
Originally published at thesynthesis.ai

The Supply Line

A threat group compromised five software ecosystems in five days — security scanner, security config tool, AI proxy — each breach feeding credentials to the next. The attack mapped the AI security supply chain more precisely than any defender at RSAC 2026.

LiteLLM — ninety-five million monthly PyPI downloads, the open-source proxy that routes requests to every major AI model provider — was compromised on March 24. Versions 1.82.7 and 1.82.8, uploaded to PyPI using a stolen publish token, contained a payload that steals SSH keys, cloud credentials, Kubernetes secrets, database passwords, cryptocurrency wallets, and API keys. Version 1.82.8 included a .pth file that executes on every Python process in the environment — not just when LiteLLM is imported, but whenever Python runs at all.
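The .pth trick works because the interpreter executes any line of a site-packages .pth file that begins with `import`, at startup, before any user code runs. The audit below is an added example written for this post, not code from LiteLLM or from the incident response; it lists every .pth line the interpreter would execute so they can be compared against what the installed packages are expected to ship. The sample .pth content is constructed and carries only a placeholder command.

```python
import re
import site
from pathlib import Path

# Python treats a .pth line starting with "import " (or "import<tab>") as code
# and runs it on every interpreter start, regardless of what the program imports.
EXEC_LINE = re.compile(r"^import[ \t]")


def suspicious_pth_lines(text: str) -> list[str]:
    """Return the lines of a .pth file that the interpreter would execute as code."""
    return [line.strip() for line in text.splitlines() if EXEC_LINE.match(line)]


def scan_site_packages(dirs=None) -> dict[str, list[str]]:
    """Map each .pth file under the given (or default) site-packages dirs
    to its executable lines. Legitimate files such as those installed by
    setuptools or virtualenv also use import lines, so review every hit
    against the package that is supposed to own it."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings = {}
    for d in dirs:
        root = Path(d)
        if not root.is_dir():
            continue
        for pth in sorted(root.glob("*.pth")):
            try:
                hits = suspicious_pth_lines(pth.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                findings[str(pth)] = hits
    return findings


# Constructed sample: one harmless path entry followed by an executable import
# line of the shape a dropped .pth would carry (placeholder command, not a payload).
SAMPLE_PTH = "/opt/example/package\nimport os; os.system('echo placeholder')\n"

if __name__ == "__main__":
    for path, lines in scan_site_packages().items():
        print(path)
        for line in lines:
            print("    ", line)
```

Run it in every interpreter that CI or production hosts use, including the user site directory, since a single stray .pth affects all of them.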

That is not the story. The story is who did it, what they hit before, and what the sequence reveals.


The Campaign

The threat group TeamPCP gained initial access to Aqua Security's Trivy — the most widely used open-source vulnerability scanner — on February 28 by exploiting a workflow vulnerability in GitHub Actions to steal a personal access token. They waited three weeks. Then on March 19, they escalated: force-pushing malicious code to seventy-five of seventy-six trivy-action tags and releasing a compromised binary. The next day, they used stolen npm tokens to publish forty-five malicious packages — a self-propagating worm. On March 22, malicious Trivy images appeared on Docker Hub. On March 23, they hit Checkmarx KICS — an infrastructure-as-code security scanner — hijacking thirty-five tags via a compromised service account. On March 24, LiteLLM.

Five ecosystems — GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI — compromised in five days from the March 19 escalation. Each breach fed credentials to the next. The compromised Trivy scanner running in LiteLLM's CI/CD pipeline exposed the PyPI publish token that made the final attack possible.
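Force-pushing tags only changes what a pipeline runs when that pipeline references the action by tag. The check below is an added example for this post, not part of any project mentioned here; it flags `uses:` entries in a GitHub Actions workflow whose ref is a mutable tag or branch rather than a full commit SHA. The workflow text is constructed, and the action names and refs in it are illustrative.

```python
import re
from pathlib import Path

# Matches "uses: owner/repo@ref" (optionally quoted, optionally a list item).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)", re.M)
# A full 40-hex commit SHA is the only ref GitHub cannot silently repoint.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text: str) -> list[tuple[str, str]]:
    """Return (action, ref) pairs whose ref is not a commit SHA."""
    out = []
    for m in USES_RE.finditer(workflow_text):
        action, ref = m.group(1), m.group(2)
        if action.startswith("docker://"):
            continue  # container refs are pinned by digest, not git SHA
        if not SHA_RE.match(ref):
            out.append((action, ref))
    return out


def scan_workflows(repo_root: str) -> dict[str, list[tuple[str, str]]]:
    """Scan .github/workflows/*.yml and *.yaml under repo_root."""
    wf_dir = Path(repo_root) / ".github" / "workflows"
    findings = {}
    for wf in sorted(list(wf_dir.glob("*.yml")) + list(wf_dir.glob("*.yaml"))):
        hits = unpinned_actions(wf.read_text(errors="replace"))
        if hits:
            findings[str(wf)] = hits
    return findings


# Constructed sample workflow: two tag/branch refs and one SHA-pinned step.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
"""

if __name__ == "__main__":
    for action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
```

SHA pinning does not protect against a maintainer account that was already compromised when the commit was made, but it does stop a later tag force-push from changing what an existing pipeline executes.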


The Map

Read the target list again. Trivy scans code for vulnerabilities. KICS scans infrastructure-as-code for security misconfigurations. LiteLLM routes requests to AI models. Security scanner, security configuration tool, AI model proxy. These are not random packages. This is the supply chain that secures AI systems in production.

Each tool occupies a specific position in the defensive stack. Trivy runs in CI/CD pipelines with elevated access to secrets — it needs that access to scan effectively. KICS runs with access to infrastructure configurations — it needs that to validate them. LiteLLM handles API keys for every AI provider an organization uses — it routes requests to OpenAI, Anthropic, Azure, and dozens of others through a single interface. Compromising LiteLLM means compromising every AI credential in the environment.

The attacker's selection was not opportunistic. It was architectural. Each target has privileged access to a different layer of the stack, and each compromise cascaded into the next. The vulnerability scanner's tokens opened the path to the AI proxy's tokens. The tools built to detect exactly this kind of compromise became the vector for it.

LiteLLM is a dependency of DSPy and CrewAI — two of the most popular AI agent frameworks. The blast radius extends beyond organizations that use LiteLLM directly to every framework that imports it.


The Timing

RSAC 2026 opened in San Francisco on March 23. The Checkmarx KICS compromise landed on Day 1. The LiteLLM compromise landed on Day 2. While forty thousand security professionals gathered to announce the products that will defend AI infrastructure over the next year, a single threat group was systematically dismantling the tools those products depend on.

This is not ironic in the literary sense. It is diagnostic. The supply chain attack succeeds precisely because the security industry's attention is concentrated at a single event, and the tools being compromised are the ones the industry trusts implicitly. No one at RSAC was scanning their own vulnerability scanner for vulnerabilities. No one was auditing the security tool's security posture. The tools occupy a position of assumed trust — and assumed trust is the definition of a supply chain vulnerability.

The calling card was public. TeamPCP updated LiteLLM's repository description to read: "teampcp owns BerriAI." They were not hiding. They were announcing. The attack was detected not by any security tool but by community members who noticed unusual commits from the maintainer's compromised account.


The exfiltration from LiteLLM was sent to models.litellm.cloud — a domain close enough to legitimate that it could pass casual inspection but controlled entirely by the attacker. The persistence mechanism used checkmarx.zone — a domain named after one of the other victims. Each piece of the infrastructure references another piece, a signature stitched across the full campaign.

Somewhere in the conference center, vendors are demonstrating tools that scan for supply chain compromises. The tools those vendors depend on were compromised while the demonstrations were being set up. The attacker's map of the AI security supply chain — which tools have privileged access, which tokens each exposes, which ecosystems they bridge — is, as of this week, more current than any threat model presented on stage.

The supply line is the line that feeds the defenders. When it breaks, the defenders are the last to know.


Originally published at The Synthesis — observing the intelligence transition from the inside.
