How SentinelOne’s AI EDR Autonomously Discovered and Stopped Anthropic’s Claude from Executing a Zero Day Supply Chain Attack, Globally

Dev.to / 4/2/2026


Key Points

  • The report describes a zero-day-style supply chain compromise of LiteLLM (a proxy layer for LLM API calls) detected on March 24, 2026, with attacker infrastructure tied to “TeamPCP.”
  • The attackers obtained PyPI credentials by first compromising the Trivy security scanner, then distributed malicious LiteLLM package versions to target developers and AI infrastructure.
  • Malicious code execution spread both through conventional manual installs and autonomously via AI coding assistants such as Claude Code running with unrestricted permissions.
  • The multi-stage payload focused on data theft (including cryptocurrency wallets and cloud credentials), established persistence using systemd services, and attempted Kubernetes lateral movement by creating privileged pods.
  • SentinelOne’s Singularity Platform blocked the threat across customer environments using autonomous, behavioral analysis of Python process patterns rather than static signatures, highlighting the need to defend against high-speed attacks enabled by over-privileged AI agents.

This report details a sophisticated supply chain compromise of LiteLLM, a popular proxy layer for LLM API calls, detected on March 24, 2026. The attack was initiated by an actor known as TeamPCP, who first compromised the Trivy security scanner to obtain PyPI credentials for LiteLLM. With those credentials, malicious versions of the package were distributed, targeting developers and AI infrastructure. Notably, the infection spread both through traditional manual installs and autonomously via AI coding assistants like Claude Code running with unrestricted permissions.

The technical execution involved multi-stage payloads designed for data theft, including cryptocurrency wallets and cloud credentials. The malware established persistence using systemd services and attempted lateral movement within Kubernetes environments by creating privileged pods. SentinelOne’s Singularity Platform identified and blocked the threat autonomously across various customer environments by analyzing the behavioral patterns of the malicious Python processes rather than relying on static signatures.
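As an added illustration of behavior-based detection (not SentinelOne's logic and not code from the report), the sketch below correlates events by process lineage and flags a Python-rooted process tree that shows two or more of the behaviors named above. The event schema, file paths, package name, and threshold are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (hypothetical schema): one dict per process event.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "/usr/bin/python3", "action": "exec", "target": "pip install example-pkg"},
    {"pid": 101, "ppid": 100, "image": "/usr/bin/python3", "action": "file_read", "target": "/home/dev/.aws/credentials"},
    {"pid": 101, "ppid": 100, "image": "/usr/bin/python3", "action": "file_write", "target": "/home/dev/.config/systemd/user/example.service"},
    {"pid": 102, "ppid": 101, "image": "/usr/local/bin/kubectl", "action": "k8s_create_pod", "target": {"privileged": True}},
    {"pid": 200, "ppid": 1, "image": "/usr/bin/python3", "action": "file_read", "target": "/home/dev/project/settings.py"},
    {"pid": 300, "ppid": 1, "image": "/usr/bin/apt", "action": "file_write", "target": "/etc/systemd/system/nginx.service"},
]
PYTHON = re.compile(r"/python[0-9.]*$")
UNIT = re.compile(r"/systemd/(system|user)/[^/]+\.service$")
CREDS = re.compile(r"/\.(aws/credentials|kube/config)$")

def classify(ev):
    """Map one event to a behavior label, or None if it matches no rule."""
    action, target = ev["action"], ev["target"]
    if action == "file_write" and UNIT.search(target):
        return "systemd_persistence"
    if action == "file_read" and CREDS.search(target):
        return "credential_access"
    if action == "k8s_create_pod" and target.get("privileged"):
        return "privileged_pod"
    return None

def python_root(pid, parents, images):
    """Return the topmost Python ancestor of pid (itself included), or None."""
    root, visited = None, set()
    while pid in images and pid not in visited:
        visited.add(pid)
        if PYTHON.search(images[pid]):
            root = pid
        pid = parents.get(pid)
    return root

def detect(events, threshold=2):
    """Return {root_pid: [behaviors]} for Python trees with >= threshold behaviors."""
    parents = {e["pid"]: e["ppid"] for e in events}
    images = {e["pid"]: e["image"] for e in events}
    hits = defaultdict(set)
    for e in events:
        label, root = classify(e), python_root(e["pid"], parents, images)
        if label and root is not None:
            hits[root].add(label)
    return {r: sorted(b) for r, b in hits.items() if len(b) >= threshold}

if __name__ == "__main__":
    print(detect(EVENTS))
```

The package manager writing a unit file (pid 300) and the Python process reading project files (pid 200) are not flagged, because neither combines a Python lineage with the correlated behaviors.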

This incident highlights a critical new attack surface: AI agents with excessive system permissions that can unknowingly facilitate supply chain attacks at machine speed. The speed of the attack underscores the necessity of behavior-based autonomous defense to close the gap between exploit velocity and human-driven investigation capacity.
