What We Learned from Proactively Stopping the LiteLLM Attack
On March 24, 2026, a threat group known as TeamPCP executed one of the most targeted supply chain attacks ever aimed directly at the AI developer community. The victim: LiteLLM, an open-source Python library with roughly 3.4 million daily downloads used to connect developers to large language models. The result: an estimated 500,000 credentials stolen in under six hours.
This wasn't a smash-and-grab. It was a calculated, multi-hop operation that exploited trust at every level of the software supply chain. And it succeeded -- in large part -- because most organizations were relying on tools that can only tell you what happened after the fact.
What's at Stake
LiteLLM records approximately 3.4 million downloads daily. If your team builds on AI infrastructure -- LLM proxies, agent frameworks, MCP servers -- your developers almost certainly have it installed. The blast radius of this attack was enormous, and it is almost certainly not the last of its kind.
The Kill Chain
Understanding how this attack unfolded is essential to understanding why traditional defenses missed it -- and what would have stopped it.
01 -- Initial Compromise: Trivy CI/CD Attack
TeamPCP first compromised Trivy, an open-source vulnerability scanner embedded in LiteLLM's CI/CD pipeline. This gave them the maintainer's PyPI credentials without ever touching LiteLLM's codebase directly.
02 -- Malicious Package Published to PyPI
Using the stolen credentials, attackers pushed LiteLLM v1.82.8 directly to PyPI -- bypassing GitHub entirely. The package contained a hidden .pth file that auto-executes on every Python process startup, no import required.
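The `.pth` mechanism is a documented CPython behavior: at startup, the `site` module processes every `.pth` file in the site-packages directories, and any line beginning with `import` is executed as code. That also makes it auditable. A minimal defensive sketch (the `audit_pth_files` helper is ours, not part of any standard tooling):

```python
import site
from pathlib import Path

def audit_pth_files():
    """List every executable line in the .pth files this interpreter
    will process at startup. Lines starting with "import " in a .pth
    file are run by the site module on EVERY Python launch -- no
    explicit import of the package is required."""
    findings = []
    # getsitepackages() can be absent in some older virtualenvs, so fall back gracefully.
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    dirs.append(site.getusersitepackages())
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for pth in d.glob("*.pth"):
            for line in pth.read_text(errors="ignore").splitlines():
                if line.startswith("import "):
                    findings.append((str(pth), line))
    return findings

for path, line in audit_pth_files():
    print(f"{path}: {line}")
```

Legitimate packages (e.g. editable installs) also ship `.pth` files, so the output is a review list, not a verdict -- but an `import` line that decodes and `exec`s a blob is exactly what this attack class looks like.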
03 -- Credential Harvesting
On execution, the malware swept the machine for SSH keys, AWS/GCP/Azure credentials, Kubernetes service account tokens, .env files, and database passwords -- everything that makes a developer's machine the most valuable target in an organization.
04 -- Encrypted Exfiltration to Rogue Domain
Harvested credentials were encrypted with a 4096-bit RSA public key, bundled into a tar archive, and silently POSTed to models.litellm.cloud -- a convincingly named rogue domain with no legitimate affiliation.
05 -- Kubernetes Lateral Movement and Persistence
If a Kubernetes token was present, the malware swept all cluster secrets, spun up privileged alpine:latest pods across every node in kube-system, mounted the host filesystem, and installed a systemd backdoor -- ensuring persistence long after cleanup.
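The pod pattern used here -- a privileged container mounting the host filesystem -- is one no ordinary workload needs, and it can be rejected at admission time. A hedged sketch of that check as a plain function over a pod manifest (in practice this would run as an admission webhook or a policy engine rule):

```python
def is_high_risk_pod(pod: dict) -> bool:
    """Flag pod specs matching the attack pattern: a privileged
    container combined with a hostPath volume mount."""
    spec = pod.get("spec", {})
    host_mount = any("hostPath" in v for v in spec.get("volumes", []))
    privileged = any(
        c.get("securityContext", {}).get("privileged", False)
        for c in spec.get("containers", [])
    )
    return privileged and host_mount

# Shaped like the pods this attack created in kube-system.
attack_pod = {
    "spec": {
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "worker",
            "image": "alpine:latest",
            "securityContext": {"privileged": True},
        }],
    }
}
print(is_high_risk_pod(attack_pod))  # True -> deny admission
```

Kubernetes Pod Security Standards at the "restricted" level forbid both privileged containers and hostPath volumes, so enforcing them cluster-wide would have stopped this stage outright.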
Why Traditional Tools Failed
The security community's post-mortem is damning. Existing signature-based checks and dependency scanning in public registries are no longer sufficient -- the malicious code was injected directly into trusted, signed packages and evaded detection until behavioral monitoring was applied.
This attack wasn't a known CVE. It didn't match a signature. It came from a package your team had been using and trusting for months. SCA scanners, SAST tools, and compliance certifications -- LiteLLM had them all -- couldn't stop it. SOC 2 and ISO 27001 badges don't mean your dependencies are clean.
Key Insight: The attack succeeded at the behavioral layer: a trusted package doing something no legitimate package should ever do -- silently sweeping credentials and POSTing encrypted data to an unknown external domain at process startup. That behavior is detectable. Most organizations simply are not watching for it.
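What "watching for it" means in practice is correlating per-process signals. A toy behavioral rule, assuming you already collect process events (file reads, outbound connections) tagged with process age -- the event shape here is invented for illustration:

```python
def startup_exfil_score(events, startup_window=5.0):
    """True when, within the first seconds of a process's life, it both
    reads credential-like files AND connects to an unrecognized host --
    the combination no legitimate package exhibits at import time."""
    reads_creds = any(
        e["type"] == "file_read"
        and e["path"].endswith((".env", "credentials", "id_rsa"))
        and e["age_s"] < startup_window
        for e in events
    )
    unknown_egress = any(
        e["type"] == "connect"
        and not e.get("known_host", False)
        and e["age_s"] < startup_window
        for e in events
    )
    return reads_creds and unknown_egress

# What the LiteLLM payload would have looked like to such a sensor:
observed = [
    {"type": "file_read", "path": "/home/dev/.env", "age_s": 0.4},
    {"type": "connect", "known_host": False, "age_s": 1.1},
]
print(startup_exfil_score(observed))  # True -> kill the process, alert
```

Either signal alone is noisy (dotenv loaders read `.env`; telemetry phones home); it is the conjunction, at startup, that is the tell.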
What Salience Cyber Would Have Done
Salience Cyber's Autonomous Network Defense Platform is built specifically for this threat landscape -- AI-era attacks that move laterally, exfiltrate data, and persist across environments before a single alert fires anywhere else.
| Attack Stage | Salience Cyber Response | Outcome |
|---|---|---|
| Malicious .pth executing at Python startup | AI-Generated Malware Detection + behavioral anomaly monitoring | DETECTED & BLOCKED |
| Credential sweep (SSH, cloud tokens, env vars) | Data Exfiltration prevention + Insider Threat monitoring | DETECTED & BLOCKED |
| Encrypted POST to models.litellm.cloud | Real-Time Policy Enforcement blocks unauthorized outbound connections | DETECTED & BLOCKED |
| Kubernetes secret sweep + privileged pod creation | Automated AI-Driven Reconnaissance & Lateral Movement detection | DETECTED & BLOCKED |
| systemd backdoor installation | Persistence behavior monitoring + system-level AI observability | DETECTED & BLOCKED |
The platform's AI Observability and Threat Prevention layer provides system-level visibility into AI interactions in real time -- making it uniquely suited to this attack, given that LiteLLM is itself AI infrastructure. When a trusted AI tool starts behaving like a credential harvester, Salience's Cognition AI Engine catches it at machine speed, not analyst speed.
Even if the malicious package landed on a developer's machine, every subsequent destructive action would have been intercepted. The credentials would not have left. The Kubernetes cluster would not have been touched. The backdoor would not have been planted.
The Bigger Picture
TeamPCP didn't stop at LiteLLM. The same campaign compromised Trivy and Checkmarx's security scanning tools in the same window. This is a new playbook: attack the security tools first, then use them as stepping stones into everything downstream.
AI developers are a high-value, high-trust, and historically under-defended target. They hold cloud credentials, LLM API keys, production secrets, and access to organizational infrastructure -- all on a single developer laptop. Supply chain attackers know this, and they are coming for that surface specifically.
The New Reality
The CI/CD pipeline is the new perimeter. Your developers' machines are some of the most sensitive endpoints in your organization. Behavioral, real-time, AI-native defense is not optional anymore -- it is the only thing that moves fast enough to matter.
Don't Wait for the Next Attack
Shift Left. Prevent, Don't React.
Salience Cyber's Autonomous Network Defense Platform stops AI-era threats before they breach -- at machine speed, with zero alert fatigue.