TempMail Ninja

Supply Chain Attack: Malicious LiteLLM and Telnyx Packages Found on PyPI


The modern software development lifecycle relies on a foundation of implicit trust. We pull libraries from package managers, utilize third-party GitHub Actions to automate workflows, and rely on security scanners to tell us our infrastructure is safe. In the spring of 2026, that foundation of trust was systematically shattered. The threat actor group identified as “TeamPCP”—also tracked under monikers such as “DeadCatx3,” “PCPcat,” and “ShellForce”—orchestrated a sophisticated, multi-ecosystem supply chain attack that transformed trusted security tools into weapons for widespread credential harvesting.

The Anatomy of a Cascading Compromise

The campaign, which gained significant momentum in March 2026, illustrates a terrifying shift in adversary tactics: the move from merely targeting applications to compromising the very tooling used to secure them. The campaign began not with a sophisticated zero-day in a target’s codebase, but with the exploitation of a misconfigured pull_request_target workflow in the open-source vulnerability scanner Trivy, maintained by Aqua Security. This initial breach in late February 2026 allowed the attackers to exfiltrate a high-privilege Personal Access Token (PAT) belonging to the “aqua-bot” service account. Because remediation was incomplete, the attackers retained access, setting the stage for a catastrophic cascading failure.

On March 19, 2026, the group leveraged this persistent access to force-push malicious code into 75 of 76 version tags within the aquasecurity/trivy-action repository. By poisoning these tags, TeamPCP ensured that any CI/CD pipeline relying on the official Trivy action would automatically execute their malicious payload. This payload was designed to be highly invasive, performing the following actions during routine automated workflows:

  • Scraping memory from the runner’s worker process to extract environment variables and secrets.
  • Harvesting cloud credentials, including AWS IAM keys and GCP service account tokens.
  • Exfiltrating SSH keys and Kubernetes configuration files to attacker-controlled domains.
  • Planting persistent backdoors on self-hosted runners to ensure long-term access.

Weaponizing the Ecosystem: LiteLLM and Telnyx

The compromise of Trivy served as the primary propagation vector for the rest of the campaign. Having harvested a massive haul of CI/CD secrets and API keys, the attackers moved laterally into other ecosystems. By late March, the campaign expanded to the Python Package Index (PyPI), specifically targeting popular libraries such as LiteLLM and the Telnyx Python SDK.

The LiteLLM Breach

On March 24, 2026, TeamPCP utilized PyPI publishing tokens obtained during the Trivy compromise to push malicious versions (specifically 1.82.7 and 1.82.8) of LiteLLM to PyPI. Because LiteLLM is widely used as an AI gateway, it acts as a central point for managing API keys and cloud credentials. By infecting this package, the attackers gained immediate access to the production credentials of thousands of organizations that relied on LiteLLM to interface with AI models. The malware in this instance utilized a highly evasive technique: the insertion of a .pth file named litellm_init.pth. When the Python interpreter starts, it automatically processes .pth files, executing the malicious payload before the application code even initializes.
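The .pth mechanism described above is easy to audit from the defender's side. The following script is an added example (not code from the article or from LiteLLM): it applies the same "line begins with import" test that CPython's site module uses, lists every executable .pth line it finds, and flags common loader constructs. The two sample files, the `_constructed_hook` name and the PLACEHOLDER blob are constructed for the demo.

```python
"""Audit .pth files for lines that run code when the interpreter starts.

Added example, not code from the article or from LiteLLM. CPython's site module
executes every line of a .pth file that begins with "import " or "import\\t", which is
why a dropped litellm_init.pth runs before any application code. This script lists
such lines in a directory (or the live site-packages) and flags loader patterns.
"""
import re
import site
import tempfile
from pathlib import Path

# Heuristic (assumption): constructs a legitimate path hook rarely needs on one line.
SUSPICIOUS = re.compile(r"exec\(|eval\(|base64|compile\(|urlopen|subprocess|__import__", re.I)


def audit_pth_dir(directory):
    """Return (file, lineno, severity, line) for each executable line in *.pth files."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        for lineno, raw in enumerate(pth.read_text(errors="replace").splitlines(), 1):
            line = raw.rstrip()
            if line.startswith(("import ", "import\t")):  # the same test site.py applies
                severity = "HIGH" if SUSPICIOUS.search(line) else "INFO"
                findings.append((pth.name, lineno, severity, line))
    return findings


def audit_site_packages():
    """Audit every site-packages directory of the running interpreter."""
    dirs = list(getattr(site, "getsitepackages", list)()) + [site.getusersitepackages()]
    return [f for d in dict.fromkeys(dirs) if Path(d).is_dir() for f in audit_pth_dir(d)]


def demo():
    """Run the auditor over two constructed .pth files in a scratch directory."""
    scratch = Path(tempfile.mkdtemp())
    # Benign: an editable-install path entry plus a plain path-hook import (constructed name).
    (scratch / "benign.pth").write_text("/opt/constructed/src\nimport _constructed_hook\n")
    # Loader: decodes and execs an embedded blob; PLACEHOLDER stands in for the real bytes.
    (scratch / "loader.pth").write_text('import sys, base64; exec(base64.b64decode(b"PLACEHOLDER"))\n')
    return audit_pth_dir(scratch)


if __name__ == "__main__":
    for name, lineno, severity, line in demo() + audit_site_packages():
        print(f"{severity:4} {name}:{lineno}: {line}")
```

Any INFO line deserves a look too: legitimate uses (editable installs, coverage hooks) are few, so an unexpected import line in a freshly installed package is worth investigating.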

The Telnyx SDK Infection

Following the LiteLLM attack, Telnyx was targeted with a similarly malicious release. In this iteration, the attackers employed steganography to hide their payload. The malicious code within the package was designed to download external data disguised as a .wav audio file, which was then decoded and executed on the host machine. This multi-stage approach, combining obfuscation with stealthy execution, made the package extremely difficult for static analysis tools to flag as suspicious.

The Structural Failure of Implicit Trust

The TeamPCP campaign is not merely a story of stolen passwords; it is an indictment of the “trust-by-default” model that pervades modern DevOps. Organizations fell victim to this supply chain attack because they assumed that a component that was “official” or widely used was inherently secure.

Key Vulnerabilities Exposed

  1. Mutable Version Tags: The use of mutable tags (e.g., @v0.x.x) in GitHub Actions allowed attackers to overwrite trusted references with malicious commits without alerting downstream consumers.
  2. Lack of Integrity Verification: Most organizations failed to pin their dependencies to specific, immutable commit SHAs or cryptographic hashes, making them vulnerable to “silent” updates of poisoned packages.
  3. Over-Permissioned CI/CD Runners: The pipelines executing these tools were granted broad access to cloud environments, allowing the malware to exfiltrate not just CI/CD secrets, but production-level cloud credentials and infrastructure configurations.

As industry experts, including those from Wiz and Palo Alto Networks, have noted, security scanners are uniquely dangerous targets. By design, they require deep, privileged access to environments. When they are weaponized, they become perfect instruments for harvesting the very keys needed to unlock the remainder of the corporate infrastructure.

Mitigation: Moving Toward Verified Trust

The fallout from this campaign underscores the urgent need for a shift in how engineering teams approach software supply chain security. Mitigation must move beyond relying on third-party security scanners to verify your environment; you must also verify the scanners themselves.

Immediate Remediation Steps:

  • Pinning Dependencies: Move immediately from mutable version tags to immutable, verified commit SHAs for all GitHub Actions and third-party tools.
  • Credential Rotation: Any pipeline that invoked the compromised versions of Trivy, LiteLLM, or Telnyx during the exposure window must be considered fully compromised. All associated secrets, SSH keys, and cloud IAM credentials must be revoked and rotated.
  • Secrets Scanning: Implement proactive secrets scanning within your CI/CD pipelines. Never rely on the assumption that your environment variables are private; ensure that no secret can be exfiltrated by a malicious process running within the runner’s context.
  • Least Privilege: Enforce strict role-based access control (RBAC) on CI/CD runners. If a build process does not strictly require access to production cloud environments, ensure it is isolated in a sandboxed environment with no lateral network access.
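Two of the weaknesses above, the mutable action tags from the “Key Vulnerabilities” list and the misconfigured pull_request_target workflow that started the Trivy compromise, can be caught by a simple workflow triage. The script below is an added example (not code from the article, Trivy or GitHub); it is line-based so it needs no YAML library, and the sample workflow and its 40-hex SHA are constructed.

```python
"""Triage a GitHub Actions workflow for the two weaknesses the article describes.

Added example, not code from the article, Trivy or GitHub. It flags `uses:` refs that
point at a mutable tag or branch instead of a 40-hex commit SHA, and a pull_request_target
trigger combined with a checkout of the PR head (untrusted code run with base-repo secrets).
Line-based, so no YAML parser is needed; the sample workflow is constructed.
"""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")


def check_workflow(text):
    """Return (lineno, kind, detail) tuples; lineno 0 marks a whole-file finding."""
    findings, pr_target, pr_head_checkout = [], False, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        pr_target = pr_target or bool(PR_TARGET_RE.search(line))
        pr_head_checkout = pr_head_checkout or bool(PR_HEAD_RE.search(line))
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # no uses:, or a local action / image that is not resolved via a tag
        ref = m.group(1)
        if "@" not in ref:
            findings.append((lineno, "unpinned", ref))
        elif not SHA_RE.match(ref.rsplit("@", 1)[1]):
            findings.append((lineno, "mutable-ref", ref))
    if pr_target and pr_head_checkout:
        findings.append((0, "pr-target-checkout", "pull_request_target + checkout of PR head"))
    return findings


# Constructed workflow modelled on a typical scanner job; the 40-hex SHA is made up.
SAMPLE_WORKFLOW = """\
name: scan
on:
  pull_request_target:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/trivy-action@v0.x.x
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: ./.github/actions/local-step
"""
```

Run it over every file under `.github/workflows/` and treat a `pr-target-checkout` finding as a blocker; `mutable-ref` findings are the tags to replace with the commit SHA they currently resolve to.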

The 2026 TeamPCP campaign should serve as a wake-up call. Supply chain attacks have evolved from simple dependency confusion to complex, worm-like propagations that exploit the very automation that modern engineering depends on. By prioritizing verification over assumption and adopting a “zero-trust” approach to third-party tools, organizations can begin to harden their pipelines against an adversary that has proven it will stop at nothing to turn our own tools against us.


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.