The TeamPCP hacking group has launched a supply-chain attack by compromising the widely used “LiteLLM” Python package on PyPI, and claims to have accessed data from hundreds of thousands of devices during the breach.
LiteLLM is a popular open-source Python library that connects users to multiple large language model (LLM) providers through a single API. The package sees high usage, with over 3.4 million downloads daily and more than 95 million in the last month.
Research from Endor Labs indicates that threat actors infiltrated the project and released malicious versions of LiteLLM 1.82.7 and 1.82.8 on PyPI. These versions contain an infostealer that harvests various sensitive data types.
TeamPCP, the hacking group responsible for breaching Aqua Security’s Trivy vulnerability scanner, has claimed responsibility for the attack. Their breach impacted Aqua Security Docker images, the Checkmarx KICS project, and now LiteLLM.
Sources suggest that approximately 500,000 pieces of data were exfiltrated, many of them being duplicates. BleepingComputer could not independently verify these numbers.
Endor Labs reports that the malicious LiteLLM versions contain hidden payloads that execute upon package import. The malware is injected into ‘litellm/proxy/proxy_server.py’ and executes when the module is imported.
Version 1.82.8 introduces a more aggressive feature that installs a ‘.pth’ file named ‘litellm_init.pth’ in the Python environment. Because Python processes ‘.pth’ files at interpreter startup, this enables the execution of malicious code whenever Python runs, even if LiteLLM is not in use.
The payload deploys the “TeamPCP Cloud Stealer” and a persistence script that carries out credential theft. The stolen data is encrypted and sent to a domain controlled by the attackers.
Credentials and authentication secrets harvested by the cloud stealer include SSH keys, cloud credentials, Kubernetes tokens, environment files, database credentials, cryptocurrency wallet data, and more. The payload also includes a script disguised as a “System Telemetry Service” to communicate with a remote server.
Data is bundled into an encrypted archive and sent to attacker-controlled infrastructure. The exposed versions of LiteLLM have been removed from PyPI, with organizations urged to rotate all secrets, tokens, and credentials, and search for persistence artifacts and suspicious files on affected systems.
It is crucial to monitor and prevent further unauthorized access by threat actors. Experts recommend rotating credentials on impacted systems to mitigate the risk of cascading supply chain attacks.
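As an added example (not code from the article or from Endor Labs), the following Python sketch shows one way to search a site-packages directory for the artifacts named above: the two malicious release numbers, the ‘litellm_init.pth’ file, and any ‘.pth’ line that the interpreter would execute at startup. The function names are hypothetical, and it assumes the installed version can be read from the standard `litellm-<version>.dist-info` directory name.

```python
import re
import site
import sys
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}   # malicious releases named in the article
BAD_PTH = "litellm_init.pth"          # persistence file named in the article
# site.py executes any .pth line that begins with "import" plus a space or tab
EXEC_LINE = re.compile(r"^import[ \t]")
# Assumption: standard "<name>-<version>.dist-info" metadata directory naming
DIST_INFO = re.compile(r"^litellm-(?P<ver>[^-]+)\.dist-info$", re.IGNORECASE)

def scan_site_dir(directory):
    """Return (path, reason, detail) findings for one site-packages directory."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        m = DIST_INFO.match(entry.name)
        if m and m.group("ver") in BAD_VERSIONS:
            findings.append((str(entry), "malicious-release", m.group("ver")))
        if entry.suffix != ".pth" or not entry.is_file():
            continue
        if entry.name == BAD_PTH:
            findings.append((str(entry), "known-bad-pth", entry.name))
        try:
            text = entry.read_text(encoding="utf-8", errors="replace")
        except OSError as exc:
            findings.append((str(entry), "unreadable", str(exc)))
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            if EXEC_LINE.match(line):
                findings.append((str(entry), "executable-line", f"{lineno}: {line[:100]}"))
    return findings

def default_site_dirs():
    """Site-packages directories of the interpreter running this script."""
    dirs = set(getattr(site, "getsitepackages", lambda: [])())
    dirs.add(site.getusersitepackages())
    return sorted(d for d in dirs if Path(d).is_dir())

if __name__ == "__main__":
    # Pass directories explicitly to inspect another environment; running with
    # `python -S` keeps this interpreter from processing .pth files on startup.
    for target in sys.argv[1:] or default_site_dirs():
        for finding in scan_site_dir(target):
            print(*finding, sep="\t")
```

Legitimate packages also ship ‘.pth’ files with `import` lines, so an `executable-line` finding is a prompt for review, while `known-bad-pth` and `malicious-release` match the indicators reported for this incident.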