"The payload is a three-stage attack: a credential harvester sweeping SSH keys, cloud credentials, Kubernetes secrets, cryptocurrency wallets, and .env files; a Kubernetes lateral movement toolkit deploying privileged pods to every node; and a persistent systemd backdoor (sysmon.service) polling 'checkmarx[.]zone/raw' for additional binaries."
"In the case of 1.82.7, the malicious code is embedded in the 'litellm/proxy/proxy_server.py' file, with the injection performed during or after the wheel build process. The code is engineered to be executed at module import time."
"The next iteration of the package adds a 'more aggressive vector' by incorporating a malicious 'litellm_init.pth' at the wheel root, causing the logic to be executed automatically on every Python process startup in the environment."
TeamPCP has compromised the litellm Python package, releasing malicious versions 1.82.7 and 1.82.8. These versions contain a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor. The attack is structured in three stages, targeting sensitive data and deploying privileged pods. The malicious code is embedded in specific files, executing automatically upon import or startup. The payload exfiltrates data to a command-and-control domain. Both compromised versions have been removed from PyPI following their discovery by security vendors.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]