The malware-samples/ directory contains the actual compromised litellm packages (versions 1.82.7 and 1.82.8) that were published to PyPI on March 24, 2026 by the threat actor TeamPCP.
These files are dangerous. If installed and executed, they will:
- Steal all credentials on the machine: SSH keys, AWS/GCP/Azure credentials, Kubernetes configs, database passwords, API keys, cryptocurrency wallets, .env files, shell history
- Encrypt and exfiltrate stolen data to attacker-controlled servers
- Deploy privileged Kubernetes pods on every node in any accessible cluster
- Install a persistent backdoor that polls a C2 server every 50 minutes
- Query EC2 IMDS to steal IAM role credentials and dump AWS Secrets Manager / SSM Parameter Store

- NEVER run pip install on these .whl files on any machine with real credentials
- NEVER run these files outside a disposable, isolated environment (fresh EC2 instance with no IAM role)
- NEVER extract and execute the Python files directly on your machine
- ALWAYS verify SHA-256 hashes before analysis (see malware-samples/README.md)
- ALWAYS destroy the analysis environment when done

- Extract .whl files using zipfile in Python (a .whl is a zip archive)
- Read the decoded payloads in malware-samples/decoded-stage*.py - these are plaintext Python, safe to read but not to execute
- Use the lab scripts in lab/scripts/ to set up an isolated EC2 environment

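
An added example (not code from this repository) of the verify-then-unpack steps above: it checks the SHA-256 before opening the archive, rejects member paths that escape the output directory, and writes every member out as an inert, renamed file. The function names, the size cap and the demo wheel are assumptions made for illustration; the archive built here is a constructed, harmless stand-in, and in real use the expected hash comes from malware-samples/README.md.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap on a member's declared size

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def safe_extract(whl_path, expected_sha256, dest):
    """Verify the hash, then unpack members as inert files. Nothing is imported or run."""
    actual = sha256_file(whl_path)
    if actual != expected_sha256.strip().lower():
        raise ValueError(f"SHA-256 mismatch, refusing to unpack: {actual}")
    dest = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(whl_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = (dest / info.filename).resolve()
            if dest not in target.parents:
                raise ValueError(f"member escapes dest: {info.filename}")
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"member too large: {info.filename}")
            # Extra suffix keeps .py/.pth files from being imported or run by accident.
            out = target.with_name(target.name + ".sample")
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(zf.read(info))
            written.append(out.relative_to(dest).as_posix())
    return written

def build_constructed_wheel(path):
    """Constructed, harmless stand-in for a sample; NOT one of the real packages."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("demo_pkg/__init__.py", "# constructed placeholder\n")
        zf.writestr("demo_pkg-0.0.0.dist-info/METADATA", "Name: demo-pkg\n")
    return sha256_file(path)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        whl = Path(tmp) / "demo_pkg-0.0.0-py3-none-any.whl"
        expected = build_constructed_wheel(whl)  # real use: hash from malware-samples/README.md
        print(safe_extract(whl, expected, Path(tmp) / "out"))
```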
This repository is published for educational and defensive security purposes only. The malware samples are provided to enable security researchers, incident responders, and defenders to understand the attack, develop detection rules, and learn about supply chain attack vectors.
The authors are not responsible for any misuse of the materials in this repository. By accessing these files, you agree to use them only for lawful, defensive, and educational purposes.