10 Critical Facts About the TeamPCP Supply Chain Attack That Weaponized LiteLLM
Forcepoint X-Labs reports TeamPCP supply chain attack on LiteLLM, turning two malicious releases into credential stealers targeting cloud and AI environments. Learn the attack details, impact, and how to defend.
In a recent disclosure, Forcepoint X-Labs revealed a sophisticated supply chain attack orchestrated by the threat group known as TeamPCP. The attack targeted LiteLLM, a popular open-source Python library that acts as a unified gateway to over 100 large language model (LLM) providers. By injecting malicious code into two releases of the package, the attackers turned a trusted tool into a credential stealer, specifically aimed at cloud and AI environments. This article breaks down the 10 most important things you need to know about this incident, from the attack methodology to mitigation strategies.
1. What is LiteLLM and Why It Was Targeted
LiteLLM is a lightweight Python library designed to simplify interactions with multiple LLM providers, including OpenAI, Anthropic, Google, and others. It provides a unified API wrapper, making it a critical component for developers building AI applications. However, its widespread adoption also made it an attractive target for supply chain attacks. By compromising LiteLLM, attackers could gain access to API keys and credentials used by thousands of organizations, which could then be exploited to steal sensitive data or launch further attacks against cloud infrastructures.

2. The Attackers: TeamPCP
TeamPCP is a relatively unknown but technically adept threat group that specializes in supply chain compromises. They often focus on open-source packages with a large user base, leveraging code injection techniques to distribute malware. In this case, they managed to infiltrate the LiteLLM development workflow and publish two malicious versions (v2.2.0 and v2.3.0) to the official PyPI repository. Their modus operandi includes credential harvesting and lateral movement within cloud environments, making them a significant threat to AI pipelines.
3. How the Supply Chain Attack Worked
The attack followed a classic supply chain compromise pattern: the attackers gained unauthorized access to the LiteLLM GitHub repository or maintainer credentials, then pushed malicious commits. They introduced code that, during package installation, would exfiltrate environment variables, API keys, and other sensitive data to an external command-and-control server. The malicious code was obfuscated to evade detection by static analysis tools. Because the payload ran at install time rather than at first use, every system that installed one of the tainted releases was compromised, whether or not the library was ever imported.
4. Timeline of the Incident
Forcepoint’s investigation pinpoints the initial compromise to late September 2023. The two malicious releases were published on PyPI shortly after, remaining available for several days before being removed. The attack was discovered when users reported unusual network traffic and failed authentication attempts. Forcepoint X-Labs analyzed the malicious packages and confirmed the credential theft functionality. The incident was disclosed in early October, emphasizing the need for timely patch management and repository monitoring.
5. Credential Theft Mechanism
The injected code in LiteLLM primarily targeted cloud provider credentials stored in environment variables (e.g., AWS_ACCESS_KEY_ID, AZURE_CLIENT_SECRET) and LLM API keys. It also scanned for common configuration files and databases. The stolen data was encrypted and transmitted via HTTPS to a remote server controlled by TeamPCP. Due to the library's integration with AI workflows, attackers could harvest credentials not just for LiteLLM but also for downstream cloud services, thereby expanding the attack surface.
6. Impact on Cloud and AI Environments
Because LiteLLM is used as a gateway to LLMs, any organization that deployed the compromised versions risked exposing their entire AI infrastructure. Stolen credentials could allow TeamPCP to access cloud storage, computational resources, and training data. Additionally, the attackers could perform supply chain propagation—using compromised cloud accounts to distribute malware further. The incident highlights the systemic risk of relying on third-party open-source components in AI pipelines.

7. Detection and Response Recommendations
Forcepoint advises organizations to immediately check their usage of LiteLLM versions 2.2.0 and 2.3.0, including pinned versions in lock files and container images, not just what is installed on developer machines. They should rotate all API keys and cloud credentials that might have been exposed. Network monitoring should focus on anomalous outbound connections to unknown IP addresses, particularly those originating during package installation. Tools like dependency scanners and runtime integrity checks can help detect similar tampering. For more details, see Forcepoint's full report on the attack. Implementing package signing and verifying checksums from trusted sources is also critical.
8. Broader Implications for Open-Source Security
This incident underscores the growing risk of supply chain attacks in the open-source ecosystem. As AI adoption accelerates, attackers are increasingly targeting infrastructure components like LiteLLM. The lack of mandatory code review and the speed of automated package publication create vulnerabilities. Organizations must adopt a “zero trust” approach to dependencies, validate provenance, and maintain an inventory of all open-source tools. Community efforts like PyPI’s two-factor authentication and security audits are steps in the right direction.
9. Lessons Learned for AI Developers
AI developers should treat any package that handles credentials with extra scrutiny. Best practices include sourcing secrets from a vault service rather than long-lived environment variables, limiting API key scopes, and applying least-privilege principles. Regularly updating dependencies and monitoring for advisories is essential. For LiteLLM specifically, the library’s maintainers have since released a fixed version (2.3.1) and improved their security posture. Developers should upgrade immediately and verify package integrity via cryptographic hashes.
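To operationalize the checks in sections 7 and 9, the following is an added example (not code from Forcepoint's report or from the LiteLLM project): it flags the two affected releases in the running environment or a pinned requirements file, lists the credential-like environment variable names that would need rotation, and verifies an artifact's SHA-256 against a hash obtained from a trusted source before installation. The affected-version set, the credential-name pattern, and the `name==version` requirements format are assumptions made here.

```python
"""Added example (not Forcepoint's or the LiteLLM project's code): flag the LiteLLM
releases the report names, build the credential-rotation list from an environment,
and verify an artifact hash obtained from a trusted source before installing."""
import hashlib
import hmac
import os
import re
from importlib import metadata

AFFECTED_VERSIONS = {"2.2.0", "2.3.0"}  # releases the report names as malicious
FIXED_VERSION = "2.3.1"                 # fixed release cited in the report

_REQ_LINE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.-]+)\s*==\s*(?P<ver>[0-9][0-9A-Za-z.]*)")
# Credential-like variable names; an assumed pattern, extend it for your providers.
_SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|API_KEY|ACCESS_KEY", re.I)

def installed_version(dist="litellm"):
    """Version of a distribution in this interpreter, or None if it is absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None

def is_affected(version):
    return version in AFFECTED_VERSIONS

def audit_requirements(text):
    """Return the litellm pins in requirements text that match an affected release."""
    hits = []
    for line in text.splitlines():
        m = _REQ_LINE.match(line)
        if m and m.group("name").lower().replace("_", "-") == "litellm":
            if is_affected(m.group("ver")):
                hits.append(m.group("ver"))
    return hits

def credential_env_names(env=None):
    """Names (never values) of credential-like variables: the set to rotate."""
    env = os.environ if env is None else env
    return sorted(k for k in env if _SECRET_NAME.search(k))

def verify_sha256(data, expected_hex):
    """Constant-time comparison of an artifact's SHA-256 with a trusted hash."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())

if __name__ == "__main__":
    v = installed_version()
    print("litellm", v, f"AFFECTED, upgrade to {FIXED_VERSION}" if is_affected(v) else "ok")
    print("rotate:", credential_env_names())
```

Run it inside the virtual environment or container image under review; for a requirements or lock file, pass its text to audit_requirements.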
10. Future Outlook: Securing the AI Supply Chain
The TeamPCP attack on LiteLLM is a wake-up call for the entire AI industry. It demonstrates that even well-maintained open-source projects are not immune to compromise. Going forward, we can expect increased investment in automated vulnerability scanning, reproducible builds, and collaborative threat intelligence sharing. Organizations that rely on AI tooling must incorporate supply chain security into their risk management framework. The lessons from this attack will shape better defenses against future incidents.
In conclusion, the Forcepoint report on the TeamPCP supply chain attack against LiteLLM reveals a sophisticated operation that turned a trusted library into a credential stealer. By understanding the attack vector, impact, and mitigation steps, organizations can better protect their AI and cloud assets. This incident reinforces the critical need for vigilance in the open-source ecosystem—especially as AI continues to integrate into core business processes.