A rapidly spreading thread on Lobsters and HN right now concerns something that happened as recently as yesterday: LiteLLM, one of the most widely used Python libraries for interacting with LLM APIs, was used as an attack vector in a classic supply chain attack. FutureSearch has published a detailed analysis on its blog, and the community reaction is strong — this caught many by surprise.

How did it happen? The threat actor operating under the name "TeamPCP" obtained LiteLLM's PyPI publishing credentials by exploiting a vulnerable version of Trivy — a security scanner tool running in LiteLLM's own build pipelines. In other words: the tool meant to protect became the weapon. It's bitter irony.

The two malicious versions were openly available on PyPI for about three hours before the package registry quarantined them. That sounds short, but in an active developer environment, three hours is more than enough to cause damage.

Version 1.82.8 was particularly nasty: it installed a .pth file that automatically executed the malware upon any Python invocation — even if you never directly imported litellm.

The malware was designed to sweep the host for secrets: AWS and GCP credentials, GitHub tokens, SSH keys, kubeconfig files, Docker credentials, crypto wallets (Bitcoin, Ethereum, Litecoin), and shell history files. Additionally, it attempted lateral movement in Kubernetes clusters and installed a persistent systemd backdoor. This is not amateur work.

The attack is already linked to previous compromises of Trivy and Checkmarx KICS based on overlapping infrastructure and methodology — the same tpcp.tar.gz filename and RSA keys reappear.

What should you do now?

Check which version you are running: pip show litellm | grep Version. If you have 1.82.7 or 1.82.8, it's crisis mode: rotate absolutely all credentials that were available on that host. Pin to <=1.82.6 in all environments. Check network logs for traffic to models.litellm.cloud and checkmarx.zone — these are C2 domains used in the attack.
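As an added example (not taken from the FutureSearch analysis or the LiteLLM project), this Python script checks site-packages directories for the two indicators described above: an installed litellm 1.82.7 or 1.82.8, and any .pth file containing lines that Python's site module executes at startup (lines beginning with "import"). The function names are hypothetical, and because this page does not give the malicious .pth file's name, the scan reports every such file for review.

```python
"""Audit site-packages for a flagged litellm version and auto-executing .pth files."""
import sys
import site
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # the two versions this page names

def executable_pth_lines(text):
    """Lines that site.py exec()s at interpreter startup: those starting with 'import'."""
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]

def scan_pth(dirs):
    """Map each .pth file in dirs to its auto-executed lines; path-only files are skipped."""
    findings = {}
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            try:
                lines = executable_pth_lines(pth.read_text(encoding="utf-8", errors="replace"))
            except OSError:
                continue  # unreadable file: nothing to report here
            if lines:
                findings[str(pth)] = lines
    return findings

def flagged_litellm(dirs):
    """Versions of litellm installed under dirs that are in BAD_VERSIONS."""
    found = set()
    for dist in metadata.distributions(path=[str(d) for d in dirs]):
        name = (dist.metadata.get("Name") or "").lower()
        if name == "litellm" and dist.version in BAD_VERSIONS:
            found.add(dist.version)
    return sorted(found)

def default_dirs():
    """Site-packages directories of the running interpreter (system and per-user)."""
    return sorted(set(site.getsitepackages()) | {site.getusersitepackages()})

if __name__ == "__main__":
    dirs = sys.argv[1:] or default_dirs()
    bad = flagged_litellm(dirs)
    print("compromised litellm versions present:", ", ".join(bad) or "none")
    for path, lines in scan_pth(dirs).items():
        print(f"review {path}")
        for ln in lines:
            print(f"    {ln[:160]}")
    sys.exit(1 if bad else 0)
```

Run it as python -S audit.py /path/to/site-packages (audit.py is a placeholder filename) so that the interpreter doing the audit does not itself process .pth files. Some legitimate packages ship .pth files with import lines, so treat each hit as something to inspect.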

This is an early signal from community sources, and the full extent of the damage is not yet known. But the fact that it happened at all is a powerful warning: CI/CD pipelines are an attractive target, and unpinned security tools in the build process are an attack surface few consider.

Keep an eye on this — mainstream security media will likely pick it up during the day.