Post by SolventAi CyberSecurity
#LiteLLM just got hit by a supply chain attack. Here's the full attack flow.

Versions 1.82.7 and 1.82.8 on PyPI were compromised by TeamPCP, the same group behind the Trivy breach. This is a cascading supply chain compromise, and it's worth understanding how it works.

The 7-step attack flow:
1. TeamPCP used a PyPI API token exposed during the Trivy breach to gain publishing access.
2. They pushed trojanized versions with a malicious .pth file injected via pyproject.toml (double base64-encoded).
3. A developer runs pip install litellm and pulls the compromised package.
4. Python processes .pth files at interpreter startup, so the payload executes on EVERY Python invocation, no import needed.
5. The malware harvests SSH keys, AWS/GCP/Azure credentials, .env files, kube configs, crypto wallets and CI/CD secrets.
6. Credentials are encrypted with AES-256 + RSA and exfiltrated to checkmarx[.]zone and models.litellm[.]cloud.
7. Stolen tokens are used to compromise MORE packages, a recursive loop.

This is the pattern: Trivy -> Aqua Docker images -> Checkmarx KICS -> LiteLLM. Each breach feeds the next.

36% of cloud environments have LiteLLM installed. That's the blast radius.

Immediate actions if you're affected:
- Check: pip show litellm (look for 1.82.7 or 1.82.8)
- Pin to <= 1.82.6 or a verified later release
- Rotate ALL credentials on affected systems
- Check for persistence at ~/.config/sysmon/ and node-setup-* pods in kube-system

The real lesson: a single unrotated token from the Trivy breach cascaded into compromising one of the most widely-used AI infrastructure packages. Credential rotation isn't optional.

Full attack flow diagram below.

#SupplyChainSecurity #Cybersecurity #LiteLLM #TeamPCP #PyPI #AppSec #DevSecOps #ThreatIntelligence
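The two checks above (is the installed litellm one of the compromised releases, and is any .pth file in site-packages executing code at startup) can be scripted. This is an added audit helper, not code from the post or from the LiteLLM project; the suspicious-pattern regex and the sample .pth contents are constructed heuristics, not signatures taken from the malware.

```python
"""Audit .pth files for interpreter-startup code execution and flag the
LiteLLM versions named in the post (1.82.7, 1.82.8)."""
import re
import site
from importlib import metadata
from pathlib import Path

AFFECTED_LITELLM = {"1.82.7", "1.82.8"}
# Assumed heuristics for an obfuscated loader line (constructed, tune per environment).
SUSPICIOUS = re.compile(r"exec\s*\(|eval\s*\(|b64decode|__import__|subprocess|urlopen")

# Constructed samples: a normal path-only .pth and a loader-style .pth.
SAMPLE_BENIGN = "/opt/lib/extra\n# comment line\n"
SAMPLE_LOADER = "import base64; exec(base64.b64decode('cGFzcw=='))\n"  # decodes to 'pass'


def executable_pth_lines(text):
    """site.py exec()s every .pth line that starts with 'import'; all others are paths."""
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def classify_pth(text):
    """Return the lines Python would execute and whether any look like an obfuscated loader."""
    lines = executable_pth_lines(text)
    return {"exec_lines": lines, "suspicious": any(SUSPICIOUS.search(ln) for ln in lines)}


def scan_pth_dirs(dirs):
    """Walk the given directories for *.pth files and report those that execute code."""
    findings = []
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            info = classify_pth(pth.read_text(errors="replace"))
            if info["exec_lines"]:
                findings.append((str(pth), info))
    return findings


def litellm_status():
    """Return (installed version or None, True if it is a compromised release)."""
    try:
        ver = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None, False
    return ver, ver in AFFECTED_LITELLM


if __name__ == "__main__":
    ver, bad = litellm_status()
    print("litellm:", ver or "not installed", "(AFFECTED)" if bad else "")
    for path, info in scan_pth_dirs(site.getsitepackages() + [site.getusersitepackages()]):
        print("SUSPICIOUS" if info["suspicious"] else "review", path)
        for ln in info["exec_lines"]:
            print("   ", ln[:120])
```

Run it inside every virtualenv and system interpreter on the host, since each has its own site-packages and its own .pth files.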