[{"data":1,"prerenderedAt":228},["ShallowReactive",2],{"article-slug-team-pcp-cascading-supply-chain-attack-compromises-litellm":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":51,"sources":57,"events":73,"mitre_techniques":83,"mitre_mitigations":107,"d3fend_countermeasures":165,"iocs":166,"cyber_observables":171,"tags":196,"extract_datetime":203,"article_type":204,"impact_scope":205,"pub_date":216,"reading_time_minutes":217,"createdAt":203,"updatedAt":218,"updates":219},"d97424e5-1a38-4bdf-90b3-d834b5a50056","team-pcp-cascading-supply-chain-attack-compromises-litellm","TeamPCP's Supply Chain Attack Cascade Hits LiteLLM, Stealing AI Credentials","Multi-Stage Supply Chain Attack by TeamPCP Compromises Trivy, Checkmarx, and LiteLLM","The threat actor group 'TeamPCP' has executed a sophisticated, multi-stage supply chain attack, beginning with the compromise of the popular open-source vulnerability scanner Trivy. The attackers leveraged this access to poison downstream GitHub Actions, stealing credentials from CI/CD pipelines. They then pivoted to compromise other developer tools, including Checkmarx KICS, before publishing malicious versions of the widely-used LiteLLM AI gateway on PyPI. The trojanized LiteLLM packages were designed to steal sensitive AI API credentials, exfiltrating them to an attacker-controlled server. This cascading attack highlights the systemic risk in the open-source software supply chain, where a single point of failure can lead to widespread compromise across thousands of dependent projects.","## Executive Summary\nOn March 19, 2026, a threat actor group identified as **[TeamPCP](https://malpedia.caad.fkie.fraunhofer.de/actor/teampcp)** initiated a sophisticated, multi-stage supply chain attack by compromising the release infrastructure for Aqua Security's popular open-source vulnerability scanner, **[Trivy](https://github.com/aquasecurity/trivy)**. The attackers manipulated GitHub Actions tags to inject credential-stealing malware into CI/CD pipelines of dependent projects. The campaign escalated over several days, with the actors pivoting to compromise a **[Checkmarx KICS](https://checkmarx.com/product/kics-ast/)** GitHub Action and ultimately publishing trojanized versions of the **[LiteLLM](https://github.com/BerriAI/litellm)** AI gateway on the Python Package Index (PyPI). The malicious LiteLLM packages (`1.82.7` and `1.82.8`) were specifically engineered to exfiltrate AI API keys and other secrets to an attacker-controlled domain. This incident demonstrates a dangerous evolution in supply chain attacks, showcasing how compromising a single trusted tool can create a cascading effect that compromises a vast ecosystem of developer tools and AI infrastructure.\n\n---\n\n## Threat Overview\nThis attack represents a significant threat to the open-source software ecosystem. The initial point of entry was the compromise of the `aquasecurity/trivy-action` and `aquasecurity/setup-trivy` GitHub Actions. Instead of altering the code in the main branch, **TeamPCP** employed a stealthy technique by force-pushing existing version tags to point to malicious commits. This meant that any CI/CD pipeline referencing these version tags (e.g., `@v0.18.0`) would unknowingly pull and execute the attackers' malicious code. The malware was designed for broad-spectrum credential theft, targeting SSH keys, cloud provider tokens, and cryptocurrency wallets.\n\nFollowing the initial success, the attackers used the stolen credentials to expand their reach. On March 23, a similar compromise was found in a GitHub Action for Checkmarx KICS. The final and most impactful stage occurred on March 24, when malicious versions of **LiteLLM** were uploaded to PyPI. LiteLLM, which acts as a unified interface to over 100 Large Language Model (LLM) APIs, is a critical component in many AI applications. By compromising it, the attackers positioned themselves to harvest a massive number of API keys for services like **[OpenAI](https://openai.com/)**, **[Anthropic](https://www.anthropic.com/)**, and **[Google Gemini](https://deepmind.google/technologies/gemini/)**, giving them access to powerful and costly AI resources.