
How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM

Blog post from Snyk

Author: Stephen Thoemmes
Word count: 2,635
Language: English
Summary

On March 24, 2026, two versions of the litellm Python package published on PyPI were found to contain malicious code, attributed to the threat actor TeamPCP. The two versions, 1.82.7 and 1.82.8, were uploaded after the attackers obtained the package maintainer's credentials through an earlier compromise involving Trivy, a security scanner used in LiteLLM's CI/CD pipeline. The packages carried a three-stage payload built for credential harvesting, encrypted exfiltration, and installation of a persistent backdoor, with the ability to spread through Kubernetes environments. The attack was detected quickly when a developer noticed a system becoming unresponsive because of a fork bomb triggered by the malicious code. The compromised packages were available for roughly three hours before removal, which prompted widespread community alerts and discussion, and affected projects took immediate security measures. Snyk, a security company, has been tracking the incident and publishing updates, and points to the broader pattern of attackers targeting tools that hold elevated access in automated pipelines.