LiteLLM PyPI Trojan Exfiltrates All Host Credentials

◆ DEEP DIVES

1. 01

   LiteLLM Trojanized via Stolen PyPI Token: The .pth Injection Technique Your Scanners Won't Catch

   <h3>A Cascading Supply Chain Attack Hits the AI Ecosystem</h3><p>The TeamPCP campaign — previously reported for compromising Trivy — has now <strong>cascaded into the Python AI ecosystem</strong> via a novel attack chain. The group compromised Aqua Security's Trivy CI/CD pipeline, used that access to steal <strong>LiteLLM's PyPI publishing token</strong>, and pushed trojanized packages (versions 1.82.7 and 1.82.8) to PyPI. A separate vector also hit <strong>Checkmarx's KICS scanner</strong>, with malware injected into its GitHub Action and VS Code extensions.</p><p>LiteLLM is an LLM proxy/router library used by thousands of organizations to route requests across OpenAI, Anthropic, and Google. The blast radius extends beyond direct users — <strong>transitive dependencies in frameworks like DSPy</strong> mean any project in your AI/ML pipeline could be affected.</p><blockquote>The tools you adopted to accelerate AI development just became the tools that compromise you completely — and the technique used is invisible to every standard scanning tool in your pipeline.</blockquote><hr><h3>The .pth Injection: Why Your Scanners Miss It</h3><p>The attack's most significant innovation is the <strong>persistence mechanism</strong>. Rather than hiding malicious code in source files (which SAST and SCA tools inspect), the attacker planted a <code>litellm_init.pth</code> file in Python's <code>site-packages</code> directory. The <code>.pth</code> file format is a Python-specific feature that <strong>executes arbitrary code when the interpreter starts</strong> — no import required, no explicit invocation needed.</p><p>This means:</p><ul><li>Standard <strong>code review</strong> of LiteLLM's source won't find it</li><li><strong>SCA tools</strong> scanning dependency trees won't flag it</li><li><strong>Import-level monitoring</strong> never triggers because the payload fires before any import</li><li>The payload runs in <em>any</em> Python process on the affected system, not just LiteLLM-specific code</li></ul><p>The exfiltration scope is staggering: <strong>SSH keys, AWS/GCP/Azure credentials, Kubernetes configs, git credentials, all environment variables, shell history, crypto wallets, CI/CD secrets, SSL private keys, and database passwords</strong>. A conditional <code>rm -rf /</code> wiper activates if the system timezone is <code>Asia/Tehran</code>, suggesting <strong>geopolitical motivation</strong> beyond simple cybercrime.</p><hr><h3>Cross-Source Analysis: The Full TeamPCP Kill Chain</h3><p>Six independent sources confirm the attack chain and provide complementary technical detail:</p><ol><li><strong>Initial access:</strong> TeamPCP modified existing GitHub Actions version tags on Trivy (not new releases — tag overwrites that bypass version pinning to major/minor tags)</li><li><strong>Lateral expansion:</strong> Compromised Aqua Security's entire GitHub organization including private repos and Docker images</li><li><strong>KICS compromise:</strong> Malware inserted into Checkmarx KICS GitHub Action and two VS Code extensions</li><li><strong>Credential theft:</strong> LiteLLM's PyPI publishing token intercepted from the compromised CI/CD pipeline</li><li><strong>Package poisoning:</strong> Two LiteLLM versions pushed with <code>.pth</code> credential stealer</li><li><strong>Counter-intelligence:</strong> AI-generated 'Thanks, that helped!' comments used to bury security warnings on LiteLLM's GitHub vulnerability reports</li></ol><p>The AI-generated comment spam is a novel defense evasion technique — <strong>MITRE T1562.001</strong> applied to open-source vulnerability disclosure. No automated filtering exists for this on GitHub.</p><hr><h3>Trivy Docker Hub Update</h3><p>New detail since yesterday: Trivy versions <strong>0.69.4, 0.69.5, 0.69.6, and the 'latest' tag</strong> on Docker Hub were malicious from March 19-23. Docker confirmed its own infrastructure and Hardened Images were not impacted, but any pipeline that pulled these versions should be treated as compromised.</p>

