The TeamPCP hacking group compromised the popular LiteLLM Python package on PyPI in a supply-chain attack. Malicious versions of LiteLLM (1.82.7 and 1.82.8) were published containing an infostealer that harvests sensitive data such as SSH keys, cloud tokens, Kubernetes secrets, and cryptocurrency wallet information. The injected base64-encoded payload executes on import and deploys a new CanisterWorm backdoor on devices in regions outside Iran. The attack follows similar breaches by TeamPCP targeting Aqua Security's Trivy vulnerability scanner and the Checkmarx KICS project. Sources claim nearly 500,000 data exfiltrations occurred during this attack, although exact numbers are unconfirmed.
This supply-chain attack on LiteLLM has significant implications for system administrators running Python-based services, especially those utilizing cloud infrastructure (AWS, GCP, Azure) and Kubernetes clusters. The exfiltration of SSH keys, cloud tokens, and Kubernetes secrets could lead to unauthorized access and potential lateral movement within networks. For example, a sysadmin managing a Proxmox 7.2-9 cluster with Docker containers running Python applications must immediately rotate credentials and monitor for suspicious activity in the 'kube-system' namespace.
- The compromised LiteLLM versions (1.82.7 and 1.82.8) contain a base64-encoded payload that is executed when the 'proxy_server.py' module is imported, leading to the deployment of a CanisterWorm backdoor on devices outside Iran.
- The malicious code was injected into 'litellm/proxy/proxy_server.py', which decodes and executes the payload. Version 1.82.8 further installs a '.pth' file named 'litellm_init.pth' to ensure persistence, as Python automatically processes all '.pth' files at interpreter startup.
- The infostealer harvests a wide range of sensitive data including SSH keys, cloud tokens (AWS, GCP, Azure), Kubernetes secrets, and cryptocurrency wallet information. The exfiltrated data is encrypted and sent to attacker-controlled domains like models.litellm[.]cloud.
- Organizations are advised to immediately rotate all credentials used in environments where compromised LiteLLM versions were installed. This includes SSH keys, cloud tokens, Kubernetes secrets, and environment files such as `.env` and its variants.
- Sysadmins should search for persistence artifacts like '~/.config/sysmon/sysmon.py' and related systemd services. Monitor systems for suspicious files such as '/tmp/pglog' and '/tmp/.pg_state', and review Kubernetes clusters for unauthorized pods in the 'kube-system' namespace.
This attack impacts homelab stacks running Python applications, particularly those using LiteLLM versions 1.82.7 or 1.82.8. Sysadmins should verify their Python environment to ensure these malicious versions are not installed and check for persistence mechanisms such as '.pth' files and systemd services.
- Check whether LiteLLM 1.82.7 or 1.82.8 is installed using `pip list | grep litellm`. If either is found, immediately pin the package back to version 1.82.6 with `pip install --upgrade litellm==1.82.6`.
- Rotate all exposed credentials including SSH keys, cloud tokens (AWS, GCP, Azure), Kubernetes secrets, and environment files such as `.env`. Use tools like `ssh-keygen -t rsa -b 4096` to generate new SSH keys.
- Search for persistence artifacts using commands like `find ~/.config/sysmon/ -name 'sysmon.py'` and `systemctl --user list-unit-files | grep sysmon`, and check for the suspicious files `/tmp/pglog` and `/tmp/.pg_state`.
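
The checks above, combined into one sweep as an added example (not code from the original write-up or from the LiteLLM project). It inspects the filesystem only and never starts Python or pip, because the `.pth` hook runs at interpreter startup. The `dist-info` directory layout, the `~/.config/systemd/user` unit location, the `*sysmon*` name pattern and the function names are assumptions.

```shell
#!/bin/sh
# Added example: filesystem-only sweep for the indicators listed above.
# It never starts python or pip, so a planted .pth file is not executed by the scan.

# Prefix every path read on stdin with a finding type.
tag() { while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done; }

# list_litellm_iocs HOME_DIR TMP_DIR SEARCH_ROOT...
# Prints one "TYPE<TAB>PATH" line per indicator found.
list_litellm_iocs() {
    home_dir=$1; tmp_dir=$2; shift 2
    for root in "$@"; do
        [ -d "$root" ] || continue
        # Install metadata of the two malicious releases (assumes pip's
        # standard <site-packages>/litellm-<version>.dist-info layout).
        find "$root" -type d \( -name 'litellm-1.82.7.dist-info' \
            -o -name 'litellm-1.82.8.dist-info' \) 2>/dev/null | tag malicious-release
        # Startup hook dropped by 1.82.8.
        find "$root" -type f -name 'litellm_init.pth' 2>/dev/null | tag pth-persistence
    done
    # Persistence script and suspicious /tmp files named on the page.
    for p in "$home_dir/.config/sysmon/sysmon.py" "$tmp_dir/pglog" "$tmp_dir/.pg_state"; do
        if [ -e "$p" ]; then printf 'artifact\t%s\n' "$p"; fi
    done
    # User-level systemd units whose name contains "sysmon" (the name pattern is
    # an assumption mirroring the page's `grep sysmon`).
    if [ -d "$home_dir/.config/systemd/user" ]; then
        find "$home_dir/.config/systemd/user" -name '*sysmon*' 2>/dev/null | tag systemd-unit
    fi
}

# Returns 1 when any indicator is present, so the sweep can gate a cron alert.
scan_litellm_iocs() {
    findings=$(list_litellm_iocs "$@")
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Runs only when search roots are given, e.g.:
#   sh sweep.sh /usr/lib /usr/local/lib /opt "$HOME"
if [ "$#" -gt 0 ]; then scan_litellm_iocs "$HOME" /tmp "$@"; fi
```

Any finding means the host's credentials should be treated as exposed and rotated as described above; a clean sweep covers only the search roots passed in, so include every virtualenv and container image layer that may hold a Python install.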