Top LLM PyPl package compromised to steal user details - here's what we know

News
By published

Aqua Security’s Trivy vulnerability scanner compromise is trickling down

Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
(Image credit: Shutterstock)
  • Popular Python package LiteLLM compromised in supply chain attack
  • Malicious updates (v1.82.7, v1.82.8) deployed TeamPCP Cloud Stealer infostealer
  • Attack harvested cloud credentials, Kubernetes secrets, wallets; users urged to rotate tokens and revert to safe versions

A hugely popular Python package called LiteLLM was compromised and used to deploy an infostealer malware to hundreds of thousands of devices.

LiteLLM is a lightweight API layer that lets users call multiple AI models (like OpenAI, Anthropic, etc.) through one unified interface. It has more than 40,000 stars, and more than 30,000 commits.

According to multiple security researchers, as well as the project’s maintainers, threat actors calling themselves TeamPCP managed to break into the LiteLLM account and push two malicious updates: LiteLLM 1.82.7, and 1.82.8.

Article continues below

Stealing secrets

The exact number of people who downloaded this update is not known (and will probably never be), but some sources claim it could be as many as 500,000.

BleepingComputer reports the breach is a direct result of a previous compromise at Aqua Security’s Trivy vulnerability scanner, following similar attacks on Aqua Security Docker images, and the Checkmarx KICS project.

Through the supply chain attack, TeamPCP distributed a custom-built infostealer called “TeamPCP Cloud Stealer”, as well as a persistence script. Security researchers at Endor Labs said the attack is split into three steps:

"Once triggered, the payload runs a three-stage attack: it harvests credentials (SSH keys, cloud tokens, Kubernetes secrets, crypto wallets, and .env files), attempts lateral movement across Kubernetes clusters by deploying privileged pods to every node, and installs a persistent systemd backdoor that polls for additional binaries," explains Endor Labs.

"Exfiltrated data is encrypted and sent to an attacker-controlled domain."

The infostealer also runs a system check, grabs cloud credentials for Amazon, Google, and Microsoft, and pulls TLS private keys and CI/CD secrets.

If you’ve installed any of the poisoned versions, make sure to rotate all secrets, tokens, and credentials, as soon as possible, and monitor outbound traffic to known attacker domains. Also, make sure to revert either to versions 1.82.3, or 1.82.6.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.