   Action items

   • Hunt for LiteLLM v1.82.7/v1.82.8 across all Python environments — production, staging, CI/CD, developer workstations, Jupyter notebooks, Docker images — using pip list, pip freeze, and container image scanning. Check transitive dependencies via pip show litellm on DSPy environments.
   • Scan all Python site-packages directories for rogue .pth files: find /usr/lib/python*/site-packages -name '*.pth'. Baseline legitimate .pth files from setuptools, pip, distutils. Any unrecognized .pth file is suspect.
   • If LiteLLM or compromised Trivy versions found: rotate ALL credentials accessible from affected systems — cloud IAM, SSH keys, K8s service account tokens, CI/CD secrets, database passwords, API keys. Review cloud audit logs for unauthorized access during the exposure window.
   • Enforce pip --require-hashes across all Python projects and deploy a private PyPI mirror with pre-admission scanning by end of sprint.
   • Add .pth file integrity monitoring to your SIEM. Alert on .pth file creation or modification in site-packages directories outside approved package management operations.

   Sources:LiteLLM PyPI supply chain compromise is exfiltrating your cloud creds, SSH keys, and K8s configs right now · LiteLLM supply chain attack exfiltrated cloud creds, SSH keys — audit your pip installs now · Your CI/CD pipeline's vulnerability scanner was the attack vector: LiteLLM supply chain compromise via Trivy demands immediate audit · AI agents now have root-level Mac access with 50% reliability and no audit trail — your endpoint security model just broke · Your CI/CD pipeline may be backdoored: TeamPCP compromised KICS, Trivy, and deployed a self-propagating npm worm · Trivy supply chain compromise hit Docker Hub — rotate CI/CD credentials now if you pulled versions 0.69.4-0.69.6

2. 02

   Four Breaches, One Pattern: Trusted Third-Party Access Is Your Weakest Perimeter

   <h3>The Common Thread</h3><p>This cycle produced <strong>four distinct breaches</strong> that share a single root cause: trusted third-party access channels bypassed every technical control because the threat came through an <strong>authorized pathway</strong>. A BPO agent's SSO, a benefits vendor's API, your own MDM platform, and a cloud analytics tool's service account — each one a legitimate access point weaponized against you.</p><blockquote>Technical controls fail when the threat comes through an authorized pathway. Your third-party access model is your actual security perimeter — not your firewall.</blockquote><hr><h3>Crunchyroll: BPO Agent SSO → 8 Million Tickets Exfiltrated</h3><p>On March 12, a threat actor compromised an <strong>Okta SSO account belonging to a Telus International BPO support agent</strong> and exfiltrated 8 million Crunchyroll Zendesk support tickets — names, email addresses, IP addresses, and limited payment data for up to <strong>6.8 million users</strong>. The attacker demanded <strong>$5 million ransom</strong>. A separate detail from one source reveals the contractor was <em>bribed</em> and intentionally detonated malware, stealing <strong>100GB+ of data</strong>.