TeamPCP, the threat actor responsible for the recent compromises of the security tools Trivy and KICS, has successfully backdoored the popular Python package litellm. The malicious versions, 1.82.7 and 1.82.8, contain multiple attack components, including a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor mechanism.

Multiple security vendors, including Endor Labs and JFrog, have confirmed the compromise and identified the malicious package versions. The attack represents a significant supply chain security threat, given litellm's popularity within the Python ecosystem and its potential for widespread deployment in enterprise environments.
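
To check whether a project pins, or an environment has installed, one of the two versions named above, the following added example (not code from the vendors' reports) scans requirements-style text and the current Python environment. The sample input is constructed, and the function names are this example's own.

```python
import re
from importlib import metadata

# Package name and affected versions as reported on this page.
PACKAGE = "litellm"
BAD_VERSIONS = {"1.82.7", "1.82.8"}

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

# Pinned requirement line: name, optional [extras], '==' or '===', version.
# The version stops at whitespace, ';' (markers), '#' or '\' (continuations).
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*===?\s*([^\s;#\\]+)"
)

def scan_requirements(text):
    """Return (line_number, line) for every exact pin of a listed version."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PIN_RE.match(line)
        if m and normalize(m.group(1)) == PACKAGE and m.group(2) in BAD_VERSIONS:
            hits.append((n, line.strip()))
    return hits

def installed_hit():
    """Return the installed litellm version if it is a listed one, else None."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return version if version in BAD_VERSIONS else None

# Constructed sample input (requirements.txt / pip freeze style), not from the page.
SAMPLE = """\
requests==2.32.3
LiteLLM[proxy]==1.82.7 ; python_version >= "3.9"
litellm==1.82.6
# litellm==1.82.8
litellm==1.82.8 --hash=sha256:<placeholder>
litellm-extras==1.82.7
litellm>=1.82.0
"""

if __name__ == "__main__":
    for n, line in scan_requirements(SAMPLE):
        print(f"line {n}: {line}")
    print("installed:", installed_hit() or "no listed version installed")
```

Range specifiers such as `litellm>=1.82.0` are not flagged because they do not name a version, so run `installed_hit()` inside each resolved environment or image as well.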