GoKawiilThe TeamPCP hacking group continues its supply-chain rampage, now compromising the massively popular "LiteLLM" Python package on PyPI and claiming to have stolen data from hundreds of thousands of devices during the attack.
LiteLLM is an open-source Python library that serves as a gateway to multiple large language model (LLM) providers via a single API. The package is very popular, with over 3.4 million downloads a day and over 95 million in the past month.
According to research by Endor Labs, threat actors compromised the project and published malicious versions of LiteLLM 1.82.7 and 1.82.8 to PyPI today that deploy an infostealer that harvests a wide range of sensitive data.
The attack has been claimed by TeamPCP, a hacking group that was behind the recent high-profile breach of Aqua Security's Trivy vulnerability scanner. That breach is believed to have led to cascading compromises that impacted Aqua Security Docker images, Checkmarx KICS project, and now LiteLLM.
The group has also been found targeting Kubernetes clusters with a malicious script that wipes all machines when it detects systems configured for Iran. Otherwise, it installs a new CanisterWorm backdoor on devices in other regions.
Sources have told BleepingComputer the number of data exfils is approximately 500,000, with many being duplicates. VX-Underground reports a similar number of 'infected devices."
However, BleepingComputer has not been able to confirm those numbers independently.
LiteLLM supply chain attack
Endor Labs reports that threat actors pushed out two malicious versions of LiteLLM today, each containing a hidden payload that executes when the package is imported.
The malicious code was injected into 'litellm/proxy/proxy_server.py' [VirusTotal] as a base64 encoded payload, which is decoded and executed whenever the module is imported.
... continue reading