\n\n---\n\n## Technical Analysis\nThe attack chain began with the exploitation of credentials from a previous, insufficiently remediated security incident, allowing the attackers to gain access to Trivy's release infrastructure. This aligns with the MITRE ATT&CK technique [`T1078 - Valid Accounts`](https://attack.mitre.org/techniques/T1078/).\n\nThe core of the attack involved manipulating CI/CD pipelines, a classic supply chain compromise technique.\n\n1.  **Compromise Software Development Tools:** The attackers gained control over the GitHub Actions repositories for Trivy. This corresponds to [`T1195.001 - Compromise Software Dependencies and Development Tools`](https://attack.mitre.org/techniques/T1195/001/).\n2.  **Malicious Tag Manipulation:** They force-pushed 76 of 77 version tags to point to malicious commits. This is a sub-technique of CI/CD compromise, abusing trust in versioning systems.\n3.  **Execution via CI/CD Pipeline:** Downstream projects using the compromised actions automatically executed the malicious code during their build processes. This represents [`T1059.006 - Python`](https://attack.mitre.org/techniques/T1059/006/) and [`T1059.004 - Unix Shell`](https://attack.mitre.org/techniques/T1059/004/) for script execution within the build environment.\n4.  **Credential Theft:** The injected malware was designed to steal secrets, including SSH keys ([`T1555.004 - SSH-Agent Hijacking`](https://attack.mitre.org/techniques/T1555/004/)), cloud tokens, and other credentials from the build environment.\n5.  **Lateral Movement & Pivot:** Using stolen credentials, the attackers compromised the Checkmarx KICS action and then targeted the LiteLLM project.\n6.  **Trojanized Package Publication:** The final payload was delivered by publishing malicious versions (`1.82.7`, `1.82.8`) of the `litellm` package to PyPI. The malicious code was embedded in `proxy_server.py`.\n7.  **Exfiltration:** The stolen AI API keys were exfiltrated to the attacker-controlled C2 server at `models.litellm[.]cloud` via [`T1041 - Exfiltration Over C2 Channel`](https://attack.mitre.org/techniques/T1041/).\n\n> This attack's stealth was enhanced by manipulating tags rather than code, a method that bypasses many standard code review and integrity checks. It underscores the importance of verifying the commit hash associated with a tag, not just the tag itself.\n\n---\n\n## Impact Assessment\nThe business impact of this attack is severe and widespread. Any organization using the compromised versions of the Trivy or Checkmarx GitHub Actions may have had sensitive credentials and secrets exfiltrated from their build environments. This could lead to further network compromise, data breaches, and financial loss.\n\nThe compromise of **LiteLLM** is particularly damaging. Organizations using the malicious versions are at risk of having their AI API keys stolen. This could result in significant financial costs from unauthorized use of expensive LLM services, theft of proprietary data sent to or from these models, and potential abuse of the models for malicious purposes like generating disinformation or malware.\n\nThe attack erodes trust in the open-source ecosystem and highlights the fragility of software supply chains. The reputational damage to the compromised projects is significant, and the incident forces thousands of downstream developers to perform urgent security audits, patch systems, and rotate credentials, leading to widespread productivity loss.