## What happened

Security researchers report that threat actor **TeamPCP** published compromised versions of the popular **LiteLLM** Python package to PyPI. The malicious releases were designed to steal credentials and establish persistence, with additional tooling aimed at Kubernetes environments.

## Why it matters

Supply-chain attacks on developer tooling can spread quickly because packages are pulled automatically via CI/CD and dependency managers. A single poisoned dependency can impact many downstream apps and environments, including production clusters.

## Key details (from reporting)

- Affected releases: **LiteLLM 1.82.7 and 1.82.8** (removed from PyPI after discovery).

- Reported capabilities include credential harvesting and post-compromise tooling that can assist lateral movement in Kubernetes.

- The incident is part of a broader TeamPCP campaign that has targeted CI/CD components and security tooling.

## What to do now (practical steps)

1. **Identify exposure**: search lockfiles/build logs for LiteLLM 1.82.7/1.82.8.

2. **Pin and upgrade**: move to a known-good version and pin dependencies.

3. **Rotate secrets**: treat CI secrets, cloud keys, and kubeconfigs used during installs as potentially exposed.

4. **Audit CI/CD**: review recent pipeline runs, outbound connections, and unusual systemd services on build agents.

5. **Harden supply chain**: enable dependency allowlists, artifact integrity checks, and SBOM scanning for builds.
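One way to carry out step 1, as an added example that is not from the reporting or the LiteLLM project: a scanner that flags references to the two affected releases across requirements pins, `poetry.lock`/`uv.lock` and `Pipfile.lock` entries, and pip lines in build logs. The sample input, the hash placeholder and the `my-litellm-wrapper` package name are constructed for illustration.

```python
import re
import sys
from pathlib import Path

AFFECTED = {"1.82.7", "1.82.8"}  # releases named in the key details above
# Start of a lock-file entry (poetry.lock / uv.lock TOML, Pipfile.lock JSON).
ENTRY = re.compile(r'^\s*(?:\[\[package\]\]|name\s*=|"[^"]+"\s*:\s*\{)')
NAME = re.compile(r'(?i)^\s*(?:name\s*=\s*"litellm"|"litellm"\s*:\s*\{)')
VERSION = re.compile(r'^\s*"?version"?\s*[=:]\s*"(?:==)?([^"]+)"')
# requirements.txt / pip freeze pin, with optional extras: litellm[proxy]==X
PIN = re.compile(r'(?i)(?<![\w.-])litellm(?:\[[^\]]*\])?\s*===?\s*([0-9][\w.!+]*)')
# Artifact names in build logs: litellm-X-py3-none-any.whl, litellm-X.tar.gz
ARTIFACT = re.compile(r'(?i)(?<![\w.-])litellm-([0-9][\w.!+]*?)(?=[-\s,]|\.tar\.gz|\.whl|$)')

# Constructed sample: a requirements pin, lock entries and two pip log lines.
SAMPLE = """\
litellm[proxy]==1.82.7 --hash=sha256:<placeholder>
my-litellm-wrapper==1.82.7
[[package]]
name = "litellm"
version = "1.82.8"
[[package]]
name = "openai"
version = "1.82.7"
Successfully installed litellm-1.82.70 requests-2.32.3
Downloading litellm-1.82.8-py3-none-any.whl
"""


def find_affected(text):
    """Return [(line_no, version)] for each reference to an affected release."""
    hits, in_litellm = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if ENTRY.match(line):  # new entry: remember whether it is litellm
            in_litellm = bool(NAME.match(line))
        found = [m.group(1) for rx in (PIN, ARTIFACT) for m in rx.finditer(line)]
        m = VERSION.match(line)
        if in_litellm and m:  # version field belonging to a litellm entry
            found.append(m.group(1))
            in_litellm = False
        hits += [(no, v.rstrip(".")) for v in found if v.rstrip(".") in AFFECTED]
    return hits


if __name__ == "__main__":
    texts = [(p, Path(p).read_text(errors="replace")) for p in sys.argv[1:]]
    for label, text in texts or [("<sample>", SAMPLE)]:
        for no, version in find_affected(text):
            print(f"{label}:{no}: litellm {version}")
```

Pass lockfiles or saved CI logs as arguments; with no arguments it scans the embedded sample. Any hit means an affected release was resolved or installed in that context, so steps 3 and 4 apply to the secrets and agents involved.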

## Local takeaway

If your team uses Python packages in production, this is a reminder to enforce strict version pinning and to isolate build agents—especially for AI/LLM gateways that often hold API keys and customer data.