TeamPCP Publishes Two Malicious LiteLLM Versions That Harvest Developer Credentials, PyPI Warns

26 March, 2026. Technology and Science. 4 sources

Key Takeaways

  • LiteLLM malware exposed cloud/CI/CD credentials, triggering PyPI warning.
  • Supply-chain attack on LiteLLM open-source ecosystem prompts investigation and remediation.
  • Malware in LiteLLM targets widely used AI middleware with millions of downloads.

New credential exposure via PyPI

The defining new development is PyPI's warning that credentials in LiteLLM environments may have been exposed after two malicious LiteLLM versions were briefly published on PyPI.

The advisories connect the incident to the ongoing TeamPCP supply-chain operation that targeted Trivy, a widely used open-source vulnerability scanner.

Tech outlets highlighted the scale of LiteLLM’s distribution, noting it was downloaded millions of times daily, which amplifies the potential impact of credential leakage.

Non-Western coverage stresses that the combination of a popular dependency and a credential-stealing payload reveals a broader vulnerability in software supply chains.

Payloads and credential harvest

Two malicious LiteLLM versions carried a multi-stage payload designed to harvest credentials from developer environments, CI/CD pipelines, and cloud configurations.

The payload relied on base64-encoded Python code to conceal its activity and exfiltrate environment variables, API keys, SSH keys, and cloud credentials.
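
One way a defender could triage Python source for the concealment pattern described above, as an added example that is not code from the advisories or from the LiteLLM project. It assumes the hidden code is base64-decoded and then handed to `exec`, `eval` or `compile` (the page does not say how the payload runs it); the function names and the sample file are constructed for illustration.

```python
import ast
import base64
import binascii

SINKS = {"exec", "eval", "compile"}  # builtins that run a string as code

def _name(call):
    """Trailing name of a call target: base64.b64decode(...) -> 'b64decode'."""
    f = call.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)

def _decode_call(expr):
    """First b64decode(...) call found anywhere inside expr, else None."""
    return next((n for n in ast.walk(expr)
                 if isinstance(n, ast.Call) and _name(n) == "b64decode"), None)

def _preview(call):
    """Decode a literal argument so an analyst can read what was hidden."""
    arg = call.args[0] if call.args else None
    if not (isinstance(arg, ast.Constant) and isinstance(arg.value, (str, bytes))):
        return None
    try:
        return base64.b64decode(arg.value, validate=True).decode("utf-8", "replace")[:80]
    except (binascii.Error, ValueError):
        return None

def find_encoded_exec(source, filename="<constructed>"):
    """Return (line, sink, decoded_preview) for each exec/eval/compile fed by base64."""
    tree = ast.parse(source, filename=filename)  # parses only, never runs the file
    tainted = {}  # variable name -> the b64decode call assigned to it
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and (call := _decode_call(node.value)):
            tainted.update({t.id: call for t in node.targets if isinstance(t, ast.Name)})
    findings = []
    sinks = [n for n in ast.walk(tree) if isinstance(n, ast.Call) and _name(n) in SINKS]
    for node in sinks:
        call = next(filter(None, map(_decode_call, node.args)), None)
        if call is None:  # fall back to variables assigned from a decode
            names = [n.id for a in node.args for n in ast.walk(a) if isinstance(n, ast.Name)]
            call = next((tainted[n] for n in names if n in tainted), None)
        if call is not None:
            findings.append((node.lineno, _name(node), _preview(call)))
    return sorted(findings, key=lambda f: f[0])

# Constructed, benign sample standing in for one file of an installed package.
ENC = base64.b64encode(b"print('stage 2')").decode()
SAMPLE = (f'import base64, os\nexec(base64.b64decode("{ENC}"))\n'
          'blob = base64.b64decode(os.environ["P"])\nexec(blob)\n'
          'ok = base64.b64decode("aGVsbG8=")\nprint(ok)\n')
```

Values passed through attributes, string concatenation or other decoders are not tracked, so an empty result is not proof that a package is clean.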

The attack chain exploits a dependency compromise, meaning the malware piggybacked on an upstream package LiteLLM relied upon.

The window on PyPI was short, but the broad reach of LiteLLM meant the exposure could be widespread across many affected organizations.

Wiz researchers emphasized LiteLLM’s footprint in cloud environments, highlighting the potential scale of impact.

Delve-certification scandal

LiteLLM’s public statements claim SOC 2 and ISO 27001 certifications credited to Delve, a startup accused of questionable auditing practices.

Delve denies the allegations of fake data and rubber-stamped reports, complicating how readers should interpret compliance badges.

Commentary from multiple outlets suggests certifications are policy signals rather than guarantees against supply-chain breaches.

This framing illuminates how third-party validators can become part of the risk landscape when the underlying software supply chain is compromised.

Investigation and responses

LiteLLM said the priority now is an active investigation in collaboration with Mandiant; after the forensic review is complete, LiteLLM plans to share technical findings with the developer community.

Tech and regional outlets emphasize ongoing investigations and the lack of public comment from LiteLLM’s leadership on Delve’s involvement.

The reporting references notices described as relevant to criminal offenses and indicates that authorities are involved in the response process.

The overall posture combines incident response, forensics, and regulatory scrutiny, illustrating how supply-chain breaches trigger cross-cutting investigations.

Supply-chain reach and risk

The LiteLLM incident is described as part of a broader TeamPCP supply-chain campaign tied to the Trivy ecosystem and other CI/CD tools.

Coverage from multiple jurisdictions stresses the scale of exposure and the risk of widespread credential theft from popular dependencies.

Analysts point to the enormous distribution footprint—millions of downloads—and the resulting exposure surface as a primary driver of risk.
