
TeamPCP's LiteLLM Takeover: A Cascading Supply Chain Attack Across Five Ecosystems

Blog post from Stream.Security

Post Details
Author: Petr Zuzanov
Word Count: 2,219
Language: English
Summary

In 2026, TeamPCP orchestrated a major multi-ecosystem supply chain attack targeting platforms such as GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI. The campaign began with the compromise of a single CI/CD token, which led to a cascade of breaches across various ecosystems within a week. One significant target was LiteLLM, a widely used AI/ML package, for which malicious versions were published that enabled extensive credential theft and system backdoors. The attack exploited vulnerabilities in build pipelines, particularly the unpinned installation of dependencies like Trivy, allowing the attackers to harvest credentials and maintain persistent access across cloud environments. Compromised versions were found to execute malicious payloads on any Python process invocation, posing severe risks. Detection strategies involve monitoring for runtime anomalies. The campaign highlights the critical need for robust anomaly detection in security postures to preemptively identify threats before traditional indicators of compromise (IOCs) are published.