LiteLLM supply chain attack compromises thousands

On March 24, 2026, the LiteLLM package was targeted in a supply chain attack by TeamPCP. The threat actor published two malicious LiteLLM versions on PyPI (1.82.7 and 1.82.8), which automatically executed a credential-stealing payload and enabled the exfiltration of sensitive data, such as API tokens, cloud data, and SSH keys.

The Lightweight Large Language Model Library (“LiteLLM”) is an open-source Python library that provides a unified interface for large language models (LLMs) through a single API. With around 97 million monthly downloads on PyPI, it’s hugely popular among AI developers across the globe.

At present, it’s believed that around 500,000 credentials have already been stolen. But with experts warning that this is the start of a much larger attack, these figures likely only scratch the surface.

For starters, many traditional security tools failed to detect the exploit (due to their reliance on known vulnerabilities). Furthermore, because LiteLLM is used as a dependency by various other tools, such as Cursor IDE, LangChain, and CrewAI, many developers might be unaware the package is included within their project.
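A check for the hidden-dependency problem described above, as an added example (not code from the article or from Point Wild's scanner): it reports whether the current Python environment has LiteLLM installed at one of the two versions named here, and which installed packages pull it in directly or transitively. The function names are this example's own.

```python
import re
from importlib import metadata

# The two versions the article names as malicious.
BAD_VERSIONS = {"1.82.7", "1.82.8"}
TARGET = "litellm"

def norm(name):
    """PEP 503 name normalization so 'Lite_LLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def req_name(requirement):
    """Extract the project name from a Requires-Dist string."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement)
    return norm(m.group(1)) if m else None

def installed_packages():
    """Snapshot the environment as {name: (version, [dependency names])}."""
    pkgs = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if not name:
            continue
        # Environment markers are ignored, so optional-extra dependencies
        # are counted too; over-reporting is the safer error here.
        deps = [req_name(r) for r in (dist.requires or [])]
        pkgs[norm(name)] = (dist.version, [d for d in deps if d])
    return pkgs

def audit(pkgs):
    """Return (installed version or None, is_bad, packages that pull litellm in)."""
    version = pkgs.get(TARGET, (None, []))[0]
    parents = {}  # reverse edges: dependency -> packages that declare it
    for name, (_, deps) in pkgs.items():
        for d in deps:
            parents.setdefault(d, set()).add(name)
    seen, stack = set(), [TARGET]
    while stack:  # walk upward to collect direct and transitive dependents
        for p in parents.get(stack.pop(), ()):
            if p not in seen:
                seen.add(p)
                stack.append(p)
    seen.discard(TARGET)
    return version, version in BAD_VERSIONS, sorted(seen)

if __name__ == "__main__":
    version, bad, dependents = audit(installed_packages())
    print(f"litellm installed: {version or 'no'}; malicious version: {bad}")
    print("pulled in by:", ", ".join(dependents) or "nothing found")
```

Run it with the interpreter of each virtual environment or build image you want to check, since it only sees packages installed for that interpreter.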

As the industry scrambles to mitigate the fallout from the attack, Point Wild has developed a new AI-powered scanner, who-touched-my-packages, which works to scan third-party packages for malicious behavior, including credential harvesting, data exfiltration, obfuscated code, and CI/CD tampering.

Who is TeamPCP?

TeamPCP has carried out a number of high-profile attacks in the last week alone. Several days ago, it compromised Aqua Security’s Trivy vulnerability scanner to distribute credential-stealing malware via GitHub and official releases. Current estimates suggest around 10,000 CI/CD workflows were impacted.

The threat actor is also responsible for ‘CanisterWorm,’ an npm-based campaign that started on March 20, and for another campaign targeting Kubernetes clusters. In the latter, the focus wasn’t just on stealing credentials and installing backdoors, but on wiping entire Kubernetes clusters.

Software supply chain attacks

From attacks targeting open-source packages to zero-day vulnerabilities exploited by ransomware gangs, software supply chain attacks are a key focus for hackers due to the widespread and far-reaching consequences they can have. Instead of targeting one organization at a time, hackers are focusing on these attacks in a bid to gain access to thousands of entities through one source.

For example, Clop’s recent exploit of the Oracle zero-day vulnerability has already led to the breach of nearly 3.8 million records, with health insurance giant Humana being one of the latest to issue breach notifications.