LiteLLM Backdoor Exposed: How TeamPCP Hijacked a 95 Million-Download PyPI Package to Steal AI Infrastructure Credentials + Video

Listen to this Post

Featured Image

Introduction:

The Python Package Index (PyPI) is the lifeblood of modern development, but a sophisticated supply chain attack has turned one of its most popular libraries into a silent threat. The LiteLLM package, responsible for routing requests across major LLM providers like OpenAI, Anthropic, and Azure, was compromised in versions 1.82.7 and 1.82.8, with a backdoor injected directly into the PyPI distribution while the GitHub repository remained untouched. This breach, attributed to the threat actor TeamPCP, highlights a terrifying reality: attackers are now targeting the AI infrastructure layer, intercepting every API call and prompt sent through the proxy.

Learning Objectives:

  • Identify compromised PyPI packages by verifying hashes and inspecting CI/CD pipelines.
  • Audit CI/CD workflows for hidden supply chain risks, including poisoned security tools.
  • Implement defense-in-depth measures for AI API gateways and credential management.
  • Detect and remove the LiteLLM backdoor using system forensics and network monitoring.
  • Harden PyPI publishing workflows to prevent token exfiltration.
  1. Detecting the Compromised LiteLLM Package in Your Environment

The first step is to determine if your infrastructure has been exposed. The compromised versions are 1.82.7 and 1.82.8. Because the backdoor was only present in the PyPI tarball and not in the source repository, a simple `pip list` may not be enough—you need to inspect the installed code.

Step‑by‑step guide:

1. Check installed version:

pip show litellm | grep Version

If the version is 1.82.7 or 1.82.8, the package is malicious.

2. Locate the installation directory:

python -c "import litellm; print(litellm.<strong>file</strong>)"

This returns the path to the `__init__.py` file.

3. Inspect for malicious modifications:

Look for suspicious code such as base64‑encoded strings, hidden imports, or outbound network connections. A quick grep for common indicators:

grep -r "exec|eval|base64|requests.post" /path/to/litellm/

The backdoor was known to exfiltrate API keys and tokens to a remote C2 server.

4. For Windows environments, use PowerShell:

pip show litellm
(Get-Content (python -c "import litellm; print(litellm.<strong>file</strong>)")) | Select-String -Pattern "exec|eval|base64"

If the compromised version is found, immediately revoke all API keys, tokens, and credentials that passed through the proxy.

2. Auditing CI/CD Pipelines for Compromised Security Tools

The attack succeeded because TeamPCP first compromised Trivy—a security scanner used in LiteLLM’s CI pipeline—five days earlier. A poisoned version of Trivy ran during the build, exfiltrating the PyPI publish token. This demonstrates how trusted security tools can become attack vectors.

Step‑by‑step guide to audit CI/CD:

  1. Review your CI workflow files (e.g., .github/workflows/.yml, .gitlab-ci.yml) for any third‑party tools that are downloaded dynamically.
    Example: a step that fetches a specific binary without hash verification:

    </li>
    </ol>
    
    - name: Install Trivy
    run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
    

    This pattern is dangerous because the install script or the binary could be replaced.

    2. Pin tool versions and verify checksums:

    - name: Install Trivy
    run: |
    curl -LO https://github.com/aquasecurity/trivy/releases/download/v0.60.0/trivy_0.60.0_Linux-64bit.tar.gz
    echo "expected_sha256 trivy_0.60.0_Linux-64bit.tar.gz" | sha256sum -c
    tar xzf trivy_0.60.0_Linux-64bit.tar.gz
    sudo mv trivy /usr/local/bin/
    
    1. Monitor CI runner logs for unexpected outbound connections or data exfiltration. Use network logging to capture any traffic originating from build environments.
      Example of monitoring with `tcpdump` on a self‑hosted runner:

      sudo tcpdump -i any -w ci_traffic.pcap
      

    2. Rotate secrets immediately after any suspicious CI activity. The LiteLLM token was stolen during the build; similar patterns can be detected by correlating secret usage times with outbound connections.

    3. Analyzing the Backdoor: Command & Control and Data Exfiltration

    The injected backdoor was designed to intercept all requests routed through LiteLLM—including prompts, API responses, and authentication tokens—and forward them to a C2 server. Understanding its behavior is critical for threat hunting.

    Step‑by‑step analysis using Python and network tools:

    1. Extract the malicious code from the compromised package (if available in a sandbox).
      unzip litellm-1.82.8-py3-none-any.whl -d litellm_extracted
      

    2. Look for network calls in the source:

    grep -r "requests.post|urllib.request|socket." litellm_extracted/
    
    1. Simulate the backdoor in an isolated environment to observe its behavior. Use `strace` or `ltrace` to trace system calls:
      strace -f -e trace=network python -c "import litellm; litellm.completion(...)"
      

      On Windows, use `Process Monitor` (ProcMon) to filter on network events.

    2. Analyze traffic with Wireshark or `tcpdump` to identify the C2 destination. The attacker used a domain that was likely generated or pre‑configured.

      tcpdump -i any -w exfil.pcap
      

    Later, filter for outbound connections:

    tshark -r exfil.pcap -Y "ip.dst != 192.168.0.0/16 && tcp.port == 443"
    
    1. If you suspect infection, block the C2 IPs/domains at the network perimeter and revoke any credentials that passed through the proxy.

    4. Hardening PyPI Publishing Workflows

    The compromise of the publish token highlights the need for securing package distribution. Developers and organizations that publish to PyPI must adopt stricter controls.

    Step‑by‑step guide:

    1. Use PyPI’s Trusted Publishers (OIDC) instead of long‑lived tokens. This eliminates token storage entirely.

    For GitHub Actions, configure:

    - name: Publish to PyPI
    uses: pypa/gh-action-pypi-publish@release/v1
    with:
    password: ${{ secrets.PYPI_TOKEN }}
    

    With trusted publishers, you replace the token with a short‑lived OIDC exchange.

    2. Require two‑factor authentication for all PyPI maintainers.

    1. Never expose PyPI tokens in CI logs or environment variables. Use secrets management features (GitHub Secrets, GitLab CI Variables).

    2. Implement a CI‑only build process where the source repository is built in a clean environment, and only the resulting artifact is signed and uploaded. Avoid allowing arbitrary code execution in the packaging step.

    5. Mitigating the Impact on AI Infrastructure

    The backdoor gave the attacker visibility into every AI API call made through LiteLLM. Organizations using the library must assume all data handled during the affected period is compromised.

    Step‑by‑step mitigation:

    1. Rotate all API keys for OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, and any other LLM providers that were routed through LiteLLM.

    2. Check for unauthorized usage in provider dashboards. Look for anomalous spikes, geographic mismatches, or prompts that were not generated by your team.

    3. Audit prompts and responses that may have contained sensitive data. This is especially critical if the proxy was used in production with customer data.

    4. Implement network segmentation for AI API gateways. Use egress filtering to ensure that only authorized domains (e.g., api.openai.com) can be reached, and monitor for unexpected outbound connections.

    5. Consider a temporary migration to direct API calls while verifying the integrity of a clean LiteLLM version (1.82.9 or later) from a trusted source.

    6. Future‑Proofing Against Supply Chain Attacks

    This incident underscores that attackers are targeting the tools we trust to secure us. Adopting a zero‑trust mindset for open‑source dependencies is essential.

    Step‑by‑step hardening:

    1. Use software bills of materials (SBOMs) to track every component. Tools like `syft` or `trivy sbom` can generate SBOMs that help you quickly identify compromised packages.

    2. Mirror PyPI packages to an internal repository (e.g., Artifactory, Nexus) and scan them for vulnerabilities before allowing installation.

    Example with `pip` using a local index:

    pip install --index-url https://your-internal-pypi/simple litellm==1.82.9
    
    1. Enforce signed commits and provenance with tools like slsa-verifier. This ensures that the package you download matches the expected source.

    2. Run CI pipelines in ephemeral, isolated environments and treat every third‑party tool as untrusted. Use containerized runners with network policies that block egress to the internet except for necessary endpoints.

    What Undercode Say:

    • AI infrastructure is a prime target. Attackers are moving beyond traditional software libraries to compromise the very layer that handles sensitive AI prompts and API keys.
    • Trusted security tools can be weaponized. The use of a poisoned Trivy scanner in the CI pipeline turned a security audit step into the primary attack vector—a chilling reminder to verify every dependency.
    • Supply chain attacks are becoming more surgical. By leaving the GitHub repository clean while poisoning only the PyPI distribution, the attackers bypassed standard code reviews and focused on the final distribution point.
    • Massive scale = massive impact. With 95 million monthly downloads, the reach of this backdoor is staggering, affecting everything from individual developers to enterprise AI gateways.
    • Defense must include runtime monitoring. Detecting compromised packages requires not only static analysis but also behavioral monitoring in CI/CD and production environments.

    Prediction:

    This attack foreshadows a new wave of AI‑targeted supply chain compromises. As organizations increasingly rely on unified LLM gateways, threat actors will continue to poison these proxies to harvest credentials, training data, and intellectual property. We can expect more attacks that combine CI/CD pipeline breaches with trusted tool subversion, making traditional “shift‑left” security insufficient. Future defenses will need to incorporate runtime verification of security tools, ephemeral build environments, and cryptographic provenance for every artifact—from the scanner to the final package. The era of assuming that PyPI and GitHub repositories are safe has ended.

    ▶️ Related Video (76% Match):

    🎯Let’s Practice For Free:

    IT/Security Reporter URL:

    Reported By: Cybersecuritynews Share – Hackers Feeds
    Extra Hub: Undercode MoN
    Basic Verification: Pass ✅

    🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

    💬 Whatsapp | 💬 Telegram

    📢 Follow UndercodeTesting & Stay Tuned:

    𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky