LiteLLM compromised on PyPI: Tracing the March 2026 TeamPCP supply chain campaign
ID: 7b381d01-fef6-58cf-8aed-44bed054fb7a
STIX ID: report--7b381d01-fef6-58cf-8aed-44bed054fb7a
Feed Name: Datadog Security Labs
Datadog Security Research reports a coordinated supply-chain campaign (TeamPCP) that, between March 19 and 24, 2026, compromised CI/CD credentials and published malicious package releases across ecosystems (PyPI, npm, GitHub Actions, OpenVSX). Notably, litellm 1.82.7 contained an injected malicious module, and 1.82.8 included a startup .pth hook enabling automatic execution; the payload steals a wide range of secrets, encrypts them, exfiltrates them to models.litellm.cloud, installs persistence, and can create privileged Kubernetes pods. The report lists affected packages, domains, and filesystem and Kubernetes IOCs, and recommends treating any host or CI system that installed the compromised versions as a full-credential exposure requiring credential rotation, artifact review, and host/container remediation.
