TeamPCP orchestrated one of the most sophisticated multi-ecosystem supply chain campaigns publicly documented to date. It cascaded through developer tooling and compromised LiteLLM and exposed how AI proxy services that concentrate API keys and cloud credentials become high-value collateral when supply chain attacks compromise upstream dependencies.

Trend Micro Blog offers insights, analysis, and updates on cybersecurity threats, trends, and best practices. Covering topics such as malware analysis, threat intelligence, and cybersecurity risk management, Trend Micro Blog provides resources for IT security professionals, helping them stay ahead of emerging threats and protect their organizations from cyber attacks.

Trend Micro

TeamPCP, a criminal threat actor group, orchestrated a sophisticated multi-ecosystem supply chain attack that compromised LiteLLM, a Python package downloaded 3.4 million times daily used as a unified AI proxy gateway. Two malicious versions (1.82.7 and 1.82.8) were published to PyPI containing a three-stage payload: a credential harvester targeting 50+ secret categories (SSH keys, cloud credentials, Kubernetes secrets, LLM API keys), a Kubernetes lateral movement toolkit, and a persistent backdoor polling a C2 server every 50 minutes. The attack originated from a compromised Trivy security scanner GitHub Action, whose stolen CI/CD tokens cascaded through npm, Docker Hub, Checkmarx KICS, and finally LiteLLM. The malware used AES-256-CBC + RSA-4096 hybrid encryption for exfiltration and a YouTube URL kill switch for global deactivation. The compromise was accidentally discovered due to a fork bomb bug in the payload. Defenders should rotate all credentials on affected systems, pin dependencies with hash verification, monitor for .pth file creation in site-packages, and audit transitive dependencies.

Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise