Forcepoint — TeamPCP Turns LiteLLM into a Credential Stealer
AI relevance: LiteLLM is a unified AI API gateway connecting 100+ LLM providers — a single compromised installation gives attackers simultaneous access to OpenAI, Anthropic, Azure, AWS, and GCP credentials across an entire AI stack.
Forcepoint X-Labs published a detailed report on a TeamPCP supply chain attack that poisoned the LiteLLM Python package (versions 1.82.7 and 1.82.8) by compromising its CI pipeline through a backdoored Trivy vulnerability scanner.
Key details
- CI pipeline poisoning: TeamPCP spoofed legitimate Trivy maintainer identities, pushed impersonated commits, and triggered the project's automated release pipeline to distribute backdoored Trivy binaries via GitHub Releases, Docker Hub, and Amazon ECR.
- Memory-scraping credential theft: When LiteLLM's CI/CD job pulled the compromised Trivy build, the malicious binary scraped the runner's memory and exfiltrated a PYPI_PUBLISH token, enabling the attackers to publish their own malicious LiteLLM releases directly to PyPI.
- Two injection techniques: Version 1.82.7 embedded a Base64-encoded payload in proxy_server.py that executed at proxy startup. Version 1.82.8 dropped a litelllm_init.pth file into site-packages, running the payload at every Python interpreter startup — even without explicitly importing LiteLLM.
- Broad credential harvesting: The payload scanned environment variables and config files for OpenAI, Anthropic, and Azure API keys, plus AWS, Google Cloud, and Azure SDK credentials. It also pulled kubeconfig files and AWS credential files from user home directories.
- AES-256 exfiltration: Collected data was encrypted with AES-256-CBC (PBKDF2-derived session key), packed into tpcp.tar.gz, and sent via curl to models.litellm.cloud — a convincing lookalike of the legitimate LiteLLM domain.
- Persistent backdoor: A polling backdoor called Sysmon.py checked checkmarx.zone every 50 minutes for signed instructions, downloading and executing returned binaries as background processes.
Why it matters
LiteLLM sits at the credential center of gravity for most enterprise AI deployments. Compromising a single library hands attackers a master key to every connected LLM provider and cloud platform. With over 33,000 internet-facing LiteLLM instances observed at the time of discovery (per Hunt.io), the blast radius is enormous. This is also the first documented case of weaponizing security infrastructure (Trivy) to reach downstream AI tooling through CI compromise.
What to do
- Audit all Python environments for LiteLLM versions 1.82.7 and 1.82.8; remove immediately if found.
- Check for litelllm_init.pth in site-packages and Sysmon.py backdoors on any potentially affected hosts.
- Rotate all API keys for OpenAI, Anthropic, Azure, AWS, and GCP that were accessible from machines that may have installed tainted LiteLLM versions.
- Block models.litellm.cloud and checkmarx.zone at DNS/proxy level.
- Pull CI/CD pipeline logs for any anomalous PyPI publish events or unexpected Trivy binary downloads.
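One way to run the version and .pth checks on a host, as an added example that is not code from the Forcepoint report or the LiteLLM project. It goes beyond the two listed indicators by also listing any other .pth file with `import` lines, which Python's site module executes at startup; it assumes pip-style `*.dist-info` metadata, and the function names are illustrative.

```python
import site
import sys
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # releases named in the report
BAD_PTH = "litelllm_init.pth"        # file name as spelled in the report


def dist_version(dist_info: Path):
    """Return (name, version) from a *.dist-info/METADATA header block."""
    fields = {}
    meta = dist_info / "METADATA"
    if meta.is_file():
        for line in meta.read_text(errors="replace").splitlines():
            if not line.strip():
                break  # headers end at the first blank line
            key, _, value = line.partition(":")
            fields.setdefault(key, value.strip())
    return fields.get("Name", "").lower(), fields.get("Version", "")


def executable_pth_lines(pth: Path):
    """Lines site.py executes at interpreter startup (they begin with 'import')."""
    text = pth.read_text(errors="replace")
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def scan(site_dir: Path):
    """Return sorted (kind, file name) findings for one site-packages directory."""
    findings = []
    for info in site_dir.glob("*.dist-info"):
        name, version = dist_version(info)
        if name == "litellm" and version in BAD_VERSIONS:
            findings.append(("bad-version", info.name))
    for pth in site_dir.glob("*.pth"):
        if pth.name == BAD_PTH:
            findings.append(("ioc-pth", pth.name))
        elif executable_pth_lines(pth):
            # Legitimate tools also ship such files; this is a review item.
            findings.append(("review-pth", pth.name))
    return sorted(findings)


if __name__ == "__main__":
    # Directories on the command line, else this interpreter's own site dirs.
    targets = sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]
    for d in map(Path, targets):
        for kind, name in (scan(d) if d.is_dir() else []):
            print(f"{d}: {kind}: {name}")
```

Run it once per interpreter or virtual environment, or pass site-packages paths as arguments to cover container images and CI caches.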