Your AI Gateway was a Backdoor: Inside the LiteLLM Supply Chain Compromise

    Friday, March 27, 2026 In: Threat Research Print

    Date: 03/27/2026

    Severity: High

    Summary

    A supply chain attack compromised the LiteLLM AI proxy package on PyPI, with malicious versions delivering a multi-stage payload that harvested credentials, enabled Kubernetes lateral movement, and established persistent backdoor access for remote code execution. The campaign, attributed to the TeamPCP threat group, targeted sensitive data including cloud credentials and SSH keys, leveraging compromised CI/CD pipelines and security tools to distribute trojanized packages. This incident highlights the growing risk of software supply chain attacks impacting widely used AI and developer ecosystems.

    Indicators of Compromise (IOC) List

    Domains/Urls

    https://models.litellm.cloud/

    https://checkmarx.zone/raw

    scan.aquasecurtiy.org

    https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/

    plug-tab-protective-relay.trycloudflare.com

    souls-entire-defined-routes.trycloudflare.com

    investigation-launches-hearings-copying.trycloudflare.com

    championships-peoples-point-cassette.trycloudflare.com

    create-sensitivity-grad-sequence.trycloudflare.com

    IP Address

    46.151.182.203

    3.142.209.11

    45.148.10.212

    Hash

    2d94efc6d49e05b314a9da55804f6a0d57154b18

    e7587b990ae57319a6afedeba3b8873f6238206

    3af9a3c6983f6f18261a1c410541502d0f2bc864

    3fcc7360a2738ad2656e17c7d4ed3e651ff7d73a

    da466d3c630d6bfea0c5b82d6cad388e443dbe92

    78cd382040eda14e2f8a17ee7387cffdabe96ab5

    b20aa5b6c1f01117993287edad462cc49f588b39

    e9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b

    61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba

    0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a

    c37c0ae9641d2e5329fcdee847a756bf1140fdb7f0b7c78a40fdc39055e7d926

    f398f06eefcd3558c38820a397e3193856e4e6e7c67f81ecc8e533275284b152

    7df6cef7ab9aae2ea08f2f872f6456b5d51d896ddda907a238cd6668ccdc4bb7

    5e2ba7c4c53fa6e0cef58011acdd50682cf83fb7b989712d2fcf1b5173bad956

    822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0

    e64e152afe2c722d750f10259626f357cdea40420c5eedace37969fbf13abbecf

    0880819ef821cff918960a39c1c1aada55a5593c61c608ea9215da858a86e349

    f69a8a4180c43fc427532ddde34a256acbd041a0a07844cf7e4d3e0434e5bcd1

    dd8beb3b40df080b3fd7f9a0f5a1b02f3692f65c68980f46da8328ce8bb788ef

    File Names

    ~/.config/sysmon/sysmon.py

    /tmp/pglog

    /tmp/.pg_state

    Service Name

    sysmon.service

    Kubernetes Pod Name

    node-setup-*

    Archive Name

    tpcp.tar.gz

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection 

    Detection Query 1 :

    domainname like "plug-tab-protective-relay.trycloudflare.com" or siteurl like "plug-tab-protective-relay.trycloudflare.com" or url like "plug-tab-protective-relay.trycloudflare.com" or domainname like "https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/" or siteurl like "https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/" or url like "https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/" or domainname like "scan.aquasecurtiy.org" or siteurl like "scan.aquasecurtiy.org" or url like "scan.aquasecurtiy.org" or domainname like "championships-peoples-point-cassette.trycloudflare.com" or siteurl like "championships-peoples-point-cassette.trycloudflare.com" or url like "championships-peoples-point-cassette.trycloudflare.com" or domainname like "https://checkmarx.zone/raw" or siteurl like "https://checkmarx.zone/raw" or url like "https://checkmarx.zone/raw" or domainname like "create-sensitivity-grad-sequence.trycloudflare.com" or siteurl like "create-sensitivity-grad-sequence.trycloudflare.com" or url like "create-sensitivity-grad-sequence.trycloudflare.com" or domainname like "investigation-launches-hearings-copying.trycloudflare.com" or siteurl like "investigation-launches-hearings-copying.trycloudflare.com" or url like "investigation-launches-hearings-copying.trycloudflare.com" or domainname like "https://models.litellm.cloud/" or siteurl like "https://models.litellm.cloud/" or url like "https://models.litellm.cloud/" or domainname like "souls-entire-defined-routes.trycloudflare.com" or siteurl like "souls-entire-defined-routes.trycloudflare.com" or url like "souls-entire-defined-routes.trycloudflare.com"

    Detection Query 2 :

    dstipaddress IN ("46.151.182.203","45.148.10.212","3.142.209.11") or srcipaddress IN ("46.151.182.203","45.148.10.212","3.142.209.11")

    Detection Query 3 :

    sha1hash IN ("78cd382040eda14e2f8a17ee7387cffdabe96ab5","2d94efc6d49e05b314a9da55804f6a0d57154b18","b20aa5b6c1f01117993287edad462cc49f588b39","3fcc7360a2738ad2656e17c7d4ed3e651ff7d73a")

    Detection Query 4 :

    sha256hash IN ("61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba","f398f06eefcd3558c38820a397e3193856e4e6e7c67f81ecc8e533275284b152","0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a","822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0","7df6cef7ab9aae2ea08f2f872f6456b5d51d896ddda907a238cd6668ccdc4bb7","e9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b","c37c0ae9641d2e5329fcdee847a756bf1140fdb7f0b7c78a40fdc39055e7d926","5e2ba7c4c53fa6e0cef58011acdd50682cf83fb7b989712d2fcf1b5173bad956","e64e152afe2c722d750f10259626f357cdea40420c5eedace37969fbf13abbecf","0880819ef821cff918960a39c1c1aada55a5593c61c608ea9215da858a86e349","f69a8a4180c43fc427532ddde34a256acbd041a0a07844cf7e4d3e0434e5bcd1","dd8beb3b40df080b3fd7f9a0f5a1b02f3692f65c68980f46da8328ce8bb788ef")

    Detection Query 5 :

    resourcename = "Windows Security" and eventtype = "4663" and objectname IN ("~/.config/sysmon/sysmon.py","/tmp/pglog","/tmp/.pg_state")

    Detection Query 6 :

    technologygroup = "EDR" and objectname IN ("~/.config/sysmon/sysmon.py","/tmp/pglog","/tmp/.pg_state")

    Reference:

    https://www.trendmicro.com/en_us/research/26/c/inside-litellm-supply-chain-compromise.html           


    Tags

    MalwareThreat ActorBackdoorSupply chain attackAIPythonCredential HarvestingTrojan

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags

    Privacy & Security StatementTerms & Conditions
    Copyright © 2026 by Gurucul - All rights reserved.