Information Security Buzz
Categories: Supply Chain Security, Artificial Intelligence, Attacks, Latest News, News & Analysis, Security

LiteLLM supply chain attack exposes millions to credential theft

By Kirsten Doyle, March 30, 2026, 5 min read

Researchers at Endor Labs have discovered a supply chain attack on the popular Python package LiteLLM on PyPI, with malicious code injected into versions 1.82.7 and 1.82.8, both of which have since been withdrawn.

The package is used in AI environments and developer tools, with an estimated 95 million downloads per month. 

The malicious packages included credential-stealing malware, including a .pth file that can run automatically when Python is started, enabling bad actors to harvest SSH keys, cloud credentials, API keys, and environment variables from infected systems.  

In some cases, the malware was also designed to access Kubernetes secrets and implant persistent backdoors on the compromised systems. 

The incident has been linked to the TeamPCP threat group, which has targeted software supply chains and developer tooling before. The researchers reported that the attackers used compromised publishing credentials to spread the malicious packages, potentially collecting data from hundreds of thousands of devices. 
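The auto-run hook described above is a documented feature of CPython's site module: at startup it reads every .pth file in each site-packages directory, and any line that begins with "import " is executed, while other lines are added to sys.path. The following audit script is an added example written for this article; it is not code from Endor Labs, LiteLLM or the malicious packages. The function names (`executable_pth_lines`, `audit_pth_dirs`, `default_pth_dirs`) and the sample .pth content are constructed for the example. Legitimate packages also use import lines (setuptools' distutils-precedence.pth, editable installs), so the output is a list to review, not a verdict.

```python
"""Audit .pth files for lines Python will execute at interpreter start.

Added example (not code from the article or from LiteLLM/Endor Labs).
CPython's site module reads every *.pth file in each site-packages
directory at startup: a line beginning with "import " or "import\\t" is
exec()'d, any other non-comment line is appended to sys.path.
"""
import os
import site
from dataclasses import dataclass, field


@dataclass
class PthFinding:
    path: str
    executable_lines: list = field(default_factory=list)  # (line_no, text)


def executable_pth_lines(text: str) -> list:
    """Return (line_no, line) for every line a .pth file would exec().

    Mirrors the rule in site.addpackage(): blank lines and '#' comments are
    skipped, lines starting with 'import ' / 'import\\t' are executed,
    everything else is treated as a path entry.
    """
    hits = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("import ", "import\t")):
            hits.append((n, line))
    return hits


def audit_pth_dirs(dirs) -> list:
    """Scan the given directories for .pth files with executable lines."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = executable_pth_lines(fh.read())
            except OSError:
                continue
            if hits:
                findings.append(PthFinding(path, hits))
    return findings


def default_pth_dirs() -> list:
    """site-packages directories of the running interpreter (system + user)."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return dirs


# Constructed sample of what a .pth with an executable line looks like.
# The exec'd line here is harmless; a malicious file would run its own code.
SAMPLE_PTH = """\
# comment lines are ignored
/opt/example/lib
import os; os.environ.setdefault('EXAMPLE_MARKER', '1')
"""

if __name__ == "__main__":
    print("sample .pth executable lines:", executable_pth_lines(SAMPLE_PTH))
    for f in audit_pth_dirs(default_pth_dirs()):
        print(f.path)
        for n, line in f.executable_lines:
            print(f"  line {n}: {line[:120]}")
```

Run it with the interpreter you want to inspect (including each virtualenv's python), since every interpreter has its own site-packages; anything listed that is not accounted for by an editable install or a known tool deserves a look at which package wrote it.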

A trust decision 

Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity at Suzu Labs, says: “Every third-party dependency is a trust decision. The LiteLLM compromise demonstrates what happens when that trust is granted by default and at scale.” 

He says TeamPCP did not need to attack LiteLLM directly. “They compromised Trivy, a vulnerability scanner running inside LiteLLM’s CI pipeline without version pinning. That single unmanaged dependency handed over the PyPI publishing credentials, and from there the attacker backdoored a library that serves 95 million downloads per month. One dependency. One chain reaction. Five supply chain ecosystems compromised in under a month.” 

Krell calls the pattern ‘instructive’. “TeamPCP has exclusively targeted security-adjacent tools. A vulnerability scanner, an infrastructure-as-code analyzer, and now an LLM proxy that handles API keys by design. These tools run with broad access because that is how they function. Compromising one hands the attacker every credential and secret that tool was trusted to touch.

Dependencies deserve the same scrutiny 

“This incident forces a broader conversation about how organizations treat their dependency graph. Zero trust has been applied to users, devices, and networks. Dependencies deserve the same scrutiny. Every imported library, build tool, and CI plugin carries implicit trust that is rarely evaluated with the same rigor applied to a new network connection or user account. At enterprise scale, this creates compounding technical debt where a single compromised package can cascade across the entire environment,” he adds. 

“The cost of building capability in house has dropped significantly. Organizations have more options to reduce their dependency surface than they did even two years ago. Dependencies that were once unavoidable are now choices. Where a third party library handles sensitive credentials, routes API traffic, or runs inside a build pipeline, organizations should be asking whether the risk of importing that dependency outweighs the cost of building and maintaining the capability internally. For the dependencies that remain, strict service level agreements, continuous verification, and the same zero trust posture applied to any other external input are the minimum standard. The dependency graph is part of the attack surface. Treating it as anything less is how cascading compromises happen.” 

“Blind-trust” engineering 

Noelle Murata, Sr. Security Engineer at Xcape Inc, adds: “The LiteLLM incident is a textbook example of ‘blind-trust’ engineering, where the convenience of a one-line install command outweighs basic cryptographic integrity. The business impact here is a complete loss of environment isolation, as a single unverified pip install can transition an attacker from a developer’s terminal to the core of a Kubernetes cluster in seconds.”

Murata says we should care because the industry’s reliance on public repositories without local hash verification or “lockfiles” has effectively turned the Internet into an unvetted production dependency. This breach succeeded because many businesses treat PyPI as a trusted internal mirror instead of a public, high-risk source of untrusted code. 

“To remediate this, defenders must move beyond reactive patching and enforce the use of signed software bills of materials (SBOMs) and private package registries that require mandatory hash pinning and pre-install scanning. If your CI/CD pipelines are pulling directly from the public Internet without validating a requirements.txt against known-good hashes, you have effectively outsourced your root access to anyone who can phish a single package maintainer,” Murata continues. 

“Installing unvetted packages from the Internet is essentially the digital equivalent of eating a sandwich you found on the subway and being surprised when you get food poisoning.” 
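Murata's point about validating requirements.txt against known-good hashes, and Krell's earlier point about the unpinned scanner in the CI pipeline, both come down to the same control: every dependency is pinned to an exact version and to the digest of the exact bytes that were reviewed. pip enforces this with `pip install --require-hashes -r requirements.txt`. The script below is an added example written for this article, not code from any of the vendors quoted; it reproduces that check offline so it can run as a CI lint step before anything is installed. The `Requirement` class, the function names, the sample artifact bytes and the requirements file (including the placeholder version string, which is not a real LiteLLM release) are all constructed for the example.

```python
"""Check a requirements file for version+hash pinning and verify an artifact.

Added example, not code from the article or from any vendor quoted in it.
pip's --require-hashes mode demands that every requirement be pinned with ==
and carry at least one --hash, and rejects a downloaded file whose digest
matches none of the listed hashes. This reproduces that logic offline.
"""
import hashlib
import re
import shlex
from dataclasses import dataclass, field

HASH_RE = re.compile(r"^--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)$")
# project name, optional [extras], then an exact == pin (no ranges, no bare names)
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?==[^\s;]+$")


@dataclass
class Requirement:
    spec: str
    version_pinned: bool
    hashes: dict = field(default_factory=dict)  # algo -> set of hex digests


def _logical_lines(text: str):
    """Yield requirement lines with pip's backslash continuations joined."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def parse_requirements(text: str) -> list:
    """Parse specs and their --hash options; global pip options are skipped."""
    reqs = []
    for line in _logical_lines(text):
        tokens = shlex.split(line)
        if not tokens or tokens[0].startswith("-"):
            continue  # e.g. --index-url or -r other.txt, not a requirement
        spec = tokens[0]
        hashes = {}
        for tok in tokens[1:]:
            m = HASH_RE.match(tok)
            if m:
                hashes.setdefault(m.group(1), set()).add(m.group(2).lower())
        reqs.append(Requirement(spec, bool(PIN_RE.match(spec)), hashes))
    return reqs


def unpinned_requirements(text: str) -> list:
    """Specs that --require-hashes would refuse: no == pin or no --hash."""
    return [r.spec for r in parse_requirements(text)
            if not (r.version_pinned and r.hashes)]


def verify_artifact(data: bytes, hashes: dict) -> bool:
    """True if the artifact matches any pinned digest (pip accepts any one)."""
    if not hashes:
        return False
    return any(hashlib.new(algo, data).hexdigest() in digests
               for algo, digests in hashes.items())


# Constructed sample artifact and requirements file. The digest is computed
# from the constructed bytes so the example is self-consistent; the version
# string is a placeholder, not a real LiteLLM release.
GOOD_ARTIFACT = b"constructed wheel bytes for the example"
GOOD_DIGEST = hashlib.sha256(GOOD_ARTIFACT).hexdigest()
SAMPLE_REQUIREMENTS = f"""\
# fully pinned: exact version and hash
litellm==0.0.0.dev0 \\
    --hash=sha256:{GOOD_DIGEST}
# a range instead of a pin: any future upload satisfies it
requests>=2.0
# pinned version but no hash: nothing ties the pin to specific bytes
example-scanner==0.1.0
"""

if __name__ == "__main__":
    print("refused by --require-hashes:", unpinned_requirements(SAMPLE_REQUIREMENTS))
    pinned = parse_requirements(SAMPLE_REQUIREMENTS)[0]
    print("good artifact matches:", verify_artifact(GOOD_ARTIFACT, pinned.hashes))
    print("tampered artifact matches:",
          verify_artifact(GOOD_ARTIFACT + b"\x00", pinned.hashes))
```

The two halves correspond to two gates: `unpinned_requirements` is the lint that fails a pull request which loosens a pin, and `verify_artifact` is the check a private registry or pre-install step applies to the bytes actually fetched. A tampered upload under a pinned version, which is what the withdrawn LiteLLM releases were for anyone who had pinned only the version, fails the second gate.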

An accelerating pattern 

Rajeev Raghunarayan, Head of GTM at Averlon, comments: “The LiteLLM compromise reflects an accelerating pattern: attackers using compromised publishing credentials to inject malicious code into widely used libraries, turning trusted dependencies into distribution mechanisms for credential-stealing malware.”

Raghunarayan says what makes incidents like this dangerous is the scope of access they expose. “Cloud credentials, API tokens, and Kubernetes secrets don’t just represent a single point of compromise. They create pathways into the broader infrastructure those credentials connect to. This is the pattern organizations need to plan for. The initial compromise is rarely where the real damage happens. It’s where the attack chain begins.” 

Software risk is expanding  

Ryan McCurdy, VP of Marketing at Liquibase, adds that incidents like this are a reminder that in the AI era, software supply chain risk is expanding faster than most control models. “When widely used developer and AI tooling is compromised, the blast radius can move quickly across credentials, cloud environments, and production systems. 

“The lesson for enterprise teams is bigger than any one package: governance has to extend across how change is introduced, validated, promoted, and audited. Speed without control is not modernization. It is exposure.” 
