Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise
TeamPCP, a criminal threat actor group, orchestrated a sophisticated multi-ecosystem supply chain attack that compromised LiteLLM, a Python package used as a unified AI proxy gateway and downloaded 3.4 million times daily. Two malicious versions (1.82.7 and 1.82.8) were published to PyPI containing a three-stage payload: a credential harvester targeting 50+ secret categories (SSH keys, cloud credentials, Kubernetes secrets, LLM API keys), a Kubernetes lateral movement toolkit, and a persistent backdoor polling a C2 server every 50 minutes. The attack originated from a compromised Trivy security scanner GitHub Action, whose stolen CI/CD tokens cascaded through npm, Docker Hub, Checkmarx KICS, and finally LiteLLM. The malware used AES-256-CBC + RSA-4096 hybrid encryption for exfiltration and a YouTube URL kill switch for global deactivation. The compromise was discovered by accident, because a fork bomb bug in the payload drew attention to it. Defenders should rotate all credentials on affected systems, pin dependencies with hash verification, monitor for .pth file creation in site-packages, and audit transitive dependencies.
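The .pth recommendation above rests on how Python's site.py treats these files: any line in a site-packages .pth file that begins with "import " is executed at interpreter startup, which is what makes .pth creation a persistence point worth watching. The following audit script is an added example, not code from the article or from LiteLLM; the indicator substrings and the allowlist entry are constructed for illustration and should be tuned to your environment.

```python
"""Audit site-packages for .pth files that execute code at interpreter start.

site.py reads every *.pth file in site-packages; a line starting with
"import " (or "import\t") is executed as Python rather than added to
sys.path. Plain path lines and comments are never executed.
"""
import site
from pathlib import Path

# Substrings that warrant a closer look on an executable line.
# Constructed heuristics for this example, not an exhaustive list.
SUSPICIOUS = ("exec(", "eval(", "base64", "subprocess", "urllib", "socket", "compile(")

# Executable .pth files you have reviewed and accept (setuptools ships one).
ALLOWLIST = {"distutils-precedence.pth"}


def scan_pth_file(path):
    """Return (line_no, line, indicators) for each executable line in a .pth file."""
    findings = []
    for line_no, raw in enumerate(path.read_text(errors="replace").splitlines(), 1):
        line = raw.strip()
        if not line.startswith(("import ", "import\t")):
            continue  # path entry or comment: not executed by site.py
        indicators = [s for s in SUSPICIOUS if s in line]
        findings.append((line_no, line, indicators))
    return findings


def scan_directory(directory):
    """Scan every .pth file in one directory; returns {filename: findings}."""
    results = {}
    for pth in sorted(Path(directory).glob("*.pth")):
        findings = scan_pth_file(pth)
        if findings:
            results[pth.name] = findings
    return results


def is_suspicious(name, findings):
    """Any indicator hit is suspicious; otherwise only non-allowlisted executable files are."""
    if any(ind for _, _, ind in findings):
        return True
    return name not in ALLOWLIST


if __name__ == "__main__":
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        for name, findings in scan_directory(d).items():
            tag = "SUSPICIOUS" if is_suspicious(name, findings) else "allowlisted"
            print(f"{tag}: {Path(d) / name}")
            for line_no, text, ind in findings:
                print(f"  line {line_no}: {text[:80]}  indicators={ind}")
```

Run it once to baseline a clean environment, then schedule it (or wire the same check into a file-creation watch on site-packages) so that a new executable .pth file shows up as a diff rather than going unnoticed.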