LiteLLM PyPI credential-stealing malware compromise
Malware Activity
Summary
Hide ▲
Show ▼
The LiteLLM package on PyPI was compromised with credential-stealing malware, putting downstream environments at risk of secret theft and persistence. Malicious releases 1.82.7 and 1.82.8 were uploaded on March 24, 2026 and could run automatically in affected Python environments. The payload harvested cloud and system credentials, moved laterally across Kubernetes clusters, and installed persistent backdoors. Researchers linked the activity to TeamPCP and noted the package has more than 95 million monthly downloads.
Related Happenings
Operation Navy Ghost PyPI supply-chain campaign
Campaign
H score26
First: 01.07.2026 00:02
Last: 01.07.2026 00:02
Sources 1
About this happening:
The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Operation Navy Ghost PyPI supply-chain campaign
CampaignAbout this happening: The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Shai-Hulud PyPI supply-chain malware activity
Malware Activity
H score22
First: 08.06.2026 23:41
Last: 08.06.2026 23:41
Sources 1
About this happening:
The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
Shai-Hulud PyPI supply-chain malware activity
Malware ActivityAbout this happening: The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
TeamPCP opens its offensive framework to copycat supply-chain attackers
Threat Actor Meta
H score60
First: 19.05.2026 07:54
Last: 19.05.2026 07:54
Sources 1
About this happening:
**TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....
TeamPCP opens its offensive framework to copycat supply-chain attackers
Threat Actor MetaAbout this happening: **TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
H score22
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware ActivityAbout this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Timeline
-
25.03.2026 14:00 1 articles · 3mo ago
LiteLLM 1.82.7 and 1.82.8 uploaded with credential-stealing malware
Untyped PhaseLiteLLM versions 1.82.7 and 1.82.8 were uploaded to PyPI with hidden malware that harvested credentials, moved laterally across Kubernetes environments, and installed persistent backdoors. Version 1.82.6 was identified as the last clean release after the malicious versions were removed.
Show sources
- TeamPCP Expands Supply Chain Campaign With LiteLLM PyPI Compromise — www.infosecurity-magazine.com — 25.03.2026 14:00
-
25.03.2026 14:00 2 articles · 3mo ago
LiteLLM compromise disclosed with TeamPCP attribution and cleanup guidance
Initial DisclosureSecurity researchers from Endor Labs and Jfrog described a compromised LiteLLM package on PyPI that could execute automatically when certain package components were imported, while the later malicious version could trigger whenever any Python process started in an affected environment. They linked the compromise to TeamPCP, said the stolen data was encrypted before transmission to attacker-controlled infrastructure, and warned affected organizations to rotate secrets and review systems for compromise.
Show sources
- TeamPCP Expands Supply Chain Campaign With LiteLLM PyPI Compromise — www.infosecurity-magazine.com — 25.03.2026 14:00
- How LiteLLM Turned Developer Machines Into Credential Vaults for Attackers — thehackernews.com — 06.04.2026 14:45