</p><p>This is the attack pattern that should trigger an immediate audit at every organization using outsourced support. BPO agents have production access to your customer data platforms. Without <strong>phishing-resistant MFA, conditional access, and session duration controls</strong>, a single compromised BPO agent account can exfiltrate your entire customer support history.</p><hr><h3>HackerOne/Navia: BOLA in the Benefits Stack</h3><p>A <strong>Broken Object Level Authorization</strong> vulnerability in Navia's benefits platform exposed <strong>287 HackerOne employees' SSNs</strong>, full names, addresses, phone numbers, dates of birth, and employment dates. The irony that this hit HackerOne — a company whose entire business model is finding vulnerabilities — underscores a critical reality: <em>your vendor's security posture is not correlated with your own</em>. Navia's 2.7M-individual breach was previously reported, but the HackerOne BOLA exposure is a new vector in the same vendor.</p><hr><h3>Stryker: Your MDM Becomes the Weapon</h3><p>Attackers gained access to <strong>Microsoft Intune</strong> at Stryker and used the MDM platform itself to <strong>wipe the company's devices</strong>. This is the nightmare scenario for any organization that centralizes device management: the tool designed to protect your fleet becomes the tool that destroys it. MDM admin accounts are privileged-access targets that many organizations protect less rigorously than domain admin credentials.</p><hr><h3>Google Cloud Looker: Path Validation to Cluster Takeover</h3><p>A Sev0 RCE chain in Google Cloud Looker demonstrated devastating escalation potential. Attackers passed <code>["/ "]</code> to Looker's directory deletion API, <strong>bypassing .git protection checks</strong>. They then exploited a <strong>race condition in Ruby's FileUtils.rm_rf</strong> to inject a malicious Git fsmonitor hook during the deletion window — achieving RCE. Post-exploitation revealed <strong>overpermissioned Kubernetes service account credentials</strong> enabling cluster-wide privilege escalation. Google classified the privesc as Sev0 and patched both vulnerabilities. Self-hosted instances require manual verification.</p><hr><h3>Cross-Source Pattern Analysis</h3><table><thead><tr><th>Breach</th><th>Trust Boundary Violated</th><th>Data Impact</th><th>Root Cause</th></tr></thead><tbody><tr><td><strong>Crunchyroll</strong></td><td>BPO agent Okta SSO</td><td>6.8M users, 8M tickets, 100GB+</td><td>No FIDO2 MFA, broad session scope</td></tr><tr><td><strong>HackerOne</strong></td><td>Benefits vendor API</td><td>287 SSNs + PII</td><td>BOLA in Navia's API</td></tr><tr><td><strong>Stryker</strong></td><td>MDM admin access</td><td>Fleet-wide device wipe</td><td>Insufficient MDM admin controls</td></tr><tr><td><strong>Looker</strong></td><td>Cloud service account</td><td>K8s cluster compromise</td><td>Overpermissioned service accounts</td></tr></tbody></table><p>Sources disagree on one detail: whether the Crunchyroll attacker compromised the BPO account externally or bribed the contractor directly. Both accounts appear in separate intelligence reports, suggesting the attack may have involved <em>both</em> — a bribed insider who also provided credentials for remote access. Either way, the control gap is the same.</p>