\n\n---\n\n## IOCs\n| Type | Value | Description |\n|---|---|---|\n| domain | `models.litellm[.]cloud` | Attacker-controlled C2 server for data exfiltration. |\n\n---\n\n## Cyber Observables for Detection\n| Type | Value | Description | Context | Confidence |\n|---|---|---|---|---|\n| url_pattern | `/v1/` | The malicious LiteLLM code intercepted requests to the `/v1/` endpoint. | Web server logs on proxy servers using LiteLLM. | high |\n| file_name | `proxy_server.py` | The file containing the malicious code in the compromised LiteLLM package. | File integrity monitoring on systems with LiteLLM installed. | high |\n| command_line_pattern | `git show-ref --verify refs/tags/` | Command to verify the commit hash of a Git tag. | CI/CD build logs, developer terminal history. | medium |\n| network_traffic_pattern | `DNS queries to models.litellm.cloud` | Outbound DNS requests to the known malicious domain. | DNS logs, network security monitoring tools. | high |\n| log_source | `GitHub Audit Logs` | Look for `git.force_push` events on critical repositories. | GitHub Enterprise or organization audit logs. | high |\n| file_path | `~/.ssh/id_rsa` | A common target for credential theft malware in build environments. | File access monitoring on build agents. | medium |\n\n---\n\n## Detection & Response\n**Detection:**\n1.  **CI/CD Pipeline Monitoring:** Implement robust monitoring of CI/CD build logs. Look for anomalous network connections, unexpected file modifications, or execution of suspicious commands. Use tools to pin dependencies to specific commit hashes, not just version tags. D3FEND's [`File Analysis`](https://d3fend.mitre.org/technique/d3f:FileAnalysis) can be applied to build artifacts.\n2.  **Network Traffic Analysis:** Monitor outbound traffic from build servers and production environments for connections to suspicious domains like `models.litellm[.]cloud`. Use D3FEND's [`Outbound Traffic Filtering`](https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering) and [`Network Traffic Analysis`](https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis).\n3.  **Dependency Scanning:** Immediately scan all projects for the malicious LiteLLM versions (`1.82.7`, `1.82.8`). Use `pip list` or other dependency analysis tools to identify affected systems.\n4.  **GitHub Audit Logs:** Security teams should retroactively review GitHub audit logs for `git.force_push` events, especially on repositories that publish release artifacts or GitHub Actions.\n\n**Response:**\n1.  **Isolate and Analyze:** Immediately isolate any build agent or server found to be running the malicious code.\n2.  **Credential Rotation:** Assume all secrets, keys, and tokens in the affected build environments have been compromised. Initiate a full rotation of all SSH keys, cloud API keys, and other credentials.\n3.  **Remove Malicious Packages:** Uninstall the malicious LiteLLM versions and upgrade to a known-good version (e.g., `1.82.9` or later) after verifying its integrity.\n4.  **Review Downstream Impact:** Audit all projects that depended on the compromised Trivy and Checkmarx actions to assess the full blast radius.\n\n---\n\n## Mitigation\n**Strategic Mitigation:**\n1.  **Dependency Pinning:** Mandate that all CI/CD pipelines and software projects pin dependencies to specific, verified commit hashes or use checksum validation (e.g., `requirements.txt` with `--hash`). This is a form of D3FEND's [`Application Configuration Hardening`](https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening).\n2.  **Least Privilege for Build Agents:** Configure CI/CD runners and build agents with minimal permissions. They should not have persistent access to production secrets. Use short-lived, dynamically generated credentials where possible.\n3.  **Signed Commits and Tags:** Enforce policies requiring that all commits and tags to critical repositories are cryptographically signed. This makes unauthorized modifications more difficult to conceal.\n4.  **Supply Chain Security Platforms:** Implement tools like Sigstore for signing and verifying software artifacts, and platforms like NetRise Provenance to vet contributor reputation and project health.\n\n**Tactical Mitigation:**\n1.  **Upgrade Immediately:** Users of LiteLLM should upgrade to a safe version immediately. Users of the Trivy and Checkmarx GitHub Actions should review their usage and ensure they are pulling from verified, non-compromised versions.\n2.  **Network Egress Filtering:** Restrict outbound network access from build environments to only a small list of known, required domains. This can prevent or detect exfiltration attempts.\n3.  **Protected Branches:** Configure GitHub repository settings to protect release tags and branches, requiring multiple approvers for any changes and preventing force pushes.","🚨 BREAKING: A cascading supply chain attack by 'TeamPCP' has compromised Trivy, Checkmarx, and the popular AI gateway LiteLLM. Malicious versions were published to PyPI to steal AI API credentials. ⚠️ #SupplyChain #PyPI #LiteLLM #CyberAttack","Detailed analysis of the multi-stage supply chain attack by TeamPCP that compromised Trivy, Checkmarx, and LiteLLM, leading to the theft of AI API credentials via malicious PyPI packages.",[13,14,15],"Supply Chain Attack","Malware","Threat Actor","critical",[18,22,26,29,32,35,37,40,44,47],{"name":19,"type":20,"url":21},"TeamPCP","threat_actor","https://malpedia.caad.fkie.fraunhofer.de/actor/teampcp",{"name":23,"type":24,"url":25},"Trivy","product","https://github.com/aquasecurity/trivy",{"name":27,"type":24,"url":28},"LiteLLM","https://github.com/BerriAI/litellm",{"name":30,"type":24,"url":31},"Checkmarx KICS","https://checkmarx.com/product/kics-ast/",{"name":33,"type":34},"Aqua Security","vendor",{"name":36,"type":34},"Checkmarx",{"name":38,"type":39},"PyPI","technology",{"name":41,"type":42,"url":43},"GitHub","company","https://github.com/",{"name":45,"type":34,"url":46},"Microsoft","https://www.microsoft.com/security",{"name":48,"type":49,"url":50},"Kaspersky","security_organization","https://www.kaspersky.com",[52],{"id":53,"cvss_score":54,"cvss_version":55,"kev":56,"severity":16},"CVE-2026-33634",9.4,"4.0",false,[58,63,68],{"url":59,"title":60,"date":61,"friendly_name":48,"website":62},"https://www.kaspersky.com/blog/team-pcp-supply-chain-attack/51531/","Trojanization of Trivy, Checkmarx, and LiteLLM solutions","2026-03-25","kaspersky.com",{"url":64,"title":65,"date":61,"friendly_name":66,"website":67},"https://www.microsoft.com/en-us/security/blog/2026/03/25/guidance-for-detecting-investigating-and-defending-against-the-trivy-supply-chain-compromise/","Guidance for detecting, investigating, and defending against the Trivy supply chain compromise","Microsoft Security","microsoft.com",{"url":69,"title":70,"date":61,"friendly_name":71,"website":72},"https://www.activestate.com/blog/open-source-is-under-attack-how-to-manage-the-risk/","Open Source Is Under Attack. Here's How to Manage the Risk Without Abandoning the Benefit.","ActiveState","activestate.com",[74,77,80],{"datetime":75,"summary":76},"2026-03-19T00:00:00Z","TeamPCP compromises Aqua Security's Trivy release infrastructure and begins manipulating GitHub Action tags.",{"datetime":78,"summary":79},"2026-03-23T00:00:00Z","A similar compromise is discovered in a GitHub Action for Checkmarx KICS.",{"datetime":81,"summary":82},"2026-03-24T00:00:00Z","TeamPCP publishes malicious versions 1.82.7 and 1.82.8 of the LiteLLM package to PyPI.",[84,88,92,96,100,104],{"id":85,"name":86,"tactic":87},"T1195.001","Compromise Software Dependencies and Development Tools","Initial Access",{"id":89,"name":90,"tactic":91},"T1078","Valid Accounts","Defense Evasion",{"id":93,"name":94,"tactic":95},"T1059.006","Python","Execution",{"id":97,"name":98,"tactic":99},"T1555","Credentials from Password Stores","Credential Access",{"id":101,"name":102,"tactic":103},"T1041","Exfiltration Over C2 Channel","Exfiltration",{"id":105,"name":106,"tactic":87},"T1199","Trust-Relationship Abuse",[108,126,143,152],{"id":109,"name":110,"d3fend_techniques":111,"description":124,"domain":125},"M1045","Code Signing",[112,116,120],{"id":113,"name":114,"url":115},"D3-DLIC","Driver Load Integrity Checking","https://d3fend.mitre.org/technique/d3f:DriverLoadIntegrityChecking",{"id":117,"name":118,"url":119},"D3-EAL","Executable Allowlisting","https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting",{"id":121,"name":122,"url":123},"D3-SBV","Service Binary Verification","https://d3fend.mitre.org/technique/d3f:ServiceBinaryVerification","Enforce cryptographic signing of all commits, tags, and release artifacts. This allows downstream users to verify the integrity and authenticity of the code they are consuming, making it harder for attackers to inject malicious code