Three’s a Crowd: TeamPCP trojanizes LiteLLM in Continuation of Campaign

LiteLLM is the latest victim in TeamPCP’s spree of attacks targeting the open source ecosystem. Previously, Wiz has covered the compromises of Aqua Security’s Trivy and a set of Checkmarx GitHub Actions and OpenVSX extensions. LiteLLM is an open-source Python library and proxy server that acts as a universal translator, converting API requests for over 100 different Large Language Models into the standard OpenAI format. Our data shows that LiteLLM is present in 36% of cloud environments, signifying the potential for widespread impact.

Update 03/25: LiteLLM has published an official and actively maintained Security Update.

Malicious versions of the LiteLLM python package (1.82.7 and 1.82.8) were published on the morning of 24 March 2026. The compromised packages employed two different methods to deliver their payload. The packages were published at approximately 8:30 UTC and quarantined by PyPI at 11:25 UTC. An PyPI advisory has been posted here, identifying an API token exposed via the prior Trivy incident as the root cause. Wiz customers can check their environment via the Wiz Threat Center.

• 1.82.7 drops the double base64 encoded payload to disk and then runs it as p.py and executes whenever litellm –proxy is run or when litellm.proxy.proxy_server is imported. 

• 1.82.8 includes the version used in 1.82.7 and also adds a more complex mechanism that causes the malicious code to be run whenever python is invoked. 

  • The malicious package abuses python’s .pth file mechanism, which allows arbitrary code execution during interpreter initialization. The package includes a malicious file (litellm_init.pth) that is triggered whenever python is invoked on the system, whether or not there is an explicit import of LiteLLM.

  • The file executes a double base64-encoded payload via subprocess, effectively bypassing simple inspection techniques. This provides stealthy and persistent execution across any Python process in the environment.

Once executed, the payload performs the same extensive data collection across the host seen in the KICS operation. It targets environment variables (including API keys and tokens), SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes configs, CI/CD secrets, Docker configs, database credentials, and even cryptocurrency wallets. The collected data is encrypted using AES-256, with the key further encrypted using an embedded RSA public key, and exfiltrated to an attacker-controlled domain (checkmarx[.]zone in 1.82.7, models[.]litellm[.]cloud in 1.82.8).

The LiteLLM script utilizes the same basic and Kubernetes based persistence mechanisms seen in the KICS operation. They continue to use checkmarx.zone/raw as the callout for their persistent python script.

How Wiz can help?

Wiz customers should continue to monitor the advisory in the Wiz Threat Center for ongoing guidance, pre-built queries, and references to relevant detections they can use to assess the risk  in their environment.