In a significant supply chain breach, the threat group TeamPCP compromised the popular Python package LiteLLM by publishing malicious versions 1.82.7 and 1.82.8. The malicious releases carried a credential harvester, a lateral-movement toolkit for Kubernetes, and a persistent backdoor. The discovery, made by security firms Endor Labs and JFrog, also highlights the risks of using Trivy within Continuous Integration and Continuous Deployment (CI/CD) workflows. Both compromised versions have since been removed from PyPI.
Details of the LiteLLM Security Breach
The payload works in three stages, as described by Endor Labs researcher Kiran Raj. First, it harvests sensitive data such as SSH keys, cloud credentials, Kubernetes secrets, and cryptocurrency wallets. Second, it uses a Kubernetes toolkit to deploy privileged pods across nodes. Finally, it installs a persistent systemd backdoor that polls a remote server for additional binaries.
The harvested data is encrypted and sent over HTTPS to a command-and-control domain. In version 1.82.7, the malicious code was placed in the proxy server file and executed on module import. Version 1.82.8 went further, embedding a .pth file at the package’s root so that the code runs at every Python process startup.
Enhanced Threats in Updated Versions
Version 1.82.8 took a more aggressive approach: its .pth launcher spawns a Python subprocess that runs the malicious code in the background. According to Endor Labs, .pth files in Python’s site-packages are processed automatically by the interpreter, which makes them a potent vector for attackers.
The payload’s final stage runs a credential harvester and a persistence dropper. The dropper uses any available Kubernetes service account token to take control of every node in the cluster and then installs itself as a systemd user service. That service checks a remote server for updates every 50 minutes and includes a kill switch that aborts execution when specific conditions are met.
Ongoing Supply Chain Attack Concerns
This incident is part of a broader, escalating series of attacks by TeamPCP, who have repeatedly compromised environments to gather credentials for further attacks. The group’s deliberate shift from CI/CD environments to live production systems marks a significant escalation in their campaign.
TeamPCP has been openly communicating about their actions and intentions through various channels, indicating a sustained effort to disrupt and exploit security tools and developer infrastructures. They have warned of continued attacks on popular security tools and open-source projects.
Security experts recommend users audit their systems for the affected LiteLLM versions, isolate compromised hosts, and inspect Kubernetes clusters for unauthorized pods. Network logs should be reviewed for suspicious traffic, and any persistent backdoors should be removed. Additionally, CI/CD pipelines should be scrutinized for similar vulnerabilities, and all exposed credentials should be revoked and rotated.
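The two checks a defender would run first after reading the sections above (the .pth mechanism and the audit recommendations) can be scripted. The following is an added example written for this article; it is not code from LiteLLM, Endor Labs, JFrog or the article itself. It assumes only the Python standard library and the two version numbers the report names; the sample .pth content inside it is constructed for illustration. It flags installed litellm distributions matching the pulled releases, and it lists every line in site-packages .pth files that the interpreter will execute at startup (the `site` module exec()s any line beginning with `import `), marking lines that call into process-spawning or network modules for a human to review.

```python
"""Post-incident audit helper (added example, not from the article or LiteLLM).

1. Is the installed litellm one of the two compromised releases?
2. Which .pth lines in site-packages execute code at interpreter start?
"""
import site
from importlib import metadata
from pathlib import Path

# Versions named in the report.
AFFECTED_VERSIONS = {"1.82.7", "1.82.8"}

# Calls that a legitimate path-hook rarely needs; presence is a review flag,
# not proof of compromise.
SUSPICIOUS_TOKENS = (
    "exec(", "eval(", "subprocess", "os.system", "base64",
    "socket", "urllib", "requests", "compile(",
)


def is_affected_version(version: str) -> bool:
    """True if the version string is one of the pulled LiteLLM releases."""
    return version.strip() in AFFECTED_VERSIONS


def installed_litellm_version():
    """Installed litellm version, or None if the package is absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def executable_pth_lines(pth_text: str) -> list:
    """Return (line_number, text, suspicious) for every executable .pth line.

    site.addpackage() appends ordinary lines to sys.path but exec()s any
    line starting with 'import ' or 'import\\t'; comments and blanks are
    skipped. That exec is the startup hook the 1.82.8 release abused.
    """
    hits = []
    for lineno, line in enumerate(pth_text.splitlines(), start=1):
        if line.startswith(("import ", "import\t")):
            suspicious = any(tok in line for tok in SUSPICIOUS_TOKENS)
            hits.append((lineno, line, suspicious))
    return hits


def scan_site_packages(dirs=None) -> list:
    """Scan every .pth file in the given (or the default) site-packages dirs."""
    if dirs is None:
        dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            try:
                text = pth.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            for lineno, line, suspicious in executable_pth_lines(text):
                findings.append((str(pth), lineno, line, suspicious))
    return findings


# Constructed sample .pth content: one benign path entry, one ordinary
# path-extending import line, and one line that spawns a subprocess.
SAMPLE_PTH = (
    "/opt/legit-package\n"
    "import sys; sys.path.append('/opt/extra')\n"
    "# a comment line is ignored by site.py\n"
    "import subprocess; subprocess.Popen(['/tmp/x'])\n"
)


def audit_sample() -> list:
    """Run the .pth analysis over the constructed sample (for demonstration)."""
    return executable_pth_lines(SAMPLE_PTH)


if __name__ == "__main__":
    ver = installed_litellm_version()
    if ver is None:
        print("litellm: not installed")
    else:
        status = "AFFECTED" if is_affected_version(ver) else "not a pulled release"
        print(f"litellm {ver}: {status}")
    for path, lineno, line, suspicious in scan_site_packages():
        flag = "REVIEW" if suspicious else "ok"
        print(f"[{flag}] {path}:{lineno}: {line}")
```

A clean `REVIEW` list is not a clean bill of health: the report describes a systemd user service and privileged Kubernetes pods as well, so the host-level and cluster-level checks in the recommendations above still apply; this script only covers the two package-level findings.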
Gal Nagli of Wiz highlighted the cascading nature of these attacks, drawing attention to the broader implications for the open-source supply chain. As one compromise leads to another, there’s a pressing need for enhanced vigilance and proactive security measures in the community.
