A relentless cyber-espionage campaign has expanded its reach into the heart of the AI development ecosystem. Security researchers at Endor Labs have identified that LiteLLM, a popular library with over 95 million monthly downloads, was compromised on the Python Package Index (PyPI) to deliver a multi-stage backdoor.
The incident is part of a month-long spree by a threat actor known as TeamPCP, which has now crossed five different software ecosystems: GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI.
The compromise specifically targeted litellm versions 1.82.7 and 1.82.8. Unlike the clean code found in the project’s official GitHub repository, these PyPI versions included a “backdoored file that decodes and executes a hidden payload the moment the file is imported”.
Version 1.82.8 introduced an even more aggressive persistence mechanism. It installed a .pth file within the Python site-packages directory, which “runs the payload on any Python invocation, even if litellm is never imported”.
Once the malicious payload is triggered, it initiates a high-speed attack designed for data theft and lateral movement:
- Credential Harvesting: The malware immediately hunts for high-value targets, including SSH keys, cloud tokens (AWS/GCP/Azure), Kubernetes secrets, and crypto wallets.
- Kubernetes Infiltration: In containerized environments, the malware attempts to move laterally across clusters. It does this by “deploying privileged pods to every node,” effectively turning the cluster against itself.
- Persistent Backdoor: To ensure long-term access, the attacker installs a systemd backdoor named sysmon.service that regularly polls for further instructions or additional malicious binaries.
What makes TeamPCP particularly dangerous is their choice of targets. The group has recently focused on “security-adjacent tools,” including Aqua Security’s Trivy and Checkmarx’s KICS. By compromising the tools developers use to secure their code, the attackers gain a trusted path into thousands of corporate environments.
The exfiltrated data is encrypted and sent to attacker-controlled infrastructure, often utilizing domains like models.litellm.cloud and checkmarx.zone to blend in with legitimate traffic.
Developers and DevOps engineers are urged to verify their environments immediately. Version 1.82.6 is the last known-clean release of LiteLLM.
To verify your installation:
- Check your version using `pip freeze | grep litellm`.
- For version 1.82.8, look for a file named litellm_init.pth in your site-packages folder.
- Search for persistence artifacts such as ~/.config/sysmon/sysmon.py or a running sysmon.service.
If any indicators of compromise are found, researchers warn teams to “treat the environment as fully compromised and rotate all credentials that were accessible on the host”, including API keys, database passwords, and Kubernetes secrets.
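The three checks above can be run as a single file-based sweep. The script below is an added example, not code from Endor Labs or the LiteLLM project. It inspects the filesystem from the shell instead of starting Python, because the .pth file in 1.82.8 runs the payload on any Python invocation (and pip is itself a Python program). The function names, the output labels and reading the installed version from the `.dist-info` directory name are assumptions of this example.

```shell
#!/bin/sh
# Added example: sweep for the indicators listed in the article.
# Usage: pass one or more site-packages directories as arguments.

BAD_VERSIONS="1.82.7 1.82.8"   # compromised releases named in the article

# Print one finding per line for a single site-packages directory.
scan_site_packages() {
    sp=$1
    for v in $BAD_VERSIONS; do
        # An installed wheel leaves a <name>-<version>.dist-info directory.
        [ -d "$sp/litellm-$v.dist-info" ] && echo "BAD_VERSION $v $sp"
    done
    [ -e "$sp/litellm_init.pth" ] && echo "PTH_BACKDOOR $sp/litellm_init.pth"
    return 0
}

# Print a finding if the persistence script exists under the given home.
scan_home() {
    [ -e "$1/.config/sysmon/sysmon.py" ] && echo "PERSISTENCE $1/.config/sysmon/sysmon.py"
    return 0
}

# Report an active sysmon.service in the system or user manager.
# This matches on the unit name only; inspect the unit before concluding.
scan_service() {
    command -v systemctl >/dev/null 2>&1 || return 0
    systemctl is-active --quiet sysmon.service 2>/dev/null && echo "SERVICE system sysmon.service"
    systemctl --user is-active --quiet sysmon.service 2>/dev/null && echo "SERVICE user sysmon.service"
    return 0
}

# Run every check; return status 1 means at least one indicator was found.
check_host() {
    home=$1; shift
    findings=$(for sp in "$@"; do scan_site_packages "$sp"; done
               scan_home "$home"; scan_service)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Only scan when directories are given on the command line.
if [ "$#" -gt 0 ]; then
    check_host "$HOME" "$@" || echo "Indicators found: treat the host as compromised." >&2
fi
```

Repeat the sweep for every virtual environment and for each user's home directory on the host, since each has its own site-packages and `~/.config`.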