TeamPCP, the threat actor behind recent high-profile compromises of Trivy and KICS, has now set its sights on the Python package litellm. This move is part of a broader, relentless supply chain attack campaign that has already compromised five ecosystems: GitHub Actions, Docker Hub, npm, Open VSX, and PyPI. The actor is abusing the package's use of Trivy in its CI/CD workflow to inject malicious code, resulting in the release of two backdoored versions of litellm (1.82.7 and 1.82.8) on March 24, 2026. These versions contain a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor, showcasing a sophisticated, multi-stage attack.
What makes this incident particularly intriguing is the actor's deliberate escalation from CI/CD environments to production systems. By targeting PyPI packages running in Kubernetes clusters, TeamPCP is not only expanding its footprint but also leveraging the trust placed in open-source software. The actor's Telegram channel posts reveal a sense of confidence and a willingness to continue the campaign, indicating a well-organized and persistent threat actor. The use of Python .pth files and subprocess.Popen in the latest iteration adds a layer of complexity, making the payload more difficult to detect and mitigate.
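A defender's check for the two indicators this article names, as an added example that is not from the original page or from the litellm project: it lists the .pth lines that Python's site module executes at interpreter startup, flags those that spawn processes or run dynamic code, and compares the installed litellm version against 1.82.7 and 1.82.8. The marker regex and the sample file names are assumptions made for illustration.

```python
import re
import site
import tempfile
from importlib import metadata
from pathlib import Path

BAD_LITELLM = {"1.82.7", "1.82.8"}  # versions the article names as backdoored
# Heuristic markers (assumption): process spawning or dynamic code in a .pth line.
SUSPICIOUS = re.compile(r"subprocess|os\.system|exec\(|eval\(|base64|urllib|socket")

def executable_pth_lines(pth_path):
    """Return (lineno, line) for the lines site.py would exec() at startup."""
    hits = []
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    for n, line in enumerate(text.splitlines(), 1):
        # site.py executes lines beginning with "import" plus space or tab;
        # any other non-comment line is only treated as a path entry.
        if line.startswith(("import ", "import\t")):
            hits.append((n, line))
    return hits

def scan_site_dir(site_dir):
    """Flag .pth files whose executable lines match SUSPICIOUS."""
    findings = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for n, line in executable_pth_lines(pth):
            if SUSPICIOUS.search(line):
                findings.append((pth.name, n, line[:80]))
    return findings

def demo():
    # Constructed sample files in a temp dir; names and contents are made up.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "benign.pth").write_text("/opt/extra/lib\n# comment\n")
        Path(d, "editable.pth").write_text("import _virtualenv\n")
        Path(d, "sample.pth").write_text("import subprocess; subprocess.Popen(['true'])\n")
        return scan_site_dir(d)

if __name__ == "__main__":
    for d in site.getsitepackages():
        for finding in scan_site_dir(d):
            print("suspicious .pth:", finding)
    try:
        v = metadata.version("litellm")
        print("litellm", v, "BACKDOORED" if v in BAD_LITELLM else "not a listed version")
    except metadata.PackageNotFoundError:
        print("litellm not installed")
```

A hit is a lead for review, not a verdict: legitimate tooling also ships .pth files with import lines, which is why the check looks at what the executed line does rather than at the file's presence.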
The impact of this compromise extends beyond the immediate affected systems. The harvested credentials can unlock further targets, creating a snowball effect that threatens a wide range of environments. This highlights the interconnected nature of the software supply chain and the potential for rapid lateral movement within compromised networks. The open-source community, which has been a cornerstone of modern software development, is now facing a critical challenge in maintaining its security and integrity.
In my opinion, this incident serves as a stark reminder of the importance of supply chain security and the need for a more proactive approach to threat detection and response. The use of tools like Trivy and KICS, which are designed to enhance security, has been subverted by the actor, underscoring the need for continuous vigilance and the integration of security measures at every stage of the software development lifecycle. As the open-source community continues to evolve, it must also adapt to new threats and develop robust strategies to safeguard its ecosystems.
Looking ahead, the impact of this compromise could be far-reaching, with the potential for further exploitation of credentials and the expansion of the actor's reach. The open-source community must remain vigilant and take proactive steps to enhance its security posture, while also working closely with security researchers and vendors to identify and mitigate emerging threats. The future of open-source software depends on the collective efforts of developers, researchers, and security professionals to build a more secure and resilient ecosystem.