undetected.","enterprise",{"id":127,"name":128,"d3fend_techniques":129,"description":142,"domain":125},"M1047","Audit",[130,134,138],{"id":131,"name":132,"url":133},"D3-DAM","Domain Account Monitoring","https://d3fend.mitre.org/technique/d3f:DomainAccountMonitoring",{"id":135,"name":136,"url":137},"D3-LAM","Local Account Monitoring","https://d3fend.mitre.org/technique/d3f:LocalAccountMonitoring",{"id":139,"name":140,"url":141},"D3-SFA","System File Analysis","https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis","Regularly audit CI/CD pipeline logs, repository access logs, and especially GitHub audit logs for suspicious activities like force pushes to protected branches or tags.",{"id":144,"name":145,"d3fend_techniques":146,"description":151,"domain":125},"M1037","Filter Network Traffic",[147],{"id":148,"name":149,"url":150},"D3-NI","Network Isolation","https://d3fend.mitre.org/technique/d3f:NetworkIsolation","Implement strict egress filtering on build agents to block outbound connections to any destination not on an explicit allowlist. This could have prevented the exfiltration of stolen credentials to the attacker's C2 server.",{"id":153,"name":154,"d3fend_techniques":155,"description":164,"domain":125},"M1054","Software Configuration",[156,160],{"id":157,"name":158,"url":159},"D3-ACH","Application Configuration Hardening","https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening",{"id":161,"name":162,"url":163},"D3-CP","Certificate Pinning","https://d3fend.mitre.org/technique/d3f:CertificatePinning","Configure dependency management tools to pin dependencies to specific, verified hashes rather than mutable tags. This ensures that builds are reproducible and not susceptible to tag manipulation.",[],[167],{"type":168,"value":169,"description":170},"domain","models.litellm[.]cloud","Attacker-controlled C2 server for data exfiltration.",[172,178,183,188,194],{"type":173,"value":174,"description":175,"context":176,"confidence":177},"log_source","GitHub Audit Log","Monitor for `git.force_push` events on repositories publishing release artifacts or GitHub Actions. This was the core technique used to compromise Trivy.","GitHub Enterprise or organization audit logs","high",{"type":179,"value":180,"description":181,"context":182,"confidence":177},"file_name","proxy_server.py","The file within the malicious LiteLLM package (`v1.82.7`, `v1.82.8`) that contained the credential-stealing code.","File integrity monitoring on servers running LiteLLM; dependency scanning results.",{"type":184,"value":185,"description":186,"context":187,"confidence":177},"network_traffic_pattern","Outbound connections to models.litellm.cloud","The trojanized LiteLLM versions exfiltrated stolen credentials to this attacker-controlled domain.","DNS logs, firewall logs, web proxy logs, NetFlow data from build agents and application servers.",{"type":189,"value":190,"description":191,"context":192,"confidence":193},"command_line_pattern","pip install litellm==1.82.7","Command used to install one of the known malicious versions of the LiteLLM package.","Shell history, CI/CD build scripts, deployment logs.","medium",{"type":189,"value":195,"description":191,"context":192,"confidence":193},"pip install litellm==1.82.8",[197,38,198,199,200,201,202],"supply chain","GitHub Actions","CI/CD","credential theft","open source","AI security","2026-03-26T15:00:00.000Z","Advisory",{"geographic_scope":206,"industries_affected":207,"other_affected":212},"global",[208,209,210,211],"Technology","Manufacturing","Finance","Healthcare",[213,214,215],"open-source software users","AI application developers","cloud service customers","2026-03-26",6,"2026-04-02T00:00:00Z",[220],{"update_id":221,"update_date":218,"datetime":218,"title":222,"summary":223,"sources":224},"update-1","Update 1","AI firm Mercor confirmed as victim of the LiteLLM supply chain attack, with Lapsus$ claiming 4TB data theft and extortion. This escalates the incident's real-world impact.",[225],{"title":226,"url":227},"Mercor Hit by LiteLLM Supply Chain Attack","https://www.securityweek.com/mercor-hit-by-litellm-supply-chain-attack/",1775141545844]