TeamPCP Compromises LiteLLM via Poisoned Trivy Security Scanner (2026)

Incident Summary

TeamPCP, a criminal group active since December 2025, compromised the LiteLLM AI proxy library on March 24, 2026, by first poisoning the Trivy security scanner’s GitHub Action on March 19 to exfiltrate PyPI publishing tokens from LiteLLM’s CI/CD pipeline.^[2] LiteLLM is downloaded approximately 3.4 million times daily from PyPI and is used by organizations including NASA, Netflix, and Stripe for routing requests across AI model providers.^[2] Two backdoored versions (1.82.7 and 1.82.8) were published within thirteen minutes of each other, containing credential-harvesting payloads that collected environment variables, SSH keys, cloud provider credentials (AWS, GCP, Azure), Kubernetes tokens, and database passwords, then encrypted and exfiltrated the data to a command-and-control domain.^[1][2] PyPI quarantined the compromised versions after approximately three hours, during which roughly 47,000 downloads occurred.^[1] Nine major AI projects including DSPy, MLflow, OpenHands, and CrewAI subsequently filed security patches due to ecosystem exposure.^[2]

Key Facts

• Attack chain: TeamPCP rewrote Git tags in the Trivy GitHub Action to point to malicious release v0.69.4, which harvested CI/CD credentials; when LiteLLM’s pipeline ran Trivy without pinned versions, the PYPI_PUBLISH token was exfiltrated^[2]
• Compromised versions: LiteLLM v1.82.7 (published 10:39 UTC) and v1.82.8 (published 10:52 UTC) on March 24, 2026^[1]
• Payload mechanism: Three-stage malware — (1) information collection targeting SSH keys, cloud credentials, and Kubernetes configs; (2) AES-256 encryption with RSA key wrapping and exfiltration to models.litellm.cloud; (3) persistence via systemd backdoor service and Kubernetes pod deployment^[2]
• Exposure window: Approximately three hours before PyPI quarantine^[1]
• Download scale: LiteLLM averages 3.4 million daily PyPI downloads; compromised versions received approximately 47,000 downloads during the exposure window^[2]
• Attribution: TeamPCP (aliases: PCPcat, Persy_PCP, ShellForce, DeadCatx3) used identical RSA key pairs across Trivy, KICS, and LiteLLM attacks, representing “Phase 09” of an ongoing multi-ecosystem campaign^[2]
• Ecosystem impact: Nine major AI projects filed security patches; LiteLLM engaged Google Mandiant for forensic analysis^[2][1]
• Remediation: Compromised packages removed from PyPI; maintainer credentials rotated; releases paused pending supply chain review; SHA-256 checksums published for verified releases^[1]

Threat Patterns Involved

Primary: AI Supply Chain Attack — TeamPCP executed a multi-stage supply chain compromise that cascaded from a security scanning tool (Trivy) to a widely deployed AI infrastructure library (LiteLLM). The attack exploited the trust relationship between CI/CD pipelines and their dependencies: by poisoning a security tool that projects integrate specifically to improve security, the attackers turned the software supply chain’s own defense mechanisms into an attack vector.

Secondary: Tool Misuse & Privilege Escalation — The compromised LiteLLM versions escalated from a package installation to full system compromise, deploying a three-stage payload that harvested credentials, established persistence via systemd backdoor services and Kubernetes pod deployment, and exfiltrated encrypted data to a command-and-control domain.

Significance

1. Cascading supply chain risk in AI infrastructure — The Trivy-to-LiteLLM attack chain demonstrates that AI infrastructure libraries inherit the security posture of every upstream dependency in their CI/CD pipeline, creating cascading failure paths that bypass the library’s own security practices
2. Security tools as attack vectors — The compromise of Trivy — a security scanner organizations integrate specifically to detect vulnerabilities — illustrates the particularly damaging potential of supply chain attacks that weaponize trust in security tooling itself
3. Speed of impact at AI scale — Three hours of exposure to a library downloaded 3.4 million times daily resulted in approximately 47,000 potentially compromised installations, highlighting the damage velocity possible when widely adopted AI infrastructure components are compromised
4. Organized criminal targeting of AI ecosystem — TeamPCP’s documented multi-phase campaign across PyPI, npm, Docker Hub, GitHub Actions, and OpenVSX represents systematic criminal targeting of the AI development ecosystem rather than opportunistic attacks