TeamPCP compromised the LiteLLM Python package, pushing malicious versions 1.82.7 and 1.82.8. These versions contained a credential harvester for SSH keys, cloud credentials, Kubernetes secrets, and crypto wallets, a Kubernetes lateral movement toolkit, and a persistent systemd backdoor. The attack likely stemmed from a compromise of LiteLLM's CI/CD workflow via Trivy.
Initial Access
CI/CD Pipeline Breach
likely
TeamPCP likely compromised LiteLLM's CI/CD workflow, specifically leveraging its use of Trivy, to gain unauthorized access to the build environment.
Defender cut points
Implement strong access controls and phishing-resistant MFA for CI/CD systems
Regularly audit CI/CD pipeline configurations and dependencies for suspicious changes
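One way to run the dependency audit for this incident, as an added example that is not code from this page or from the LiteLLM project: it scans a requirements file for lines that pin, or merely allow, the two versions named above. The function names and the sample file are hypothetical and constructed; only plain numeric version specifiers are evaluated, and anything else is flagged for manual review.

```python
import re

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # versions this page names as malicious
PACKAGE = "litellm"
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([^;#\\]*)")
SPEC_RE = re.compile(r"^(===|==|~=|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")

def _key(version):
    return tuple(int(part) for part in version.split("."))

def _allows(op, want, bad):
    """True if the single specifier `op want` admits version `bad`."""
    w, b = _key(want), _key(bad)
    if op in ("==", "==="):
        return b == w
    if op == "!=":
        return b != w
    if op == "~=":  # compatible release: >= want, same prefix up to the last part
        return b >= w and b[:len(w) - 1] == w[:-1]
    return {">=": b >= w, "<=": b <= w, ">": b > w, "<": b < w}[op]

def audit_requirements(text):
    """Return (line_no, verdict, admitted_bad_versions) per litellm requirement."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.match(line)
        # Normalize the project name so LiteLLM / lite_llm style spellings compare equal.
        if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != PACKAGE:
            continue
        specs = [s.strip() for s in m.group(3).split(",") if s.strip()]
        parsed = [SPEC_RE.match(s) for s in specs]
        if not all(parsed):  # URL requirement, wildcard, inline --hash, etc.
            findings.append((no, "review-manually", []))
            continue
        # An unpinned requirement has no specifiers and therefore admits everything.
        hit = sorted(b for b in BAD_VERSIONS
                     if all(_allows(p.group(1), p.group(2), b) for p in parsed))
        if hit:
            pinned = any(p.group(1) in ("==", "===") for p in parsed)
            verdict = "pinned-malicious" if pinned else "range-allows-malicious"
            findings.append((no, verdict, hit))
    return findings

# Constructed sample input; the other packages and versions are illustrative only.
SAMPLE = """# constructed sample requirements file
requests==2.32.3
litellm==1.82.8  # pinned in a constructed lockfile
litellm[proxy]>=1.80,<1.83
litellm==1.82.6
litellm-proxy-extras==0.1.0
"""
```

A `range-allows-malicious` finding means the resolver could have selected one of the listed versions, so the build's resolved lockfile or image still has to be checked to see what was actually installed.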