https://www.endorlabs.com/learn/teampcp-isnt-done
A hacker group known as TeamPCP has been caught planting malicious code inside litellm, a popular AI software library downloaded roughly 95 million times per month. Two versions of the package – 1.82.7 and 1.82.8 – were found to contain hidden code designed to steal credentials and establish persistent access on infected systems, and both have since been removed from the PyPI software registry. Any organisation running these versions should treat their environment as fully compromised and immediately rotate all passwords, cloud access keys, and security tokens.
Once installed, the malicious code silently harvests a sweeping range of sensitive data. This includes cloud credentials from AWS, Google Cloud, and Azure; SSH keys; database passwords; cryptocurrency wallets; and environment files commonly used to store application secrets. In environments running Kubernetes — a widely used cloud infrastructure platform — the malware also attempts to spread itself across every server in the cluster and install a persistent backdoor that phones home for further instructions.
This attack is part of a broader, ongoing campaign that has been escalating for nearly a month. TeamPCP has now compromised five different software ecosystems, consistently targeting security and infrastructure tools that run with elevated privileges – making them especially valuable entry points into an organisation’s broader environment. Security researchers warn that more attacks are likely, and that any team using litellm versions 1.82.7 or 1.82.8 – or security tools like Aqua Trivy or Checkmarx KICS during March – should conduct an urgent security review.
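One way to check a host or repository checkout for the two affected releases is sketched below. It is an added example, not code from Endor Labs or the litellm project. The `scan` function name and the list of pin-file names are assumptions about a typical Python project layout; the affected version numbers are the ones given above.

```python
import re
import sys
from pathlib import Path

# Versions named on this page as malicious.
AFFECTED = {"1.82.7", "1.82.8"}
# Pin-file names are an assumption about common Python project layouts.
PIN_FILES = re.compile(
    r"requirements.*\.txt|constraints.*\.txt|poetry\.lock|uv\.lock|pdm\.lock|Pipfile\.lock")
# requirements style: litellm==1.82.7 or litellm[proxy]==1.82.8 ; marker
REQ_PIN = re.compile(r"^\s*litellm(?:\[[^\]]*\])?\s*={2,3}\s*([0-9][^\s;#,\\]*)", re.I | re.M)
# TOML lock style: name = "litellm" on one line, version = "..." on the next
TOML_PIN = re.compile(r'name\s*=\s*"litellm"\s*\n\s*version\s*=\s*"([^"]+)"', re.I)
# Pipfile.lock (JSON) style: "litellm": {..., "version": "==1.82.7"}
JSON_PIN = re.compile(r'"litellm"\s*:\s*\{[^{}]*?"version"\s*:\s*"==([^"]+)"', re.I)
# Installed distributions leave a litellm-<version>.dist-info directory.
DIST_INFO = re.compile(r"litellm-([^-]+)\.dist-info", re.I)


def read(path):
    """Read a text file, returning '' if it is missing or unreadable."""
    try:
        return path.read_text(errors="replace")
    except OSError:
        return ""


def scan(root):
    """Return sorted (path, version, kind) findings for affected litellm under root."""
    findings = set()
    for path in Path(root).rglob("*"):
        dist = DIST_INFO.fullmatch(path.name)
        if dist and path.is_dir():
            # Prefer the Version header in METADATA; fall back to the directory name.
            m = re.search(r"^Version:\s*(\S+)", read(path / "METADATA"), re.M)
            version = m.group(1) if m else dist.group(1)
            if version in AFFECTED:
                findings.add((str(path), version, "installed"))
        elif PIN_FILES.fullmatch(path.name) and path.is_file():
            text = read(path)
            for rx in (REQ_PIN, TOML_PIN, JSON_PIN):
                for version in rx.findall(text):
                    if version in AFFECTED:
                        findings.add((str(path), version, "pinned"))
    return sorted(findings)


if __name__ == "__main__":
    hits = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, version, kind in hits:
        print(f"AFFECTED litellm {version} ({kind}): {path}")
    sys.exit(1 if hits else 0)
```

An empty result only shows that neither version is present now; a host that installed one of them earlier and has since upgraded or removed it still falls under the rotate-everything guidance above.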