TL;DR

  • A threat actor called TeamPCP backdoored LiteLLM, a popular AI development tool used by thousands of businesses, stealing credentials, cloud keys, and cryptocurrency wallets from anyone who installed the compromised versions [1].
  • The attack exploited a weakness in the software's own security scanning pipeline (Trivy), turning a trusted CI/CD process into an attack vector — a pattern now hitting five different software ecosystems [2].
  • Businesses adopting AI tools face growing software supply chain risks, with 245% more malicious packages detected on PyPI in 2025 compared to 2023 [3].
  • Practical steps below to verify your software dependencies and protect your business from this expanding category of threat.

What Happened: A Trusted AI Tool Turned Hostile

On March 24, 2026, security researchers at Endor Labs and JFrog independently discovered that LiteLLM — a widely used Python library that helps businesses connect to AI models from OpenAI, Anthropic, Google, and others — had been compromised [1] [4]. Two malicious versions (1.82.7 and 1.82.8) were pushed to PyPI, the main repository where Python developers download software packages.

The compromised versions contained a three-stage attack payload: a credential harvester that swept up SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and environment files; a lateral movement toolkit that spread across cloud infrastructure; and a persistent backdoor that checked in with an attacker-controlled server every 50 minutes [1].

According to Endor Labs researcher Kiran Raj, the payload was specifically designed for maximum reach: "The payload is a three-stage attack: a credential harvester sweeping SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files; a Kubernetes lateral movement toolkit deploying privileged pods to every node; and a persistent systemd backdoor polling for additional binaries" [1].

Both malicious versions have been removed from PyPI, but any system that installed them during the window of compromise may still be affected.


How the Attack Worked: Poisoning the Security Pipeline

What makes this incident particularly concerning is how the attacker gained access. TeamPCP — the same group behind recent compromises of Trivy and KICS, both popular open-source security scanning tools — exploited the fact that LiteLLM used Trivy in its automated build process [2]. When Trivy's GitHub Actions pipeline was compromised, that poisoned access cascaded downstream into every project that depended on it.

This is a supply chain attack in its purest form: rather than attacking LiteLLM directly, the attackers compromised a security tool that LiteLLM trusted. The irony is stark — a security scanner became the attack vector.

Socket Security confirmed that TeamPCP has now expanded across five different software ecosystems: GitHub Actions, Docker Hub, npm, Open VSX (VS Code extensions), and PyPI [5]. This breadth suggests a coordinated, well-resourced operation rather than an opportunistic attack.

Why This Matters for Your Business

According to research from Sonatype, software supply chain attacks surged 156% year-over-year in 2025, with the average enterprise using over 500 open-source dependencies across their applications [6]. The Australian Cyber Security Centre (ACSC) specifically flagged supply chain compromises as a top-tier threat to Australian businesses in their 2025 Annual Cyber Threat Report [7].

The LiteLLM attack is particularly relevant to businesses for three reasons:

AI adoption is accelerating. According to McKinsey's 2025 State of AI report, 72% of organisations have adopted AI in at least one business function, up from 55% in 2023 [8]. Every AI tool your business uses introduces dependencies — and each dependency is a potential attack surface.

Small and mid-sized businesses are disproportionately affected. Larger enterprises typically have dedicated security teams that monitor package registries and pin dependency versions. According to Verizon's 2025 Data Breach Investigations Report, businesses with fewer than 1,000 employees accounted for 46% of breaches involving compromised third-party software [9].

The damage extends beyond the initial compromise. Stolen cloud credentials give attackers access to everything those credentials protect — customer data, financial systems, proprietary business logic. According to IBM's 2025 Cost of a Data Breach Report, the average cost of a breach involving compromised credentials reached $4.81 million, with an average identification time of 292 days [10].

What To Do Right Now: A Practical Checklist

1. Check your Python environments for compromised packages. Run pip list | grep litellm in every Python environment on every system where Python is installed (each virtual environment reports only its own packages, so check them one by one). If you see version 1.82.7 or 1.82.8, treat that system as compromised immediately.

2. Audit your dependency management. Use dependency locking (a pinned requirements.txt generated with pip freeze and extended with package hashes, or poetry.lock) so that packages cannot be silently updated to compromised versions without your explicit approval.

3. Implement software composition analysis (SCA). Tools like Snyk, Dependabot, or Socket.dev can automatically flag known-malicious packages before they reach your production systems.

4. Review your CI/CD pipeline trust boundaries. If your build process pulls in external tools automatically (as LiteLLM did with Trivy), each of those tools is a trust dependency. Map them. Monitor them.

5. Rotate credentials proactively. If any system in your environment installed Python packages between March 24 and 25, 2026, rotate all cloud credentials, SSH keys, and API tokens that were accessible on those systems.

6. Talk to your IT provider. If you outsource IT, ask them specifically: "How do you monitor for compromised software dependencies?" The answer tells you a lot about their security maturity.
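As an added example (not code from the article or from the LiteLLM project), the following script carries out steps 1 and 2 of the checklist: it walks a list of site-packages directories for the two compromised litellm releases and flags requirements lines that are neither pinned with == nor protected by a --hash. The environment names and the hash value in the sample are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

COMPROMISED = {"1.82.7", "1.82.8"}   # the two releases named in the article
DIST_INFO = re.compile(r"^litellm-(?P<ver>[^-]+)\.dist-info$")


def litellm_versions(site_packages: Path) -> list[str]:
    """litellm versions installed in one site-packages directory, read from the
    dist-info folder pip writes; call once per virtualenv, as pip list does."""
    found = [m.group("ver") for p in site_packages.iterdir()
             if p.is_dir() and (m := DIST_INFO.match(p.name))]
    return sorted(found)


def find_compromised(site_packages_dirs) -> dict[str, list[str]]:
    """Map each environment path to any compromised litellm version found there."""
    hits = {}
    for directory in map(Path, site_packages_dirs):
        bad = [v for v in litellm_versions(directory) if v in COMPROMISED]
        if bad:
            hits[str(directory)] = bad
    return hits


def weak_requirements(text: str) -> list[str]:
    """Requirement lines not pinned with == plus a --hash. Once every line has a
    hash, pip install --require-hashes rejects any artifact that does not match."""
    joined = text.replace("\\\n", " ")          # fold pip's line continuations
    weak = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):    # blank lines and pip options
            continue
        if "==" not in line or "--hash=" not in line:
            weak.append(line.split()[0])
    return weak


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Constructed sample: two fake environments plus a requirements file."""
    root = Path(tempfile.mkdtemp())
    for env, ver in (("dev-laptop", "1.82.7"), ("ci-runner", "1.82.6")):
        (root / env / f"litellm-{ver}.dist-info").mkdir(parents=True)
    reqs = ("litellm==1.82.6 \\\n"
            "    --hash=sha256:PLACEHOLDER_NOT_A_REAL_HASH\n"
            "requests>=2.31\n"                   # floating: any new release accepted
            "openai==1.0.0\n")                   # pinned but unverified: no hash
    envs = [root / "dev-laptop", root / "ci-runner"]
    return find_compromised(envs), weak_requirements(reqs)


if __name__ == "__main__":
    hits, weak = demo()
    print("compromised installs:", hits or "none")
    print("unverified requirements:", weak or "none")
```

Point find_compromised at the site-packages directory of each interpreter and virtual environment on a host; a non-empty result for any of them is the trigger for step 5 (credential rotation).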


The Bigger Picture: Building Business Resilience

The LiteLLM incident is part of a broader trend. As businesses adopt more AI tools, their software supply chains grow more complex — and more attractive to attackers. The National Institute of Standards and Technology (NIST) updated its Secure Software Development Framework (SSDF) in 2025 specifically to address the growing risk of dependency-based attacks [11].

Building resilience here is not about avoiding new technology. It is about adopting it with a clear-eyed understanding of the risks and the right controls in place. Businesses that manage their software dependencies proactively are better positioned to adopt AI tools confidently, move faster, and protect what they have built.

FAQ

What Is LiteLLM?

LiteLLM is an open-source Python library that provides a unified interface to connect with AI models from multiple providers including OpenAI, Anthropic, and Google. It is used by developers and businesses building AI-powered applications, chatbots, and automation tools. The package has been downloaded millions of times from PyPI.

How Do I Know If My Business Is Affected?

Check all Python environments in your organisation for LiteLLM versions 1.82.7 or 1.82.8. Run pip list | grep litellm on developer machines, servers, and any CI/CD build environments. If either version is present, assume compromise and begin incident response procedures including credential rotation.

What Is a Software Supply Chain Attack?

A software supply chain attack occurs when an attacker compromises a trusted software component — like a library, tool, or update mechanism — to distribute malicious code to everyone who uses that component. Instead of attacking your business directly, attackers target something your business depends on. It is analogous to contaminating ingredients at a food supplier rather than breaking into individual restaurants.

How Can My Business Protect Itself?

Pin your software dependencies to specific, verified versions. Use dependency scanning tools (many offer free tiers). Keep an inventory of the software your business relies on. Work with an IT provider or security consultant who actively monitors these risks. The Australian Cyber Security Centre's Essential Eight framework includes application control measures that help mitigate supply chain risks [12].

Is This Related to the Trivy Compromise?

Yes. TeamPCP first compromised Trivy and KICS — both security scanning tools from Checkmarx — and then used that access to attack downstream projects like LiteLLM that relied on Trivy in their automated build processes. This cascading pattern makes supply chain attacks particularly dangerous because compromising one widely-used tool can affect thousands of downstream projects [2].

References

[1] Endor Labs, "TeamPCP Isn't Done — LiteLLM Supply Chain Attack Analysis," Endor Labs Research, Mar. 24, 2026. [Online]. Available: https://www.endorlabs.com/learn/teampcp-isnt-done

[2] R. Lakshmanan, "TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 Likely via Trivy CI/CD Compromise," The Hacker News, Mar. 24, 2026. [Online]. Available: https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html

[3] Sonatype, "2025 State of the Software Supply Chain Report," Sonatype, 2025. [Online]. Available: https://www.sonatype.com/state-of-the-software-supply-chain

[4] JFrog, "LiteLLM Compromised by TeamPCP — Supply Chain Attack Analysis," JFrog Security Research, Mar. 24, 2026. [Online]. Available: https://research.jfrog.com/post/litellm-compromised-teampcp/

[5] Socket Security, "TeamPCP Targeting Security Tools Across OSS Ecosystem," Socket Blog, Mar. 2026. [Online]. Available: https://socket.dev/blog/teampcp-targeting-security-tools-across-oss-ecosystem

[6] Sonatype, "2025 State of the Software Supply Chain — Enterprise Dependency Analysis," Sonatype, 2025. [Online]. Available: https://www.sonatype.com/state-of-the-software-supply-chain

[7] Australian Cyber Security Centre, "Annual Cyber Threat Report 2024-2025," Australian Signals Directorate, 2025. [Online]. Available: https://www.cyber.gov.au/about-us/reports-and-statistics/annual-cyber-threat-report

[8] McKinsey & Company, "The State of AI in 2025," McKinsey Global Institute, 2025. [Online]. Available: https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai

[9] Verizon, "2025 Data Breach Investigations Report," Verizon Enterprise, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[10] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[11] NIST, "Secure Software Development Framework (SSDF) Version 1.2," NIST SP 800-218, 2025. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-218/final

[12] Australian Cyber Security Centre, "Essential Eight Maturity Model," Australian Signals Directorate, 2025. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight


Your business is adopting AI tools — make sure your software supply chain is secure. Book a consultation with lilMONSTER to get a clear picture of your dependency risks and build resilience into your technology stack.

TL;DR

  • Bad actors snuck harmful code into a popular AI tool called LiteLLM that thousands of businesses use [1].
  • The attack stole passwords, secret keys, and digital wallets from anyone who installed the poisoned version [1].
  • They did it by first compromising a security tool that LiteLLM trusted — like poisoning the water at the treatment plant [2].
  • Here is what it means for your business and how to stay safe.

What Is LiteLLM?

Imagine you run a restaurant and instead of ordering from one food supplier, you want to compare prices from ten different ones. LiteLLM is like a universal ordering app that lets businesses talk to different AI services — ChatGPT, Claude, Gemini — all through one simple connection.

Thousands of companies use it to build AI features into their products [1].

What Went Wrong?

A group of hackers called TeamPCP figured out something clever. Instead of breaking into LiteLLM directly, they first broke into a security scanner called Trivy — a tool that LiteLLM used to check itself for bugs [2].

Think of it this way: imagine a locksmith who checks all the locks in your building gets compromised. Now the attacker does not need to pick any locks — they have the locksmith's master key.

Once inside, TeamPCP published two fake versions of LiteLLM (versions 1.82.7 and 1.82.8) to PyPI, the online store where developers download software [1]. Anyone who downloaded these versions unknowingly installed malware that:

  • Collected passwords and secret keys stored on their computers [1]
  • Spread to other computers on the same network [1]
  • Set up a hidden door that let the hackers come back anytime they wanted [1]

Why Should You Care?

You might not use LiteLLM directly, but your business probably relies on software that works the same way — built from dozens of smaller pieces, each one downloaded from the internet.

According to security research firm Sonatype, attacks on these software building blocks increased by 156% in just one year [3]. And IBM found that when hackers steal login credentials this way, the average cleanup cost is $4.81 million [4].

The Australian Cyber Security Centre has flagged these kinds of attacks as one of the top threats businesses face today [5].

What Can You Do?

Ask your IT team or provider three questions:

  1. "Do we pin our software to specific versions so updates do not happen automatically?" — This stops poisoned updates from sneaking in.

  2. "Do we have tools that scan our software for known threats?" — Free and paid tools exist that check every package you download against a database of known attacks [6].

  3. "If a tool we depend on gets compromised, how quickly would we know?" — The answer tells you whether your business would catch something like this in hours or months.

If you do not have an IT team: Start by keeping an inventory of the software your business uses. Know what you depend on. That awareness alone puts you ahead of most small businesses.

The Simple Takeaway

Every AI tool and every piece of software your business uses is built from smaller parts. If any of those parts gets poisoned, the whole thing becomes dangerous. The best protection is knowing what you depend on and having someone who watches for these threats.

It is like food safety — you trust your suppliers, but smart restaurants still check what arrives at the loading dock.

FAQ

What Is a Software Supply Chain Attack?

Instead of attacking your business directly, hackers attack the tools or software your business depends on. When you update or install that trusted software, you unknowingly install the attacker's code too. It is like someone tampering with ingredients at a factory — every product made with those ingredients gets affected.

How Do I Know If My Business Is Affected?

If anyone in your organisation uses Python and has LiteLLM installed, check the version number. Versions 1.82.7 and 1.82.8 were the compromised ones. Run pip list | grep litellm to check. If you see those versions, contact an IT professional immediately.

How Common Are These Attacks?

Very common and growing fast. Sonatype tracked a 156% increase in software supply chain attacks in 2025 [3]. With the LiteLLM incident, PyPI becomes the fifth software ecosystem TeamPCP has targeted, showing these attackers are becoming more ambitious [2].

Should My Business Stop Using AI Tools?

No. AI tools can genuinely help your business work smarter and save money. The key is using them with proper safeguards — verified versions, dependency scanning, and regular security reviews. Think of it like driving: cars are useful, but you still wear a seatbelt.

References

[1] Endor Labs, "TeamPCP Isn't Done — LiteLLM Supply Chain Attack Analysis," Endor Labs Research, Mar. 24, 2026. [Online]. Available: https://www.endorlabs.com/learn/teampcp-isnt-done

[2] R. Lakshmanan, "TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 Likely via Trivy CI/CD Compromise," The Hacker News, Mar. 24, 2026. [Online]. Available: https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html

[3] Sonatype, "2025 State of the Software Supply Chain Report," Sonatype, 2025. [Online]. Available: https://www.sonatype.com/state-of-the-software-supply-chain

[4] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[5] Australian Cyber Security Centre, "Annual Cyber Threat Report 2024-2025," Australian Signals Directorate, 2025. [Online]. Available: https://www.cyber.gov.au/about-us/reports-and-statistics/annual-cyber-threat-report

[6] Socket Security, "TeamPCP Targeting Security Tools Across OSS Ecosystem," Socket Blog, Mar. 2026. [Online]. Available: https://socket.dev/blog/teampcp-targeting-security-tools-across-oss-ecosystem

[7] JFrog, "LiteLLM Compromised by TeamPCP — Supply Chain Attack Analysis," JFrog Security Research, Mar. 24, 2026. [Online]. Available: https://research.jfrog.com/post/litellm-compromised-teampcp/

[8] McKinsey & Company, "The State of AI in 2025," McKinsey Global Institute, 2025. [Online]. Available: https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai


Wondering if your business software is safe? Talk to lilMONSTER — we help businesses understand their technology risks in plain language.
