The compromised packages, linked to the Trivy breach, executed a three‑stage payload targeting AWS, GCP, Azure, Kubernetes configs, SSH keys, and automation pipelines before being removed.

InfoWorld is a source of news, analysis, and commentary on technology trends, IT strategies, and business innovation. With a focus on enterprise technology and digital transformation, InfoWorld offers insights and guidance for IT decision-makers, software developers, and technology professionals. From  articles on cloud computing and cybersecurity to product reviews and industry trends, InfoWorld helps readers navigate the complexities of modern IT environments and make informed decisions to drive business success.

InfoWorld

Two malicious versions of LiteLLM (1.82.7 and 1.82.8) were briefly published on PyPI as part of the TeamPCP supply chain campaign, which previously compromised the Trivy vulnerability scanner. The packages embedded a three-stage payload that harvested environment variables, SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes configs, CI/CD secrets, Docker configs, database credentials, and cryptocurrency wallets. Data was encrypted with AES-256-CBC and exfiltrated to attacker-controlled servers. The packages were live for roughly two hours but given LiteLLM's 3 million daily downloads, exposure could be significant. PyPI advises anyone who installed the affected versions to immediately revoke and rotate all credentials accessible to the LiteLLM environment. Wiz reports LiteLLM is present in 36% of cloud environments, and researchers link the campaign to LAPSUS$.

PyPI warns developers after LiteLLM malware found stealing cloud and CI/CD credentials