TeamPCP, the group responsible for attacking Trivy and KICS, recently compromised the popular Python package litellm by releasing two malicious versions on PyPI. These tainted updates, versions 1.82.7 and 1.82.8, included a sophisticated toolkit designed to harvest credentials, move laterally through Kubernetes clusters, and establish a persistent backdoor.
Security researchers from Endor Labs and JFrog discovered that the compromise likely originated from litellm's use of a compromised version of Trivy within its CI/CD pipeline. The attack unfolded in three distinct stages, starting with a broad sweep for SSH keys, cloud credentials, and Kubernetes secrets. Once gathered, this sensitive data was bundled into an encrypted archive and exfiltrated to a command-and-control domain disguised to look like a legitimate litellm service.
In the first malicious iteration, version 1.82.7, the threat actors embedded their code within a specific proxy server file. This ensured that the payload would trigger automatically whenever the module was imported, requiring no direct interaction from the user to begin the infection. Beyond simple data theft, the malware also attempted to deploy privileged pods across every node in a Kubernetes environment to broaden the scope of the breach.
The second version, 1.82.8, introduced an even more aggressive execution method by utilizing a Python path configuration file known as a .pth file. Because the Python interpreter processes these files from site-packages automatically upon startup, executing any line that begins with an `import` statement, the malicious logic ran every time any Python process began in the environment. This version also used subprocess commands to launch the payload as a detached background process, making it much harder for a user to notice that anything unusual was happening.
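The .pth behaviour described above also gives defenders a cheap audit point: legitimate .pth files hold only sys.path entries, while any line starting with `import` is executed at every interpreter start. The following is an added example, not code from the article or from litellm, that classifies .pth lines the way `site.py` does and flags executable lines using process-spawning or code-execution constructs; the sample file contents and the `_RISKY` pattern are constructed for illustration.

```python
import re
import site
import tempfile
from pathlib import Path

# site.py executes any .pth line starting with "import " or "import\t" at startup;
# every other non-blank, non-comment line is just added to sys.path.
_IMPORT_LINE = re.compile(r"^import[ \t]")
# Constructs that legitimate .pth hooks (editable installs, distutils shims) do not need.
_RISKY = re.compile(r"subprocess|os\.system|Popen|\bexec\s*\(|\beval\s*\(|base64|urllib|socket")

def classify_pth_text(text):
    """Return (executable_lines, risky_lines) for the contents of one .pth file."""
    executable, risky = [], []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        if _IMPORT_LINE.match(line):
            executable.append(line)
            if _RISKY.search(line):
                risky.append(line)
    return executable, risky

def audit_pth_files(dirs=None):
    """Scan site-packages dirs (default: this interpreter's); return {file: (executable, risky)}."""
    if dirs is None:
        dirs = list(getattr(site, "getsitepackages", lambda: [])()) + [site.getusersitepackages()]
    findings = {}
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            try:
                executable, risky = classify_pth_text(pth.read_text(encoding="utf-8", errors="replace"))
            except OSError:
                continue
            if executable:  # files holding only path entries are not reported
                findings[str(pth)] = (executable, risky)
    return findings

def demo_scan():
    """Audit three constructed sample .pth files in a temp dir; result keyed by file name."""
    samples = {  # constructed samples, not files from the litellm incident
        "paths-only.pth": "# constructed: plain path entries\n/opt/example/lib\n",
        "editable-hook.pth": "import os; flag = os.environ.get('SAMPLE_FLAG') == '1'\n",
        "suspicious.pth": "/opt/example\nimport subprocess; subprocess.Popen(['true'])\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return {Path(k).name: v for k, v in audit_pth_files([tmp]).items()}
```

Calling `audit_pth_files()` with no arguments inspects the running interpreter's own site-packages; every file it reports deserves a look, and any entry with a non-empty risky list deserves one first.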
For long-term access, the malware installed a persistent system service that regularly checked an external domain for new instructions or additional malicious binaries. Although the developers and security teams have since removed the compromised versions from the official repository, the incident highlights the ongoing danger of supply chain attacks. Interestingly, the attackers even included a fake success message during the installation process to trick developers into believing the library was functioning normally.
Source: https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/