
CI/CD Poisoning Spreads: Deep Dive into the LiteLLM Backdoor (v1.82.7/1.82.8)

VPN_Expert_Nico 3/25/2026

TeamPCP is really exploiting the supply chain angle hard. After hitting Trivy and KICS, they've managed to backdoor the litellm package by compromising the Trivy CI/CD pipeline itself. If you are using LiteLLM for LLM orchestration, you need to check your versions immediately.

According to reports from Endor Labs and JFrog, the malicious versions 1.82.7 and 1.82.8 were pushed in March. The payload is aggressive, including a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor.

Since this targets a popular Python library, the impact on dev environments could be massive. If you are currently running these versions, assume your environment is compromised.

To check your installed versions across your environment, you can run this quick audit:

pip list | grep litellm


If you are using `poetry` or `pipenv`, make sure to check your lock files against the official hashes. The immediate remediation is to downgrade to `1.82.6` or upgrade to a patched version (likely `1.82.9+` or the latest), and rotate any credentials stored in the environment where the package ran.

What's terrifying is that they used a security tool's (Trivy) pipeline to distribute this. How are you guys verifying the integrity of your third-party dependencies? Are we finally at the point where pip install without hash verification is considered negligence?
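Added example (not from the post above): a small audit that checks the three places a LiteLLM pin usually lives, the running interpreter, a `requirements.txt` and a `poetry.lock`, and flags the two versions this thread names. The known-bad version list comes from the post; the file contents are constructed samples, and the regex-based lock parsing is an assumption about the TOML layout rather than a Poetry API.

```python
"""Audit an environment for the LiteLLM versions named in this thread.

Checks the current interpreter (importlib.metadata), a requirements.txt
body and a poetry.lock body. Sample file contents below are constructed.
"""
import re
from importlib import metadata

PACKAGE = "litellm"
# Versions the thread reports as backdoored.
BAD_VERSIONS = {"1.82.7", "1.82.8"}


def classify(version: str) -> str:
    """Return 'COMPROMISED' for a known-bad version, else 'ok'."""
    return "COMPROMISED" if version.strip() in BAD_VERSIONS else "ok"


def installed_version(pkg: str = PACKAGE):
    """Version of pkg in the current interpreter, or None if not installed."""
    try:
        return metadata.version(pkg)
    except metadata.PackageNotFoundError:
        return None


# Matches 'name==version' at the start of a requirements line (hashes, markers,
# comments and trailing whitespace are ignored).
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;#\\]*)")


def versions_in_requirements(text: str, pkg: str = PACKAGE) -> list:
    """Exact pins (==) of pkg found in a requirements.txt body."""
    found = []
    for line in text.splitlines():
        m = _REQ_LINE.match(line)
        if m and m.group(1).lower().replace("_", "-") == pkg:
            found.append(m.group(2))
    return found


def versions_in_poetry_lock(text: str, pkg: str = PACKAGE) -> list:
    """Versions of pkg in a poetry.lock body ([[package]] TOML tables)."""
    found = []
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        ver = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and ver and name.group(1).lower() == pkg:
            found.append(ver.group(1))
    return found


def audit(requirements_text: str, poetry_lock_text: str) -> dict:
    """Collect every litellm version seen and list the sources that are known-bad."""
    seen = {}
    v = installed_version()
    if v:
        seen["installed"] = v
    for i, r in enumerate(versions_in_requirements(requirements_text)):
        seen[f"requirements.txt#{i}"] = r
    for i, r in enumerate(versions_in_poetry_lock(poetry_lock_text)):
        seen[f"poetry.lock#{i}"] = r
    compromised = sorted(k for k, ver in seen.items() if classify(ver) != "ok")
    return {"seen": seen, "compromised": compromised}


# Constructed sample inputs (not real project files).
SAMPLE_REQUIREMENTS = "requests==2.32.3\nlitellm==1.82.8  # pinned last sprint\n"
SAMPLE_POETRY_LOCK = '''
[[package]]
name = "litellm"
version = "1.82.6"
description = "Library to easily interface with LLM API providers"

[[package]]
name = "requests"
version = "2.32.3"
'''

if __name__ == "__main__":
    result = audit(SAMPLE_REQUIREMENTS, SAMPLE_POETRY_LOCK)
    for where, ver in result["seen"].items():
        print(f"{where}: {PACKAGE}=={ver} -> {classify(ver)}")
    print("compromised sources:", result["compromised"] or "none")
```

Run it in the affected virtualenv and point it at the real lock files; any `COMPROMISED` hit means the remediation in the post (downgrade or upgrade, then rotate credentials) applies to that environment.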

Firewall_Admin_Joe 3/25/2026

We saw this hit one of our staging environments yesterday. Our SCA tool (Snyk) flagged the hash mismatch almost immediately after the updated index synced. It's a good reminder that automated dependency scanning isn't just nice-to-have anymore; it's survival. We've locked our requirements.txt to specific hashes now.

# litellm==1.82.6 is pinned inside requirements.txt together with its --hash=sha256:<digest>;
# an unhashed requirement given on the command line is rejected in --require-hashes mode
pip install --require-hashes -r requirements.txt

Does anyone know if the credential harvester targets generic .env files or specifically cloud provider creds?
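Added example (not code from the post): the check that `--require-hashes` mode performs, written out so the failure cases are visible. It builds hash-pinned lines the way `pip hash` would, parses a requirements body (including backslash continuations), and verifies an artifact's digest against the pinned set. The wheel bytes and requirement lines are constructed stand-ins, not real PyPI artifacts.

```python
"""Verify artifacts against a hash-pinned requirements file.

Mirrors pip's --require-hashes rules: every requirement must carry at
least one --hash, and the downloaded artifact must match one of them.
The artifact bytes and requirement lines here are constructed.
"""
import hashlib
import re
import shlex


def pinned_line(name: str, version: str, artifact: bytes) -> str:
    """Build a pinned requirement line with a sha256 hash (what `pip hash` prints)."""
    return f"{name}=={version} --hash=sha256:{hashlib.sha256(artifact).hexdigest()}"


def parse_requirements(text: str) -> dict:
    """Map 'name==version' -> {algorithm: {digests}} from a requirements body.

    Lines ending in a backslash are joined with the next one, as pip does.
    """
    joined = re.sub(r"\\\n", " ", text)
    pins = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        spec, hashes = tokens[0], {}
        for tok in tokens[1:]:
            if tok.startswith("--hash="):
                algo, digest = tok[len("--hash="):].split(":", 1)
                hashes.setdefault(algo, set()).add(digest.lower())
        pins[spec] = hashes
    return pins


def verify(spec: str, artifact: bytes, pins: dict) -> tuple:
    """Apply the --require-hashes rules to one downloaded artifact."""
    if spec not in pins:
        return False, f"{spec} is not pinned at all"
    hashes = pins[spec]
    if not hashes:
        return False, f"{spec} has no --hash (rejected in --require-hashes mode)"
    for algo, digests in hashes.items():
        if hashlib.new(algo, artifact).hexdigest() in digests:
            return True, f"{spec} matches pinned {algo}"
    return False, f"{spec} HASH MISMATCH: artifact matches no pinned digest"


# Constructed stand-ins for wheel bytes (real wheels would be downloaded).
GOOD_WHEEL = b"litellm-1.82.6-py3-none-any.whl (constructed bytes)"
TAMPERED_WHEEL = b"litellm-1.82.6-py3-none-any.whl (tampered)"

SAMPLE_REQUIREMENTS = "\n".join([
    "# hashes pinned after review",
    pinned_line("litellm", "1.82.6", GOOD_WHEEL),
    "requests==2.32.3 \\",
    "    --hash=sha256:" + hashlib.sha256(b"requests (constructed)").hexdigest(),
    "pyyaml==6.0.2",   # pinned but unhashed: refused in --require-hashes mode
])

if __name__ == "__main__":
    pins = parse_requirements(SAMPLE_REQUIREMENTS)
    for spec, blob in [("litellm==1.82.6", GOOD_WHEEL),
                       ("litellm==1.82.6", TAMPERED_WHEEL),
                       ("pyyaml==6.0.2", b"any bytes")]:
        ok, msg = verify(spec, blob, pins)
        print("PASS" if ok else "FAIL", msg)
```

The second case is the one Joe's SCA tool caught: the pin is present but the artifact served by the index no longer matches it, which is exactly the signal a swapped release produces.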

ICS_Security_Tom 3/25/2026

The K8s lateral movement toolkit is the part that worries me most. If you're running this inside a cluster with overly permissive RBAC (which is unfortunately common), this backdoor owns the cluster. We're enforcing strict network policies now, but you can't rely on that if the malware is already inside the pod. Always check your service account permissions!
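Added example (not from the post): a checker for the permission review Tom is asking for. It reads the JSON that `kubectl get clusterroles,clusterrolebindings -o json` emits and lists every ServiceAccount (or the `system:serviceaccounts` group, which covers all of them) bound to a ClusterRole that grants wildcards or secret reads. The role and binding documents below are constructed; the "broad" criteria are this example's own heuristic, not a Kubernetes API.

```python
"""Flag ServiceAccounts that hold broad cluster-wide RBAC grants.

audit_export() accepts the List document produced by
`kubectl get clusterroles,clusterrolebindings -o json`. The sample
cluster below is constructed.
"""
import json


def role_is_broad(role: dict) -> bool:
    """Heuristic: wildcard verbs/resources, or read access to Secrets."""
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs or "*" in resources:
            return True
        if "secrets" in resources and verbs & {"get", "list", "watch"}:
            return True
    return False


def risky_service_accounts(roles: list, bindings: list) -> list:
    """Return sorted (subject, role) pairs where a ServiceAccount gets a broad ClusterRole."""
    broad = {r["metadata"]["name"] for r in roles if role_is_broad(r)}
    broad.add("cluster-admin")  # built-in super-user role, broad by definition
    findings = []
    for b in bindings:
        role_name = b.get("roleRef", {}).get("name")
        if role_name not in broad:
            continue
        for s in b.get("subjects", []):
            if s.get("kind") == "ServiceAccount":
                findings.append((f"{s.get('namespace', 'default')}/{s['name']}", role_name))
            elif s.get("kind") == "Group" and s["name"].startswith("system:serviceaccounts"):
                # Binding a ClusterRole to this group grants it to every SA in scope.
                findings.append((f"group:{s['name']}", role_name))
    return sorted(findings)


def audit_export(text: str) -> list:
    """Split a kubectl List export into roles and bindings and audit them."""
    items = json.loads(text).get("items", [])
    roles = [i for i in items if i.get("kind") == "ClusterRole"]
    bindings = [i for i in items if i.get("kind") == "ClusterRoleBinding"]
    return risky_service_accounts(roles, bindings)


# Constructed sample cluster (not a real export).
SAMPLE_EXPORT = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "monitoring"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "prom", "namespace": "monitoring"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
]})

if __name__ == "__main__":
    for subject, role in audit_export(SAMPLE_EXPORT):
        print(f"REVIEW: {subject} holds broad ClusterRole {role}")
```

The `prom` account bound to a read-only pod role is deliberately not reported; the point is to surface the bindings a compromised pod could use to move laterally, which is what the ci-runner and the group-wide Secrets grant represent here.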

DNS_Security_Rita 3/25/2026

This reinforces why we need to move to reproducible builds and signing. It's 2026 and we're still downloading unverified blobs from PyPI during CI/CD runs. We started using sigstore verification for our critical internal packages, but it's hard to enforce on every public library. Has anyone successfully blocked PyPI access in their CI runners and forced everything through a private proxy with strict allow-listing?


Thread Stats

Created 3/25/2026
Last Active 3/25/2026
Replies 3
Views 183