T1195.001 Compromise Software Dependencies and Development Tools
99%
“workflow injections took place into aquasecurity/tfsec, aquasecurity/traceeshark, and aquasecurity/trivy-action. By the end of the day, the campaign had already moved from one poisoned release to active reuse of a compromised identity across other repositories and workflo…”
T1195.001 Compromise Software Dependencies and Development Tools
98%
“…es activity, not just package presence. What happened on March 24 and March 27, the TeamPCP campaign reached PyPI, compromising two popular, legitimate Python packages: litellm, a widely used proxy layer for LLM providers, and telnyx, a telephony SDK. These were not fake or ty…”
T1195.001 Compromise Software Dependencies and Development Tools
98%
“, then roughly seven hours later the same access was used to deface Aqua Security's internal aquasec-com GitHub organization. In total, 44 repositories were renamed, all with a tpcp-docs- prefix and the description "TeamPCP owns Aqua Security." March 23: the same patter…”
T1195.001 Compromise Software Dependencies and Development Tools
95%
“_init.pth, ~/.config/sysmon/sysmon.py, ~/.config/systemd/user/sysmon.service, /tmp/pglog, and /tmp/.pg_state. In Kubernetes, review audit logs for unusual secret access, privileged pod creation, or pod names matching node-setup-*. Do not treat reverti…”
T1195.001 Compromise Software Dependencies and Development Tools
90%
“method:(get OR list) @objectRef.resource:secrets @userAgent:python-urllib* source:cloudtrail @evt.name:(GetSecretValue OR ListSecrets OR DescribeParameters) @http.useragent:python-urllib* @file.path:(*litellm_init.pth OR */.config/sysmon…”
T1195.001 Compromise Software Dependencies and Development Tools
89%
“LiteLLM and Telnyx compromised on PyPI: tracing the TeamPCP supply chain campaign. Key points and observations - On March 24, 2026, two PyPI releases of litellm, 1.82.7 and 1.82.8, were published with malicious code as a result of a supply chain compromise. PyPI later quaranti…”
T1195.001 Compromise Software Dependencies and Development Tools
88%
“bridge into the PyPI compromises. By then, the attacker had already demonstrated a repeated pattern against GitHub Actions, package registries, and developer tooling in more than one vendor environment. March 24: litellm is compromised on PyPI. litellm 1.82.7 and 1.82.8 were …”
T1195.001 Compromise Software Dependencies and Development Tools
87%
“the malicious payload. At that point, the attacker was automating the next compromise and broadening the campaign. By March 22, the infrastructure behind the npm activity was also being used for something more aggressive. The same callback domain used in the npm worm was serving …”
T1195.001 Compromise Software Dependencies and Development Tools
83%
“76 of 77 aquasecurity/trivy-action tags to malicious commits - replace all seven aquasecurity/setup-trivy tags. The v0.69.4 tag triggered Trivy's standard release machinery, which then pushed the compromised build through GHCR, ECR Public, Docker Hub, deb and rpm pack…”
T1195.002 Compromise Software Supply Chain
62%
“, then roughly seven hours later the same access was used to deface Aqua Security's internal aquasec-com GitHub organization. In total, 44 repositories were renamed, all with a tpcp-docs- prefix and the description "TeamPCP owns Aqua Security." March 23: the same patter…”
T1587 Develop Capabilities
58%
“workflow injections took place into aquasecurity/tfsec, aquasecurity/traceeshark, and aquasecurity/trivy-action. By the end of the day, the campaign had already moved from one poisoned release to active reuse of a compromised identity across other repositories and workflo…”
T1567.001 Exfiltration to Code Repository
39%
“76 of 77 aquasecurity/trivy-action tags to malicious commits - replace all seven aquasecurity/setup-trivy tags. The v0.69.4 tag triggered Trivy's standard release machinery, which then pushed the compromised build through GHCR, ECR Public, Docker Hub, deb and rpm pack…”
T1610 Deploy Container
38%
“- filename: tpcp.tar.gz. - install persistence: the payload writes ~/.config/sysmon/sysmon.py and installs a user systemd unit called sysmon.service. - beacon for follow-on payloads: after this, the malware polls https://checkmarx[.]zone/raw, downloads /tm…”
T1610 Deploy Container
37%
“the malicious payload. At that point, the attacker was automating the next compromise and broadening the campaign. By March 22, the infrastructure behind the npm activity was also being used for something more aggressive. The same callback domain used in the npm worm was serving …”
T1195.002 Compromise Software Supply Chain
37%
“76 of 77 aquasecurity/trivy-action tags to malicious commits - replace all seven aquasecurity/setup-trivy tags. The v0.69.4 tag triggered Trivy's standard release machinery, which then pushed the compromised build through GHCR, ECR Public, Docker Hub, deb and rpm pack…”
T1677 Poisoned Pipeline Execution
37%
“, then roughly seven hours later the same access was used to deface Aqua Security's internal aquasec-com GitHub organization. In total, 44 repositories were renamed, all with a tpcp-docs- prefix and the description "TeamPCP owns Aqua Security." March 23: the same patter…”
T1195.001 Compromise Software Dependencies and Development Tools
35%
“- filename: tpcp.tar.gz. - install persistence: the payload writes ~/.config/sysmon/sysmon.py and installs a user systemd unit called sysmon.service. - beacon for follow-on payloads: after this, the malware polls https://checkmarx[.]zone/raw, downloads /tm…”
Summary
On March 24 and 27, 2026, malicious PyPI releases of LiteLLM and Telnyx were published as part of the TeamPCP supply chain campaign. We trace the full campaign from Trivy through npm, Checkmarx, and into PyPI.