A supply chain attack has targeted LiteLLM, an open-source Python library commonly integrated into AI systems. According to researchers, the compromise poses a significant risk, with tens of thousands of enterprise environments potentially exposed.
Malicious versions 1.82.7 and 1.82.8 were published on the Python Package Index on Tuesday, leading to unintentional downloads across development systems and cloud-based environments.
According to Sonatype experts, the malicious packages were accessible for a minimum of two hours on March 24. With the package seeing around three million downloads per day, researchers believe the attack may have impacted a substantial number of victims.
This event highlights the growing risks within the open-source supply chain, as popular tools managed by relatively small teams can, if breached, open the door to large-scale access across thousands of organizations.
An urgent alert was released last year by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Red Hat following the discovery of a backdoor hidden within the XZ Utils utility.
Attacks like the Shai Hulud worm highlight a growing trend where threat actors exploit developer-trusted dependencies to scale intrusions across multiple organizations, inserting malicious code deep into enterprise environments.
Hackers behind the LiteLLM breach managed to inject malicious code into the official package. Although the precise attack vector is still unclear, researchers suggest that a maintainer’s account was likely compromised, given that the malicious releases were uploaded with legitimate publishing permissions.
Malicious versions of the package were designed to exfiltrate critical information, including cloud credentials, API keys, and crypto wallets. In addition, they deployed a persistent downloader to retain access and facilitate more extensive follow-on attacks within affected systems.
According to Adam Reynolds, a senior security researcher at Sonatype, the team detected atypical activity in the malware, particularly its infrequent communication with its command endpoint, occurring roughly every 50 minutes.
Such a prolonged interval could allow the malware to bypass sandbox detection, as these environments often execute samples for limited timeframes. Alternatively, it may act as a heartbeat signal, helping operators identify real victims versus security researchers probing the system.
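A defender can hunt for this kind of slow, regular check-in in egress or proxy logs. The sketch below is an added example, not code from Sonatype or the LiteLLM project. The log format, host names, tolerance and minimum connection count are assumptions; only the 50-minute interval comes from the article.

```python
import statistics
from collections import defaultdict
from datetime import datetime

BEACON_INTERVAL_S = 50 * 60  # interval reported in the article
TOLERANCE_S = 5 * 60         # assumption: accepted drift per gap
MIN_CONNECTIONS = 4          # assumption: need at least three gaps

# Constructed sample: "<ISO timestamp> <source host> <destination>"
SAMPLE_LOG = """\
2030-01-01T00:02:11 build-07 telemetry.example.invalid
2030-01-01T00:52:40 build-07 telemetry.example.invalid
2030-01-01T01:41:55 build-07 telemetry.example.invalid
2030-01-01T02:32:20 build-07 telemetry.example.invalid
2030-01-01T00:05:00 build-07 mirror.example.invalid
2030-01-01T00:06:30 build-07 mirror.example.invalid
2030-01-01T01:40:00 build-07 mirror.example.invalid
2030-01-01T03:59:00 build-07 mirror.example.invalid
2030-01-01T00:10:00 dev-12 updates.example.invalid
2030-01-01T01:10:00 dev-12 updates.example.invalid
2030-01-01T02:10:00 dev-12 updates.example.invalid
2030-01-01T03:10:00 dev-12 updates.example.invalid
2030-01-01T00:30:00 ci-03 telemetry.example.invalid
2030-01-01T01:20:00 ci-03 telemetry.example.invalid
"""

def flows_by_pair(log_text):
    """Group connection timestamps by (source, destination)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ts, src, dst = line.split()
            flows[(src, dst)].append(datetime.fromisoformat(ts))
        except ValueError:
            continue  # blank or malformed line
    return flows

def find_slow_beacons(log_text, interval=BEACON_INTERVAL_S,
                      tolerance=TOLERANCE_S, min_conn=MIN_CONNECTIONS):
    """Return (source, destination, median gap in minutes) for regular flows."""
    hits = []
    for (src, dst), times in flows_by_pair(log_text).items():
        if len(times) < min_conn:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        # Median near the interval, and every gap close to the median
        if abs(median - interval) <= tolerance and all(abs(g - median) <= tolerance for g in gaps):
            hits.append((src, dst, round(median / 60)))
    return sorted(hits)
```

The `ci-03` flow is not flagged because two connections cannot establish a period, which is the same blind spot the article describes for short-lived sandboxes; short-lived runners need longer log retention or a check against the affected package versions instead.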
While the full scale of the impact is still unclear, Wiz Research suggests the package existed in approximately 36% of cloud environments. As a precaution, users are being urged to treat any exposed credentials as compromised.
According to Wiz researchers, the attack appears to be part of a broader campaign by a group calling itself TeamPCP, which leverages a public Telegram channel to promote its activities and recruit other cybercriminal actors.
TeamPCP has previously claimed involvement in an attack on Aqua Security’s Trivy vulnerability scanner, which the company has confirmed. It has also stated that it is working alongside several other cybercriminal groups, although this has yet to be independently verified.
According to the group, it plans to persist in attacking popular open-source projects; however, these assertions have not been independently confirmed, and similar groups frequently overstate their success.
On Wednesday, a Telegram account purporting to be the group’s new leader said it was “actively sorting through the credential sets,” describing the scale as “astronomical” despite the teams’ resources, and noted that the effort would pay off.
No large-scale exploitation tied to the LiteLLM incident has been publicly confirmed so far, but experts warn that the risks remain significant, particularly if stolen credentials are leveraged in follow-on attacks.