Forcepoint Details TeamPCP Supply Chain Attack on LiteLLM AI Gateway

A new cybersecurity report released May 18 details a sophisticated supply chain attack by a threat group known as TeamPCP, which compromised a popular open-source artificial intelligence tool and turned it into a widespread credential harvester. The report from Forcepoint LLC’s X-Labs research team outlines how the group injected malicious code into LiteLLM, a widely used Python library that serves as a unified gateway to more than 100 large language model APIs, including those from OpenAI, Anthropic, and Google.

The attack specifically targeted LiteLLM versions 1.82.7 and 1.82.8. The compromised packages contained a two-stage payload designed to steal a vast array of sensitive information from any system where the library was installed. This incident is part of a broader, cascading campaign by TeamPCP that previously hit other critical developer and security tools, including the Trivy vulnerability scanner and the KICS infrastructure-as-code security tool.

According to security researchers, LiteLLM’s popularity made it a high-value target. The package, which simplifies how developers integrate various AI models into their applications, has been downloaded approximately 480 million times.

The malicious code was engineered to systematically sweep compromised systems for credentials. The harvested data included cloud provider keys, Kubernetes service account tokens, VPN configurations, and secrets from developer tools like HashiCorp Vault and npm, according to analysis from Semgrep. Once collected, the stolen information was bundled into an encrypted archive file and exfiltrated to a command-and-control server operated by the attackers at `models.litellm.cloud`. The attackers used a hybrid encryption method, combining AES-256 and RSA-4096 keys, which makes it nearly impossible for victims to determine the exact scope of the data breach without the attacker's private key.

Research from the Cloud Security Alliance highlights the attack's advanced persistence mechanism.
TeamPCP used a Python `.pth` file, `litellm_init.pth`, installed in a core directory. This technique ensures the malicious code executes every time the Python interpreter starts, allowing the malware to survive even if the compromised LiteLLM package is uninstalled by standard package managers. For businesses running applications inside Kubernetes environments, the threat was even more severe. If the malware detected it was running within a Kubernetes pod, it would attempt to escalate its privileges to gain control over the entire cluster, moving from simple data theft to a full-scale infrastructure compromise.

The LiteLLM compromise did not occur in isolation. It followed a pattern established by TeamPCP in March 2026, when the group first breached the software supply chain by poisoning GitHub Actions related to security vendors Aqua Security and Checkmarx. The group used credentials stolen in those initial attacks to then compromise other packages, including LiteLLM. TeamPCP openly taunted its targets on a Telegram channel, stating, “These companies were built to protect your supply chains yet they can't even protect their own.”

Security analysts note that the campaign was meticulously planned. The group established its attack infrastructure in December 2025, months before the operational phase began in March, indicating a deliberate and methodical approach rather than an opportunistic strike. The attackers also demonstrated rapid iteration, refining their injection techniques across multiple package versions to improve stealth and effectiveness, as observed by StepSecurity in a related attack on the `xinference` package.

Organizations that used the affected versions of LiteLLM, or the previously compromised versions of Trivy, KICS, or the Telnyx SDK, are advised to act immediately. The consensus recommendation is to treat all CI/CD secrets, cloud credentials, and LLM API keys as fully compromised and to rotate them without delay.
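Added example (not from the Forcepoint report or from the LiteLLM project): a defender-side hunt for the indicators named above, namely the `litellm_init.pth` startup hook, the two affected versions and the `models.litellm.cloud` domain. The sample `.pth` files and log lines are constructed, and the `litellm_init` module name inside the sample hook is a stand-in, not the real payload.

```python
"""Defender-side hunt for the indicators the article names: the litellm_init.pth
startup hook, the two affected LiteLLM versions, and contact with the C2 domain."""
import re
import tempfile
from pathlib import Path

# Indicators as quoted in the article; everything else in this file is constructed.
AFFECTED_VERSIONS = {"1.82.7", "1.82.8"}
SUSPECT_PTH_NAME = "litellm_init.pth"
C2_DOMAIN = "models.litellm.cloud"
# site.py executes any .pth line that starts with "import" at interpreter startup;
# that is the persistence mechanism described, so those lines are what we surface.
IMPORT_LINE = re.compile(r"^\s*import\s")

def executable_pth_lines(text):
    """Return the lines of a .pth file that Python would execute as code."""
    return [ln.strip() for ln in text.splitlines() if IMPORT_LINE.match(ln)]

def scan_site_dirs(dirs):
    """Map each .pth that runs code to a severity. Legitimate tooling
    (virtualenv, setuptools) ships import-line .pth files too, so only the
    reported filename is 'high'; every other code-running .pth is 'review'."""
    findings = {}
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            lines = executable_pth_lines(pth.read_text(errors="replace"))
            if pth.name == SUSPECT_PTH_NAME:
                findings[str(pth)] = "high: matches reported filename"
            elif lines:
                findings[str(pth)] = "review: %d import line(s)" % len(lines)
    return findings

def is_affected_version(version):
    """True for the two LiteLLM releases the report names as compromised."""
    return version.strip() in AFFECTED_VERSIONS

def c2_contacts(log_lines):
    """Keep proxy/DNS log lines that reference the reported C2 domain."""
    return [ln for ln in log_lines if C2_DOMAIN in ln]

def demo():
    """Exercise the checks on a constructed site-packages dir and log excerpt."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "paths.pth").write_text("/opt/vendor/lib\n")           # constructed, benign
        Path(d, SUSPECT_PTH_NAME).write_text("import litellm_init\n")  # constructed stand-in
        pth = scan_site_dirs([d])
    logs = ["2026-05-01T10:00:01Z CONNECT models.litellm.cloud:443",  # constructed
            "2026-05-01T10:00:02Z GET api.example.test/health"]        # constructed
    return pth, c2_contacts(logs), is_affected_version("1.82.7")
```

On a real host, pass `site.getsitepackages() + [site.getusersitepackages()]` to `scan_site_dirs` and a proxy or DNS log export to `c2_contacts`. A 'review' hit only means the `.pth` executes code, which is common for legitimate tooling, so it needs human inspection rather than being treated as an indicator on its own.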
Retrospective network log analysis for traffic to the malicious domain or the presence of the `litellm_init.pth` file can help identify affected systems. This attack underscores a fundamental shift in the cyber threat landscape, where attackers target the foundational tools developers and security teams trust. “The new perimeter isn't your firewall — it's your CI/CD pipeline,” Igor Lasic, SVP of Technology at ReversingLabs, noted in a post. “The attackers chose their target wisely. LiteLLM is the backbone of modern AI infrastructure, acting as a universal proxy for LLM APIs. Its popularity makes it an ideal ‘infection hub’.”

In our experience, incidents like this are a stark reminder that software supply chain security is no longer a niche IT issue; it is a critical component of financial risk management. The potential for operational disruption, data breaches, and reputational damage from a single compromised open-source package is immense. We see many companies invest heavily in customer-facing technology but overlook the hidden dependencies in their development pipelines, creating significant, unmanaged risk. The fact that attackers are now successfully targeting the security tools meant to prevent these breaches shows that simply purchasing a solution is not a strategy. Businesses must develop resilient internal processes to vet, monitor, and respond to threats embedded deep within their technology stack. C&S Finance Group LLC helps clients quantify these operational risks and implement controls to protect their financial stability. Learn more about our approach at csfinancegroup.com.

Looking ahead, security experts warn that TeamPCP is unlikely to stop with these attacks. Having successfully compromised packages on npm and PyPI, the group may target other popular package registries such as RubyGems, crates.io, and Maven Central.
The incident serves as a critical warning for all businesses that rely on open-source software to re-evaluate their security posture and the implicit trust placed in third-party code.