The AI Gateway That Became a Backdoor: Why Your LLM Proxy Just Became a Security Nightmare

A widely used AI gateway library that millions of developers pull into their projects every day was silently harvesting their cloud credentials, SSH keys, and Kubernetes secrets. On March 24, 2026, production systems running LiteLLM started crashing with runaway processes and out-of-memory errors. What engineers found was far worse than a bug: versions 1.82.7 and 1.82.8 of the popular Python package contained malicious code planted by a sophisticated threat group called TeamPCP.

LiteLLM is a unified gateway that sits between application code and AI model providers such as OpenAI, Anthropic, and Azure AI, routing and load-balancing requests across dozens of services. With 3.4 million daily downloads, it has become foundational infrastructure for AI development. The compromise exposed a structural weakness in how modern AI systems concentrate sensitive data into single points of failure.

How Did a Security Tool Become the Attack Vector?

The breach didn't start with LiteLLM. It started weeks earlier with Trivy, an open-source vulnerability scanner developed by Aqua Security that thousands of software projects run in their continuous integration and continuous deployment (CI/CD) pipelines. In late February 2026, an attacker exploited a misconfigured workflow in Trivy's GitHub repository to steal a personal access token, which gave them the ability to publish code to the project.

Security scanners are uniquely dangerous targets because they run with broad read access to the environments they inspect: environment variables, configuration files, and process memory, and in a CI job that environment includes the job's secrets. When compromised, they become credential-harvesting platforms with legitimate access to everything the pipeline can see. Aqua Security rotated credentials after discovering the breach on March 1, but according to their own analysis, the rotation "wasn't atomic and attackers may have been privy to refreshed tokens".

That gap proved decisive. On March 19, TeamPCP used still-valid credentials to force-push malicious code to 76 of 77 release tags in the trivy-action repository. Git tags are mutable references, and a workflow that pins the action by tag (uses: aquasecurity/trivy-action@<tag>) resolves that tag again on every run, so pins that had been reviewed months earlier silently began pulling the attacker's commit. The malicious code scraped process memory for secrets, harvested cloud credentials and SSH keys from the filesystem, encrypted the bundle with a hybrid scheme (AES-256-CBC for the data, with the symmetric key wrapped under an RSA-4096 key held by the attacker), and exfiltrated everything to a typosquatted domain.
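The defensive counterpart to the tag force-push is to reference actions by full commit SHA, which cannot be moved the way a tag can. The script below is an added example, not code from the article, from Aqua Security, or from LiteLLM: a small linter that walks a workflow file and flags every uses: line that resolves through a mutable ref. The sample workflow it runs on is constructed for the example, and the version tag and the 40-hex commit SHA in it are placeholders chosen for illustration, not real trivy-action releases.

```python
"""
Added example (not from the article, Aqua Security, or LiteLLM): flag GitHub
Actions `uses:` references that resolve through a mutable ref (tag or branch)
instead of a full 40-character commit SHA. A force-pushed tag changes what a
tag-pinned workflow runs; a SHA-pinned one keeps running the reviewed commit.
"""
import re
from dataclasses import dataclass
from typing import List

# `uses: owner/repo[/subdir]@ref`, optionally quoted, optionally a list item.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    reason: str


def find_unpinned_uses(workflow_text: str) -> List[Finding]:
    """Return one Finding per `uses:` line whose ref can change underneath you."""
    findings: List[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        spec = match.group(1)
        # Local composite actions and docker:// images are pinned differently;
        # they are out of scope for this check.
        if spec.startswith(("./", "docker://")):
            continue
        if "@" not in spec:
            findings.append(Finding(line_no, spec, "", "no ref given; resolves to the default branch"))
            continue
        action, ref = spec.rsplit("@", 1)
        if FULL_SHA_RE.match(ref):
            continue  # immutable: a retagged release cannot change what runs
        if SHORT_SHA_RE.match(ref):
            reason = "abbreviated SHA; pin the full 40-character commit SHA"
        else:
            reason = "mutable tag or branch; a force-pushed tag changes what runs"
        findings.append(Finding(line_no, action, ref, reason))
    return findings


# Constructed sample workflow. "0.28.0" and the 40-hex SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy, tag-pinned (mutable)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - name: Trivy, SHA-pinned (immutable; placeholder SHA)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""


def lint(workflow_text: str) -> List[str]:
    """Human-readable report, one line per finding."""
    return [
        f"line {f.line_no}: {f.action}@{f.ref or '<none>'}: {f.reason}"
        for f in find_unpinned_uses(workflow_text)
    ]


if __name__ == "__main__":
    for message in lint(SAMPLE_WORKFLOW):
        print(message)
```

Two caveats belong next to this check. A SHA pin only protects you if the pinned commit predates the compromise, so pins have to be bumped deliberately (a bot that updates the SHA and records the tag in a trailing comment is the usual compromise between freshness and immutability). And pinning does nothing about what the action can read once it runs: the scanner still sees the job's environment, so the pin has to be paired with a minimal permissions: block and secrets scoped to the jobs that need them.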

What Made the LiteLLM Payload So Dangerous?

Controlling Trivy's release pipeline did not by itself let TeamPCP publish other people's packages; what it did was put their code inside the CI jobs of every project that ran the compromised action, where it could harvest the secrets those jobs held. The Trivy compromise gave the attackers the credentials needed to publish to LiteLLM's PyPI project, and LiteLLM became collateral damage in a broader supply chain campaign. The two malicious versions deployed a three-stage payload designed to maximize damage across AI infrastructure.

  • Credential Harvesting: The payload targeted over 50 categories of secrets, including cloud platform credentials, SSH keys, and Kubernetes cluster access tokens, encrypting and exfiltrating them to attacker-controlled servers.
  • Kubernetes Lateral Movement: The malicious code included a toolkit capable of compromising entire Kubernetes clusters, allowing attackers to move laterally through containerized infrastructure and maintain persistence.
  • Persistent Backdoor: A 34,628-byte file called LiteLLM_init.pth provided ongoing remote code execution. Python's site module processes every .pth file in site-packages at interpreter startup and exec()s any line that begins with import, so the backdoor ran every time the interpreter started, regardless of whether LiteLLM was actually imported into a project.

The sophistication of the attack is evident in how quickly the attacker adapted. Version 1.82.7, released at 10:39 UTC, injected the payload directly into the proxy_server.py file, so it only ran when the proxy was used. Within 13 minutes, version 1.82.8 switched to the .pth file mechanism, which is far stealthier: it runs automatically whenever Python starts, not just when LiteLLM is used, and it keeps running for as long as the file sits in site-packages, even if the litellm package itself is later removed without it. This rapid iteration from function-level injection to interpreter-level persistence demonstrates a deep understanding of Python's execution model.

Why Does This Matter for AI Development?

LiteLLM's role as a unified gateway to multiple AI model providers makes it a particularly valuable target. Developers use it to manage API keys and credentials for OpenAI, Anthropic, Azure AI, and dozens of other services. When compromised, it doesn't just expose one service's credentials; it exposes access to an organization's entire AI infrastructure stack.

The incident reveals a structural problem in how AI infrastructure is built. AI proxy services concentrate API keys and cloud credentials into single packages that are downloaded millions of times daily. When supply chain attacks compromise upstream dependencies like security scanners, the blast radius extends far beyond the original target. TeamPCP's campaign spanned PyPI (Python's package repository), npm (JavaScript's package repository), Docker Hub, GitHub Actions, and OpenVSX in a single coordinated operation.

"Your CI/CD security tooling has the same access as your deployment tooling. If it's compromised, everything downstream is exposed," noted security researchers analyzing the incident.

TrendMicro Research Team, analyzing the LiteLLM compromise

The uncomfortable lesson is that security tools themselves have become attack vectors. Defenders rely on vulnerability scanners to catch supply chain compromises, but when those scanners are compromised, they become the entry point for the very attacks they're designed to prevent. The Trivy compromise gave attackers the keys to publish arbitrary versions of LiteLLM to PyPI, and everything that followed was exploitation of that initial foothold.

What Should AI Teams Do Now?

Organizations using LiteLLM should immediately check every environment for versions 1.82.7 and 1.82.8 and for a LiteLLM_init.pth file in site-packages, remove both, and rotate every credential those hosts could reach: cloud keys, SSH keys, Kubernetes tokens, and the provider API keys the gateway was configured with. Because the .pth backdoor ran at every interpreter start, anything a Python process on an affected host could read should be treated as exposed, whether or not LiteLLM was ever called. However, the broader lesson extends beyond this single incident. AI infrastructure requires the same supply chain security rigor that traditional software development has learned over decades, but adapted for the unique risks of AI systems that concentrate sensitive data and API access.
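The audit script below is an added example, not code from the article or from the LiteLLM project. It does the two checks the article implies: it classifies the installed litellm version against the two versions the article names as malicious, and it lists every .pth line in the interpreter's site directories that Python's site module would exec() at startup, the mechanism the LiteLLM_init.pth backdoor relied on. The .pth contents in SAMPLE_PTH_FILES are constructed stand-ins, not the real payload, and the script only reads .pth files; it never executes them.

```python
"""
Added example (not from the article or LiteLLM): audit a host for the two
malicious litellm versions and for .pth files that run code at startup.
"""
import os
import site
from importlib import metadata
from typing import Dict, List, Optional, Tuple

# Versions the article identifies as carrying the payload.
MALICIOUS_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}

Finding = Tuple[str, int, str]  # (pth file, line number, line site.py would exec)


def classify_litellm_version(version: Optional[str]) -> str:
    """'malicious', 'unlisted', or 'not_installed'. 'unlisted' is not proof of a clean host."""
    if version is None:
        return "not_installed"
    if version in MALICIOUS_LITELLM_VERSIONS:
        return "malicious"
    return "unlisted"


def installed_litellm_version(search_path: List[str]) -> Optional[str]:
    """Look litellm up in the given directories rather than sys.path, so the
    check also works under `python -S`, where site-packages is not on sys.path."""
    for dist in metadata.distributions(name="litellm", path=search_path):
        return dist.version
    return None


def pth_executable_lines(pth_name: str, text: str) -> List[Finding]:
    """Mirror what site.addpackage() does with a .pth file: skip comments and
    blank lines, exec() lines starting with 'import ' or 'import\\t', and append
    everything else to sys.path. Only the lines that would be exec()'d are returned."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith(("import ", "import\t")):
            findings.append((pth_name, line_no, line.rstrip()))
    return findings


def scan_site_dir(directory: str) -> List[Finding]:
    """Read (never execute) every .pth file in one site directory."""
    findings: List[Finding] = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(pth_executable_lines(path, fh.read()))
        except OSError:
            continue
    return findings


def site_dirs() -> List[str]:
    """Directories whose .pth files the interpreter processes at startup."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return dirs


# Constructed sample .pth files (stand-ins for illustration, not the real backdoor).
SAMPLE_PTH_FILES: Dict[str, str] = {
    # A normal .pth: a bare path that site.py appends to sys.path; nothing is executed.
    "some_editable_pkg.pth": "# added by an editable install\n/srv/app/src\n",
    # The startup-backdoor shape: a single `import` line, exec()'d on every interpreter start.
    "LiteLLM_init.pth": "import sys; sys.stderr.write('constructed example line\\n')\n",
}


def scan_samples() -> List[Finding]:
    findings: List[Finding] = []
    for name, text in SAMPLE_PTH_FILES.items():
        findings.extend(pth_executable_lines(name, text))
    return findings


def audit() -> None:
    dirs = site_dirs()
    print(f"litellm: {classify_litellm_version(installed_litellm_version(dirs))}")
    for directory in dirs:
        for path, line_no, line in scan_site_dir(directory):
            flag = "  <-- name matches the article's backdoor" if os.path.basename(path).lower() == "litellm_init.pth" else ""
            print(f"{path}:{line_no}: {line}{flag}")


if __name__ == "__main__":
    audit()
```

Run it as python -S audit.py so that the interpreter's own startup does not execute the very .pth files you are about to inspect; the version lookup searches the site directories explicitly for that reason. Treat the output as a review list rather than a kill list: legitimate .pth files with import lines exist (setuptools' distutils-precedence.pth is a common one), so the question for each hit is whether you can trace it to a package you installed. And a clean result says nothing about what an earlier malicious version already exfiltrated, which is why the credential rotation still has to happen.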

This incident is part of a pattern. TeamPCP previously compromised other security tools including Checkmarx KICS, a popular infrastructure-as-code scanner, demonstrating that this is not a one-time attack but a deliberate strategy targeting the tools that developers trust most. The sophistication and coordination across multiple ecosystems suggests a well-resourced threat actor with a deep understanding of how modern software development works.