrated over 50 categories of secrets: SSH keys, AWS and GCP access tokens, Kubernetes secrets, crypto wallet keys, .env files, and API credentials for LLM providers like OpenAI, Anthropic, and Cohere.
Discovery
2 techniques
Collection
3 techniques
The TeamPCP malware specifically sought out these directories, intercepting proprietary prompts and unencrypted model weights directly from the development lifecycle.
Command and Control
1 technique
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A trojanized Python package used for supply-chain compromise. It leveraged .pth file injection to execute on interpreter startup, exfiltrate data, and in some cases establish persistence on developer systems.
Referenced as a prior malicious package in the same TeamPCP supply-chain campaign series. The same RSA key and exfiltration format are said to appear in the LiteLLM and telnyx attacks.
Compromised PyPI package releases published with stolen CI/CD credentials as part of the TeamPCP supply-chain campaign.
In this content, LiteLLM is discussed as a compromised package/tool in the TeamPCP supply chain campaign associated with secret theft and exfiltration from CI/CD environments.