TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Trend Micro Research

Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise

John Rainier Navato · 2026-03-26

ATT&CK techniques detected

25 predictions

T1195.001 · Compromise Software Dependencies and Development Tools · 98%
“…s, each expanding the campaign's reach: - npm (March 20): less than 24 hours after the Trivy compromise, TeamPCP deployed a self-propagating worm — dubbed CanisterWorm by Aikido researchers — across the npm ecosystem. The worm stole npm tokens from compromised runners, …”

T1552.004 · Private Keys · 98%
“…. - Credential harvesting: the payload swept the system for SSH keys, AWS/GCP/Azure IAM credentials, Kubernetes configs, Docker registry tokens, npm auth tokens, HashiCorp Vault tokens, WireGuard private keys, cryptocurrency wallets (Bitcoin, Ethereum, Solana, Exodus, Elect…”

T1195.001 · Compromise Software Dependencies and Development Tools · 95%
“…, configuration files, and runner memory. When a scanner is compromised, it becomes a credential harvesting platform with legitimate access to secrets. In late February 2026, an actor operating under the handle megagame10418 exploited a misconfigured pull_request_target workf…”

T1195.001 · Compromise Software Dependencies and Development Tools · 95%
“…point. Our analysis began with a single seed IoC, IP address 83.142.209.11, and expanded through five systematic enrichment pivots over 50 minutes, consuming 34 VirusTotal API calls. What emerged was not a single-package compromise but a coordinated, multi-ecosystem supply…”

T1195.001 · Compromise Software Dependencies and Development Tools · 88%
“…code extensions were also published to the OpenVSX marketplace. The payload used a new C&C domain (checkmarx[.]zone) but contained the same RSA-4096 public key and tpcp.tar.gz exfiltration naming as the Trivy payload, confirming shared infrastructure. - Docker Hub (Ma…”

T1059.006 · Python · 87%
“…. Mapping cloud exposure and risk score surfaces these issues and allows you to respond before a potential leak is exploited. TrendAI Vision One™ Code Security and TrendAI Vision One™ Container Security catch malicious payloads before they detonate by scanning your container ima…”

T1552.004 · Private Keys · 87%
“…Ansible configs - TLS/SSL private keys, shell history, /etc/shadow. System reconnaissance and SSH key and configuration theft: the collector begins by establishing helper functions for file reading and command execution, then immediately runs system identification commands. Th…”

T1195.002 · Compromise Software Supply Chain · 83%
“…, configuration files, and runner memory. When a scanner is compromised, it becomes a credential harvesting platform with legitimate access to secrets. In late February 2026, an actor operating under the handle megagame10418 exploited a misconfigured pull_request_target workf…”

T1195.001 · Compromise Software Dependencies and Development Tools · 79%
“…and exfiltrated via HTTPS POST to models[.]litellm[.]cloud, a domain registered just one day before the attack. A separate persistent backdoor polls checkmarx[.]zone every 50 minutes for second-stage payloads, abusing the trusted Checkmarx brand name to bypass DNS allo…”

T1059.006 · Python · 76%
“…with executable permissions (chmod 755), executes it as a detached process (start_new_session=True), and finally records the URL in /tmp/.pg_state to prevent re-download. This constitutes a remote code execution (RCE) backdoor. The attacker can push arbitrary e…”

T1195.001 · Compromise Software Dependencies and Development Tools · 74%
“…Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise. Artificial Intelligence (AI). Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise. TeamPCP orchestrated one of the most sophisticated multi-ecosystem supply chain campaigns publi…”

T1195.001 · Compromise Software Dependencies and Development Tools · 73%
“…security tools are compromised, everything downstream is exposed. Structural defenses - Enforce ‘npm install --ignore-scripts’ in CI/CD pipelines unless postinstall scripts are explicitly reviewed. - Monitor for unexpected ‘.pth’ file creation in Python site-packages,…”

T1552.007 · Container API · 71%
“…and v2 token mechanisms. When AWS credentials are found in environment variables, the script makes authenticated AWS SigV4 API calls to steal secrets from AWS Secrets Manager and SSM Parameter Store. The full SigV4 signing implementation is embedded in the script. It then queries…”

