Skip to main content
Lab Grimoire
TW EN
Coffee
The Hidden Backdoor in Your AI Toolchain: A 2026 Supply Chain Attack Chronicle
AI Security

The Hidden Backdoor in Your AI Toolchain: A 2026 Supply Chain Attack Chronicle

On this page

Three hours. That's all the window a threat actor needed.

On March 24, 2026, a group called TeamPCP uploaded two tampered versions of litellm — a widely used Python package — to PyPI, the official Python package repository. By the time the malicious versions were isolated, they had been available for approximately three hours. In that window, an unknown number of pip install commands and CI/CD pipelines pulled down code designed to steal everything: API keys, cloud credentials, Slack tokens, cryptocurrency wallets.

If you use any AI development tooling, there's a non-trivial chance your environment was affected.


What litellm Is and Why It Matters

litellm is a unified interface layer that lets developers call Claude, GPT, Gemini, and other AI models with the same code. It's the kind of foundational plumbing that ends up as a dependency of a dependency — invisible until something goes wrong.

The tampered versions (1.82.7 and 1.82.8) did two things. The first version scanned the environment for API keys and credentials and exfiltrated them. The second went further: it installed a persistence mechanism that re-executed the malicious code every time Python started.

Version 1.82.6 and below, and 1.82.9 and above, are clean.


A Three-Step Attack Chain

TeamPCP Supply Chain Attack Timeline: Trivy → Checkmarx → litellm

TeamPCP's operation was carefully sequenced. The litellm compromise wasn't the beginning — it was the third step.

March 19: Aqua Security's Trivy — a security vulnerability scanner — was poisoned. The irony is almost poetic: compromise the tool people use to check for compromises.

March 21: Checkmarx's AST GitHub Actions (another security tool) was infected.

March 24: litellm.

The strategy is textbook: neutralize the defenses first, then go after the target. By the time litellm was compromised, many automated security checks in affected pipelines were already running tampered code.


The Structural Vulnerability of the AI Tool Ecosystem

This attack exposed something deeper than a single bad actor. The AI development ecosystem has a structural problem: dependency chains are deep, but security scrutiny is shallow.

Consider Memento-Skills, an autonomous-agent framework that attracted community attention. Its core functionality depends directly on litellm. The framework was first published on March 19, 2026 — the same day the TeamPCP attack chain began. Its initial install instruction was pip install -e . with no version pinning. Any user who installed during the attack window may have been compromised.

oh-my-claudecode, a Claude Code enhancement tool with 13,700+ GitHub Stars, doesn't depend on litellm — but its installation mechanism writes to ~/.claude/CLAUDE.md, the core configuration file for Claude Code. If that file is overwritten or tampered with, your AI assistant's behavior changes entirely. The related oh-my-opencode has been flagged by security researchers for prompt injection vulnerabilities that could allow unauthorized command execution.

And Claude Code itself was found to have two significant CVEs in 2025-2026: CVE-2025-59536, allowing arbitrary shell command execution when launched in untrusted directories, and CVE-2026-21852, enabling malicious repositories to make API requests before displaying trust prompts. The attack surface across the ecosystem is larger than most users assume.


Three Things You Can Do Right Now

Check your litellm version. Open a terminal and run pip show litellm. If the version is 1.82.7 or 1.82.8, your environment has been compromised. Upgrading the package is not sufficient — every API key and cloud credential that was accessible in that environment must be rotated. The safe versions are 1.82.6 and below, or 1.82.9 and above.

Audit your installation scripts. Any AI tool that writes to global configuration files (~/.claude/, ~/.config/) during installation deserves scrutiny before you run it. Be especially cautious of one-liner installations like curl | bash or npx skills add <something> — these execute remote code on your machine with whatever permissions your terminal has.

Pin your dependencies. In your requirements.txt or pyproject.toml, specify exact version numbers for every package. Avoid open-ended constraints like >=1.82.0. Apply the same discipline to your CI/CD pipelines — automated builds that automatically pull the latest version are exactly what supply chain attacks exploit.


The Permanent Tension Between Convenience and Security

The AI tool ecosystem is growing at a pace that security review simply cannot match. GitHub Stars accumulate over days; security audits take weeks. Memento-Skills gained 785 stars in 9 days with 3 commits and 1 contributor. oh-my-claudecode has 13,700 stars but no independent security audit of its hook injection mechanism.

Stars are social proof, not security proof. Download counts are not endorsements. Open source does not mean anyone has reviewed the code for you.

Every tool you install is a link in your trust chain. When one link breaks, the chain breaks. And three hours is more than enough time for that to happen.


References

  1. ReversingLabs — TeamPCP Supply Chain Attack Analysis. https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads
  2. Snyk — LiteLLM Backdoor Technical Analysis. https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/
  3. ARMO — LiteLLM Supply Chain Attack Full Breakdown. https://www.armosec.io/blog/litellm-supply-chain-attack-backdoor-analysis/
  4. OX Security — LiteLLM Malicious PyPI Versions. https://www.ox.security/blog/litellm-malware-malicious-pypi-versions-steal-cloud-and-crypto-credentials/
  5. Kaspersky — Trivy/Checkmarx/LiteLLM Trojanization. https://www.kaspersky.com/blog/critical-supply-chain-attack-trivy-litellm-checkmarx-teampcp/55510/
  6. The Hacker News — Claude Code RCE Flaws. https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html
  7. Lasso Security — Prompt Injection in Claude Code. https://www.lasso.security/blog/the-hidden-backdoor-in-claude-coding-assistant

Found this useful?

Follow for new AI × biomedical research notes:

Or buy me a coffee to keep new content coming.

☕ Buy Me a Coffee