What started as a poisoned Python package has evolved into something with far darker implications — a coordinated alliance between supply chain hackers, a resurgent dark web forum, and a ransomware operation that is handing out attack tools to anyone willing to use them.
The compromised LiteLLM versions were available on PyPI for approximately three hours before being pulled on March 24. But the fallout from those three hours is now expanding by the day.
TeamPCP claims to have exfiltrated data from over 500,000 infected systems, boasting to external security researchers that they pulled 300GB of credentials and secrets. Whether those numbers are inflated — dark web braggadocio frequently is — the volume of real-world damage is undeniable.
Brett Leatherman, FBI Assistant Director of the Cyber Division, wrote on LinkedIn that they are aware of organisations actively addressing the threat and warned that they expect an increase in breach disclosures, follow-on intrusions, and extortion attempts in the coming weeks.
As of March 24, Mandiant Consulting CTO Charles Carmakal stated they were aware of over 1,000 SaaS environments actively dealing with this threat actor — a figure he expected to grow considerably.
How the Domino Fell
This was not a fake package or a typo-squatted name. It was a compromise of the real litellm project on PyPI — the result of an ongoing supply chain campaign that had already moved through Trivy, npm, Aqua Security's internal GitHub, and Checkmarx.
The entry point was a February 28 exploit against Aqua Security's Trivy vulnerability scanner. An AI-powered autonomous attack tool named hackerbot-claw exploited a misconfigured pull_request_target GitHub Actions workflow in the Trivy repository to extract a personal access token with write access to all 33+ repositories in the Aqua Security GitHub organisation. Aqua patched the surface issue but failed to fully rotate its credentials — and that incomplete remediation handed TeamPCP a three-week window.
The compromise of the PyPI package was likely caused by the initial compromise of a GitHub account belonging to LiteLLM co-founder and CEO Krish Dholakia. Using the compromised maintainer account, the attackers closed GitHub issue #24512 as "not planned" and made commits to unrelated repositories with the message "teampcp update."
The payload itself was surgical. LiteLLM is an API key management gateway — the one package that, by definition, has access to every LLM API key in an organisation. Targeting it meant scooping up credentials for OpenAI, Anthropic, Google Vertex AI, and 100 other providers in a single sweep. The malware harvested SSH keys, cloud credentials, Kubernetes secrets, crypto wallets, CI/CD tokens, and shell histories — all encrypted and sent to an attacker-controlled domain before anyone noticed.
The Dark Web Escalation Nobody Expected
Then came the part that shifts this from a supply chain story into something potentially historic.
After the LiteLLM hack, TeamPCP, the dark web forum BreachForums (operating under the Breached brand), and ransomware operator Vect announced a major partnership — inviting forum members to collaborate, with all 300,000+ users set to receive a personal Vect ransomware affiliate key.
"Today marks a historic moment for the underground community," posted one of the forum owners using the alias "vect." The alliance was separately confirmed on TeamPCP's Telegram channel and by the forum's moderator, HasanBroker, who called Vect "one of the most sophisticated ransomware programs I have seen."
The model here is historically unusual. Traditional ransomware-as-a-service operations kept their affiliate rosters tight — LockBit, for instance, had only opened 73 affiliate accounts before its disruption. Vect's approach eliminates the trust model entirely, handing tools to anyone. Researchers describe it as a "Levée en masse" — a mass mobilisation replacing a professional operation with a crowd. The upside for attackers is scale; the downside is unpredictability. Victims could face multiple extortion attempts from independent affiliates with no guarantee that data will ever actually be deleted.
Separately, TeamPCP is also actively collaborating with LAPSUS$, the extortion group, to leverage stolen data against victim organisations — adding a direct ransom demand dimension on top of the credential theft. The group is also believed to have compromised NPM packages containing a Python backdoor and a self-propagating worm, and deployed a Kubernetes node wiper against targets in Iran.
TeamPCP functions as a cloud-native cybercrime platform that leverages misconfigured Docker and Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications as primary infection vectors. Their Telegram channel currently has over 700 members and regularly publishes stolen data from victims in the US, Canada, South Korea, Serbia, and the UAE.
What You Need to Do Right Now
If you run LiteLLM in any environment, the immediate priority is clear. Run pip show litellm | grep Version on every host, container, CI job, and developer machine. Version 1.82.8 is the higher-risk case — its malicious .pth file executes automatically when the Python interpreter starts, regardless of what the application imports. Even pip itself triggers it.
If you find 1.82.7 or 1.82.8, do not simply upgrade. The payload may have already run. Rotate every credential that was reachable from that environment — cloud provider keys, SSH keys, Kubernetes service account tokens, GitHub and npm tokens, database passwords, and any LLM provider API keys. Check for ~/.config/sysmon/sysmon.py, its corresponding systemd service, and look for node-setup-* pods in your Kubernetes kube-system namespace.
The Python Packaging Authority has issued an advisory urging that "any credentials available to the litellm environment may have been exposed, and should be revoked and rotated accordingly."
Version 1.82.6 is the last confirmed clean release. The attackers have already said they're not done. Take that at face value.