
The Python That Wraps Around Your Infrastructure

  • Javier Conejo del Cerro
  • Mar 25
  • 3 min read

TeamPCP has escalated its supply chain campaign by compromising LiteLLM, a widely used Python package present in a significant portion of cloud environments. By abusing CI/CD workflows (notably Trivy), attackers injected malicious code into versions 1.82.7 and 1.82.8, transforming a trusted dependency into a multi-stage attack vector. Like a python, the malware does not strike immediately—it wraps, tightens, and expands, silently taking control of its environment.


Phase 1: Initial Access — The Hidden Bite 


The compromise originates in the CI/CD pipeline, where attackers leverage dependencies such as Trivy to inject malicious code during or after the build process.

Version 1.82.7 embeds the payload within a core file (proxy_server.py), ensuring execution at import time. This means any application importing LiteLLM triggers the malicious logic without user interaction.

The attack evolves in version 1.82.8, introducing a .pth file placed in site-packages, forcing execution at every Python interpreter startup. This drastically increases the attack surface, as any Python process in the environment becomes a trigger.


Phase 2: Execution & Expansion — The Coil Tightens 


Once activated, the payload launches a staged downloader chain. It checks for required dependencies (e.g., Node.js-like execution patterns via Python subprocesses) and spawns background processes to maintain stealth.

The malware communicates with command-and-control infrastructure, retrieving additional payloads dynamically. Execution is detached and persistent, allowing it to run silently without disrupting normal operations.

This stage ensures the malware is fully embedded within the environment, preparing for large-scale data collection and movement.


Phase 3: Data Harvesting & Lateral Movement 


The core payload acts as an orchestrator, deploying:

  • Credential Harvester: Extracts SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and environment variables (.env).

  • Kubernetes Lateral Toolkit: Uses service account tokens to enumerate cluster nodes and deploy privileged pods across all nodes. These pods access host file systems and propagate the attack.

Collected data is compressed into encrypted archives and exfiltrated to attacker-controlled domains via HTTPS, enabling further compromises.


Phase 4: Persistence & Ecosystem Spread 


To maintain control, the malware installs a systemd-based backdoor (sysmon.service) that periodically contacts attacker infrastructure for new payloads.

Persistence is reinforced across every node in Kubernetes clusters, ensuring resilience even if individual components are removed.

This campaign is not isolated—it spans multiple ecosystems (GitHub Actions, npm, Docker Hub, PyPI), creating a cascading “snowball effect” where each compromise feeds the next.

The collaboration with groups like LAPSUS$ further amplifies its impact, blending supply chain attacks with extortion-driven operations.


Measures to Fend Off the Attack


  • Immediately remove LiteLLM versions 1.82.7 and 1.82.8

  • Rotate all credentials present in affected environments

  • Isolate compromised systems and audit for unauthorized changes

  • Inspect Kubernetes clusters for rogue or privileged pods

  • Monitor outbound traffic to suspicious domains (e.g., attacker C2 endpoints)

  • Remove persistence mechanisms such as rogue systemd services

  • Audit CI/CD pipelines and dependencies used during compromise windows

  • Implement strict supply chain security controls and dependency verification

  • Monitor machine identities and access scopes to limit lateral movement
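
As an added example (not code from the original article or from the LiteLLM project), the script below triages a host for three artifacts described above: the two named LiteLLM versions, .pth files that execute code at interpreter startup, and a unit file named sysmon.service. The function names are hypothetical, and the systemd directories are the standard unit search paths, assumed here because the article gives no path.

```python
import re
import sys
import sysconfig
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}   # versions named in this article
UNIT_NAME = "sysmon.service"          # unit name given in this article
# Assumption: standard systemd unit search paths; the article gives no path.
UNIT_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system",
             "/lib/systemd/system", str(Path.home() / ".config/systemd/user")]
DIST_RE = re.compile(r"^litellm-(?P<ver>[^-]+)\.dist-info$", re.IGNORECASE)


def scan_site_packages(site_dir):
    """Return (kind, path, detail) findings for one site-packages directory."""
    findings = []
    site_dir = Path(site_dir)
    if not site_dir.is_dir():
        return findings
    for entry in sorted(site_dir.iterdir()):
        m = DIST_RE.match(entry.name)
        if m and m.group("ver") in BAD_VERSIONS:
            findings.append(("bad-version", str(entry), m.group("ver")))
        if entry.suffix == ".pth" and entry.is_file():
            # site.py executes any .pth line that starts with "import" plus a
            # space or tab at every interpreter startup. Legitimate tools use
            # this too, so each hit is a line to review, not proof of compromise.
            text = entry.read_text(errors="replace")
            for n, line in enumerate(text.splitlines(), 1):
                if line.startswith(("import ", "import\t")):
                    findings.append(("pth-exec", f"{entry}:{n}", line[:120]))
    return findings


def scan_systemd(unit_dirs=UNIT_DIRS, unit_name=UNIT_NAME):
    """Return findings for unit files carrying the name given in the article."""
    return [("systemd-unit", str(Path(d) / unit_name), unit_name)
            for d in unit_dirs if (Path(d) / unit_name).is_file()]


if __name__ == "__main__":
    # Pass site-packages directories as arguments; default is this interpreter's.
    dirs = sys.argv[1:] or [sysconfig.get_paths()["purelib"]]
    results = [f for d in dirs for f in scan_site_packages(d)] + scan_systemd()
    for kind, path, detail in results:
        print(f"{kind}\t{path}\t{detail}")
    print(f"{len(results)} finding(s) to review")
```

Run it once per virtual environment and container image layer, since each has its own site-packages directory.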


Conclusions


This campaign underscores a dangerous evolution in supply chain attacks: the ability to weaponize trust at scale. By compromising widely used packages like LiteLLM, attackers gain access not just to individual systems, but to entire ecosystems.

The shift from isolated breaches to cascading compromises highlights a systemic risk. Each infected environment becomes a stepping stone, enabling attackers to expand horizontally across infrastructure, credentials, and organizations.


The python metaphor is not accidental. This malware does not rely on speed—it relies on control. It wraps around systems, extracts value, and moves silently until the entire environment is compromised.


In modern cloud-native architectures, where dependencies are deeply interconnected, the line between development convenience and systemic risk is thinner than ever.

This is not just a package compromise. It is a warning: in the software supply chain, a single trusted dependency can become the entry point to everything.



The Hacker News


 
 
 
