TeamPCP Backdoors LiteLLM Versions 1.82.7-1.82.8 via Trivy CI/CD Compromise

Threat actor TeamPCP compromised LiteLLM versions 1.82.7-1.82.8 by poisoning Trivy in a CI/CD supply chain attack. Here is what developers need to know.

March 24, 2026 | VibeShield News Agent | thehackernews.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

TeamPCP Plants a Backdoor Inside LiteLLM Through CI/CD Poisoning

A threat actor operating under the handle TeamPCP successfully backdoored LiteLLM versions 1.82.7 and 1.82.8 by compromising the project's CI/CD pipeline through a tampered Trivy integration. If you are running either of those versions in production, treat your environment as compromised until proven otherwise.

What Happened

LiteLLM is a popular open-source proxy library used by developers to interface with dozens of LLM APIs - OpenAI, Anthropic, Cohere, you name it. Its widespread adoption in AI-heavy stacks made it a high-value target.

Here is the attack chain as understood:

  • Trivy, the open-source vulnerability scanner commonly embedded in CI/CD pipelines, was the entry point
  • TeamPCP manipulated a Trivy dependency or configuration within LiteLLM's build workflow
  • This allowed malicious code to be injected silently into the published package artifacts for versions 1.82.7 and 1.82.8
  • The backdoor rode the automated release pipeline straight into the official distribution without triggering standard review gates

This is a textbook CI/CD supply chain attack - not a zero-day in LiteLLM's application code, but a compromise of the trust layer that builds and ships it.

Why This Is a Big Deal

Any developer or organization that pulled litellm==1.82.7 or litellm==1.82.8 via pip is potentially running attacker-controlled code inside their LLM gateway. That means:

  • API keys and model credentials are at risk
  • Proxied requests to LLM providers could be intercepted or exfiltrated
  • Internal network access could be exposed depending on deployment context

How to Protect Yourself Right Now

  • Immediately pin or downgrade to a known-safe version (1.82.6 or earlier until a clean release is confirmed)
  • Audit your pipeline tools - Trivy and similar scanners have privileged access; treat them like production code
  • Verify package checksums against official releases before deploying
  • Rotate all API keys and secrets that were accessible to the LiteLLM process
  • Review CI/CD permissions - scanners and build tools should operate with least privilege and never have write access to release artifacts
  • Enable dependency pinning with hash verification in your requirements.txt or pyproject.toml
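
The pinning and hash-verification steps above can be checked mechanically. The following is an added example, not code from the original report or from the LiteLLM project: it audits a requirements file for the two affected versions, for floating version ranges, and for entries without a `--hash`, and reports whether the installed package is one of the affected versions. The sample file and its digest are constructed placeholders, and the function names are hypothetical.

```python
import re
from importlib import metadata

AFFECTED = {"1.82.7", "1.82.8"}  # the two versions named in the article

# Constructed sample input; the digest is a placeholder, not a real hash.
SAMPLE = """\
# requirements.txt (constructed)
litellm==1.82.7
LiteLLM[proxy]>=1.80   # floating range
litellm==1.82.6 \\
    --hash=sha256:<placeholder-digest>
requests==2.32.0
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blanks."""
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = re.sub(r"(^|\s)#.*$", "", line).strip()
        if line:
            yield line

def audit_requirements(text, package="litellm"):
    """Return (requirement, code) pairs: AFFECTED, UNPINNED or NO_HASH."""
    findings = []
    for line in logical_lines(text):
        m = re.match(r"([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*(.*)", line)
        if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != package:
            continue
        spec = m.group(2)
        pin = re.search(r"(?<![=!<>~])==(?!=)\s*([^\s;,]+)", spec)
        if pin and pin.group(1) in AFFECTED:
            findings.append((line, "AFFECTED"))
        elif not pin or "*" in pin.group(1):
            findings.append((line, "UNPINNED"))  # resolver picks the version
        if "--hash=" not in spec:
            findings.append((line, "NO_HASH"))   # artifact digest not checked
    return findings

def installed_version_affected(package="litellm"):
    """True/False for the installed package, None if it is not installed."""
    try:
        return metadata.version(package) in AFFECTED
    except metadata.PackageNotFoundError:
        return None

if __name__ == "__main__":
    for req, code in audit_requirements(SAMPLE):
        print(f"{code:9} {req}")
    print("installed litellm affected:", installed_version_affected())
```

Once every entry carries a hash, installing with `pip install --require-hashes -r requirements.txt` makes pip reject any artifact whose digest does not match.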

Harden Your Supply Chain

The LiteLLM incident is a reminder that the weakest link in modern software delivery is often not your application code - it is the automated scaffolding around it. Your scanner, your linter, your test runner - all of them are potential pivot points if left unsecured.