T1195.001 · Compromise Software Dependencies and Development Tools · 69%
“…memory for secrets, harvested cloud credentials and SSH keys from the filesystem, encrypted the bundle using AES-256-CBC with an RSA-4096 public key, and exfiltrated it to a typosquatted domain (scan[.]aquasecurtiy[.]org, resolving to 45[.]148[.]10[.]212). …”

T1552.004 · Private Keys · 68%
“…token queries, and — notably — authenticated SigV4 API calls to AWS Secrets Manager (ListSecrets, GetSecretValue) and SSM Parameter Store (DescribeParameters). The full SigV4 signing implementation is embedded in the script (T1552.005 — Cloud Instance Metadata API) - GCP a…”

T1195.001 · Compromise Software Dependencies and Development Tools · 64%
“…8 through 3.13 now skip hidden .pth files, which reduces some risk. Although the broader proposal to deprecate or remove .pth code execution entirely (issue #78125) remains unresolved, these partial mitigations demonstrate ongoing efforts within the CPython community to balan…”

T1195.001 · Compromise Software Dependencies and Development Tools · 64%
“…: Immediate actions - Check for `litellm_init.pth` in any Python site-packages directory. If present, assume full credential compromise. - Rotate all credentials that were present as environment variables or in config files on any system where LiteLLM 1.82.7 or 1.82.8 …”

T1059.006 · Python · 62%
“…-layer Base64-encoded Python script. Each layer is decoded and executed at runtime, creating a chain of in-memory payloads that never touch disk as standalone files. Table 1. The multi-layer malware architecture. A technical analysis of how the LiteLLM attack worked. The PyPI …”

T1587 · Develop Capabilities · 57%
“…s, each expanding the campaign's reach: - npm (March 20): less than 24 hours after the Trivy compromise, TeamPCP deployed a self-propagating worm — dubbed CanisterWorm by Aikido researchers — across the npm ecosystem. The worm stole npm tokens from compromised runners, …”

T1195.001 · Compromise Software Dependencies and Development Tools · 51%
“…rapidly for stealth and persistence. - TeamPCP has previously compromised security tools like Trivy and Checkmarx KICS to steal credentials and propagate malicious payloads. Attackers leveraged compromised CI/CD pipelines and security scanners to escalate privileges and publish…”

T1195.001 · Compromise Software Dependencies and Development Tools · 43%
“…own coding error became the kill chain's weakest link. A security researcher opened GitHub issue #24512 against BerriAI's LiteLLM repository with a simple, devastating subject line: "Critical: malicious litellm_init.pth in litellm 1.82.8 PyPI package, credential stea…”

T1552.007 · Container API · 42%
“…-wide lateral movement. This is the most destructive behavior. The script enumerates all K8s nodes, then for each node, creates a privileged pod in the kube-system namespace with the host filesystem mounted. The pod writes the persistence backdoor (discussed later on) to the …”

T1610 · Deploy Container · 39%
“…-wide lateral movement. This is the most destructive behavior. The script enumerates all K8s nodes, then for each node, creates a privileged pod in the kube-system namespace with the host filesystem mounted. The pod writes the persistence backdoor (discussed later on) to the …”

T1195.002 · Compromise Software Supply Chain · 38%
“…rapidly for stealth and persistence. - TeamPCP has previously compromised security tools like Trivy and Checkmarx KICS to steal credentials and propagate malicious payloads. Attackers leveraged compromised CI/CD pipelines and security scanners to escalate privileges and publish…”

T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol · 33%
“…To do this, it first generates a random 32-byte AES session key using openssl rand. Then, it encrypts the collected data with AES-256-CBC + PBKDF2 key derivation using the session key. It then encrypts the session key with the embedded RSA-4096 public key using OAEP paddi…”

Summary

TeamPCP orchestrated one of the most sophisticated multi-ecosystem supply chain campaigns publicly documented to date. It cascaded through developer tooling, compromised LiteLLM, and exposed how AI proxy services that concentrate API keys and cloud credentials become high-value collateral when supply chain attacks compromise upstream dependencies.