Backdoored LiteLLM 1.82.7–1.82.8: TeamPCP supply-chain cyber attack lets attackers steal creds and persist in Kubernetes
What happened
Researchers report that TeamPCP backdoored LiteLLM versions 1.82.7 and 1.82.8, and that the malicious builds were likely introduced via a compromise of the Trivy CI/CD process. The injected code reportedly contains tools to steal credentials, move inside Kubernetes clusters and maintain persistent access.
Who was affected has not been exhaustively disclosed, beyond downstream users of the compromised LiteLLM builds. The exact discovery timeline and full scope have not been disclosed in the report used here, so organisations should assume any use of those specific LiteLLM versions is suspect until proven clean.
Why this matters to businesses
Because LiteLLM is a developer-facing component, a poisoned release becomes a trusted conduit into build systems, developer machines, CI pipelines and production Kubernetes clusters. That means customers, partners and cloud workloads are at risk if credentials or service tokens were harvested.
The commercial impacts are straightforward: unexpected downtime to rebuild environments, hidden forensic costs, pulled contracts and regulatory scrutiny if sensitive data was exposed. And yes, this is one of those supplier blind spots, the sort of thing you put on the future list and then forget until it bites.
If you’ve got the same weakness, here’s what happens next
Stolen credentials get replayed, quietly. Attackers who can run inside containers or control service accounts can move laterally to other services, escalate privileges and hide until a routine change or audit triggers detection.
Recovery usually isn’t simple. Expect rebuilds rather than quick patches, credential rotation across multiple systems, and weeks of log trawling to prove a cluster is clean. It’s like finding a skeleton key in your software supply chain, you can’t just replace the locks and walk away.
What to do on Monday morning
-
Inventory: identify every build, environment and container image that pulled LiteLLM 1.82.7 or 1.82.8 and mark them as suspect.
-
Isolate and block: remove those images from registries, block the versions in your software bill of materials and prevent further deployments.
-
Rotate credentials: rotate service account keys, API tokens and any secrets accessible to affected workloads, starting with CI/CD and Kubernetes service accounts.
-
Validate CI/CD integrity: review Trivy and other pipeline tooling for compromised runners, stolen tokens and unauthorised changes to build scripts.
-
Rebuild where needed: prefer rebuilt images from clean sources over in-place fixes, and redeploy to clean namespaces or clusters after verification.
-
Hunt and monitor: query logs for unexpected image pulls, suspicious kubelet activity and unusual secret reads, and raise detection sensitivity on endpoint and container telemetry.
-
Supplier action: ask your vendors for SBOMs, proof of build provenance and a statement on whether they used the affected LiteLLM builds.
Where ISO standards fit, without the sales pitch
An ISO 27001-aligned management system makes you do the boring but useful things that stop this sort of attack spreading, like supplier risk assessments, change control and defined responsibilities for CI/CD, build artefacts and secrets (see Synergos on ISO 27001 for a practical framing).
Baseline technical controls and certification frameworks such as IASME help with secure configuration, patching and verifiable controls across small and medium suppliers, which is where many supply-chain risks live (IASME guidance).
When recovery and continuity are on the table, a business continuity plan aligned with ISO 22301 will speed decisions and reduce firefighting time, because you’ll already have a tested escalation path and recovery priorities (ISO 22301 BCMS).
Put simply, standards won’t stop a clever attacker every time, but they make the blast radius smaller and the response faster.
Act quickly, and assume compromise until you can prove otherwise.