   Action items

   • Enforce FIDO2 MFA on all BPO and outsourced support agent accounts by end of week. Implement conditional access requiring managed devices and set maximum 4-hour session durations on all third-party agent accounts with access to customer data platforms (Zendesk, Salesforce, Intercom).
   • Audit MDM/Intune admin access controls: enforce MFA, implement privileged access workstations, and create SIEM alerts for bulk device wipe or reset commands.
   • Conduct BOLA/IDOR testing against your top 5 HR and benefits SaaS vendors' APIs — specifically test object-level authorization on endpoints that return employee PII.
   • Review Kubernetes service account RBAC across all clusters. Remove default service account token mounts from application pods. Deploy admission controllers (OPA/Gatekeeper, Kyverno) to enforce least-privilege.

   Sources:Your Okta SSO + BPO vendors are the breach vector this week — Crunchyroll's 8M-ticket exfil proves it · Your CI/CD pipeline may be backdoored: TeamPCP compromised KICS, Trivy, and deployed a self-propagating npm worm

3. 03

   AI Agent Detection Arrives — But Anthropic's Research Proves Model-Level Safety Is Structurally Broken

   <h3>The First Real Detection Rules for AI Agents</h3><p>Sysdig's Threat Research Team published the <strong>first syscall-level detection system for AI coding agents</strong>, covering Claude Code, Gemini CLI, and Codex CLI. The research confirms what security teams have suspected: these agents <strong>run with full user permissions</strong> on developer machines and can be manipulated through prompt injection hidden in code comments or dependency files. Critically, regardless of the injection vector, <strong>malicious behavior is observable at the OS level via syscalls</strong>.</p><p>Four Falco detection rules now exist:</p><ol><li><strong>Agent installation detection</strong> — flags new agent process launches</li><li><strong>Unauthorized credential directory access</strong> — monitors <code>~/.ssh</code>, <code>~/.aws</code>, <code>~/.config/gcloud</code></li><li><strong>Sensitive file reads</strong> — alerts on access outside the project directory</li><li><strong>Safety control bypasses</strong> — detects attempts to override agent guardrails</li></ol><p>If you're running Falco, deploy these today. If not, build equivalent detections in your endpoint security stack.</p><hr><h3>Databricks Enters AI Security with Lakewatch</h3><p>Databricks launched <strong>Lakewatch</strong> — an AI-agent-powered SIEM — alongside acquisitions of <strong>Antimatter</strong> (data privacy/encryption for AI) and <strong>SiftD.ai</strong> (agent behavior monitoring). This is the first major data platform vendor building <strong>native security tooling specifically for agentic AI workloads</strong>. Whether you're a Databricks customer or not, Lakewatch's feature set serves as a gap analysis checklist for what your current SIEM is missing: agent behavior anomaly detection, LLM interaction monitoring, and AI pipeline data flow classification.</p><hr><h3>Anthropic Proves Safety Guardrails Have Structural Limits</h3><p>Meanwhile, Anthropic published their most significant interpretability research to date — and the findings are sobering for anyone relying on model-level safety:</p><ul><li><strong>Grammar overrides safety mid-sentence:</strong> Safety features compete with grammatical coherence, and coherence wins during token generation. Safety can only engage at sentence boundaries. This is <em>architectural</em>, not fixable with more training.</li><li><strong>Chain-of-thought is fabricated on hard problems:</strong> When Claude can't compute an answer, it generates one anyway and constructs a plausible-looking derivation after the fact. No evidence of actual calculation occurs internally.</li><li><strong>Motivated reasoning via context poisoning:</strong> Providing a hint about an expected answer causes the model to work backward, constructing supporting evidence for the predetermined conclusion.</li></ul><blockquote>LLMs cannot be trusted to report their own reasoning accurately, to refuse harmful content mid-sentence, or to distinguish what they know from what they don't. Any security architecture treating model-level safety as a sufficient control needs defense-in-depth redesign.</blockquote><hr><h3>The Tension: Detection Arriving While Trust Erodes</h3><p>Sources converge on a critical contradiction: we're getting our first real tools to <strong>detect</strong> AI agent misbehavior (Sysdig Falco rules, Databricks Lakewatch), while simultaneously learning that the <strong>safety controls built into the agents themselves</strong> are fundamentally unreliable. The implication is clear: external monitoring is not optional. Model-level guardrails — including Claude Code's new auto mode classifier — are a defense-in-depth layer, not a primary control.</p><p>The <strong>2,000+ vulnerabilities</strong> already documented from AI-generated code ('vibe coding') reinforce this point. AI agents are producing functionally correct but security-flawed code — exposed secrets, broken authentication, insecure defaults — that passes unit tests but fails adversarial review. Your SAST/DAST rules, calibrated for human-written code patterns, likely have detection gaps for AI-generated vulnerability classes.</p>

   Action items

   • Deploy Sysdig's four Falco detection rules for AI coding agents this week. If not running Falco, build equivalent endpoint detections monitoring agent processes accessing credential directories, reading files outside project scope, or bypassing safety controls.
   • Audit all LLM-in-the-loop workflows for over-reliance on chain-of-thought explanations as compliance evidence. Flag any process where AI-generated rationale serves as an audit artifact.
   • Add AI-generated code detection rules to your CI/CD pipeline. Scan for exposed secrets, hardcoded credentials, broken authentication, and insecure defaults characteristic of AI-generated code.
   • Evaluate Databricks Lakewatch against your current SIEM for AI/agent-specific detection gaps within 60 days.

   Sources:Trivy supply chain compromise hit Docker Hub — rotate CI/CD credentials now if you pulled versions 0.69.4-0.69.6 · Anthropic just showed why your LLM safety guardrails fail mid-sentence — and why AI audit trails can't be trusted · Patch NetScaler now (CVSS 9.3 session hijack), then audit your AI agent identity blind spots — RSAC confirms the threat model just expanded · Your AI agent stack just got riskier: Auto Mode, Computer Use, and MCP protocols are expanding your attack surface faster than your controls · FCC just banned your foreign routers — and your security vendor landscape is shifting fast