1. Forum
  2. tqwNet
  3. TQW GENTECH

  • Top LLM PyPl package compromised to steal user details - here's w

    From TechnologyDaily@1337:1/100 to All on Wednesday, March 25, 2026 19:00:35
    Top LLM PyPl package compromised to steal user details - here's what we know

    Date:
    Wed, 25 Mar 2026 18:45:00 +0000

    Description:
    Aqua Securitys Trivy vulnerability scanner compromise is trickling down into
    a hugely popular Python package.

    FULL STORY ======================================================================Copy link Facebook X Whatsapp Reddit Pinterest Flipboard Threads Email Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Tech Radar Pro Are you a pro? Subscribe to our newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Contact me with news
    and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over. You are now subscribed Your newsletter sign-up was successful An account already exists for this email address, please log in. Subscribe to our newsletter Popular Python package LiteLLM compromised in supply chain attack Malicious updates (v1.82.7, v1.82.8) deployed TeamPCP Cloud Stealer infostealer Attack
    harvested cloud credentials, Kubernetes secrets, wallets; users urged to rotate tokens and revert to safe versions A hugely popular Python package called LiteLLM was compromised and used to deploy an infostealer malware to hundreds of thousands of devices.

    LiteLLM is a lightweight API layer that lets users call multiple AI models (like OpenAI, Anthropic, etc.) through one unified interface. It has more
    than 40,000 stars, and more than 30,000 commits. According to multiple security researchers, as well as the projects maintainers, threat actors calling themselves TeamPCP managed to break into the LiteLLM account and push two malicious updates: LiteLLM 1.82.7, and 1.82.8. Article continues below
    You may like Python libraries used in top AI and ML tools hacked - Nvidia, Salesforce and other libraries all at risk OpenClaw AI agents targeted by infostealer malware for the first time This 'ZombieAgent' zero click vulnerability allows for silent account takeover - here's what we know Stealing secrets The exact number of people who downloaded this update is not known (and will probably never be), but some sources claim it could be as
    many as 500,000.

    BleepingComputer reports the breach is a direct result of a previous compromise at Aqua Securitys Trivy vulnerability scanner, following similar attacks on Aqua Security Docker images, and the Checkmarx KICS project.

    Through the supply chain attack, TeamPCP distributed a custom-built infostealer called TeamPCP Cloud Stealer, as well as a persistence script. Security researchers at Endor Labs said the attack is split into three steps:

    "Once triggered, the payload runs a three-stage attack: it harvests credentials (SSH keys, cloud tokens, Kubernetes secrets, crypto wallets, and .env files), attempts lateral movement across Kubernetes clusters by
    deploying privileged pods to every node, and installs a persistent systemd backdoor that polls for additional binaries," explains Endor Labs. Are you a pro? Subscribe to our newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors By submitting
    your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

    "Exfiltrated data is encrypted and sent to an attacker-controlled domain."

    The infostealer also runs a system check, grabs cloud credentials for Amazon
    , Google , and Microsoft , and pulls TLS private keys and CI/CD secrets.

    If youve installed any of the poisoned versions, make sure to rotate all secrets, tokens, and credentials, as soon as possible, and monitor outbound traffic to known attacker domains. Also, make sure to revert either to versions 1.82.3, or 1.82.6. The best antivirus for all budgets Our top picks, based on real-world testing and comparisons

    Read our full guide to the best antivirus 1. Best overall: Bitdefender Total Security 2. Best for families: Norton 360 with LifeLock 3. Best for mobile: McAfee Mobile Security Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

    And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/top-llm-pypl-package-compromised-to-ste al-user-details-heres-what-we-know


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)