| Artifact | SHA-256 |
|---|---|
| litellm 1.82.7 wheel | 8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2 |
| litellm 1.82.8 wheel | d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb |
Compromised proxy_server.py |
a0d229be8efcb2f9135e2ad55ba275b76ddcfeb55fa4370e0a522a5bdee0120b |
litellm_init.pth (1.82.8) |
71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238 |
litellm_init.pth (RECORD hash) |
ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg (base64url SHA-256, 34,628 bytes) |
| Type | Value | Notes |
|---|---|---|
| Exfiltration domain | models.litellm.cloud |
Receives encrypted credential archives via HTTPS POST |
| C2 domain | checkmarx.zone |
Persistence dropper polls for payloads |
| C2 endpoint | checkmarx.zone/raw |
Serves binary payload URLs |
| Official domain (NOT malicious) | litellm.ai |
For comparison - the real domain |
| Domain registrar | Spaceship, Inc. | litellm.cloud registered March 23, 2026 |
| Path | Description |
|---|---|
site-packages/litellm_init.pth |
Malicious .pth file (auto-executes on Python startup) |
~/.config/sysmon/sysmon.py |
Persistence backdoor |
~/.config/systemd/user/sysmon.service |
Systemd service for persistence |
/tmp/pglog |
Binary dropper target |
/tmp/.pg_state |
State tracking file (avoids re-download) |
/tmp/tpcp.tar.gz |
Encrypted exfiltration archive |
| Indicator | Value |
|---|---|
| Pod name pattern | node-setup-{node_name} |
| Namespace | kube-system |
| Image | alpine:latest |
| Flags | hostPID: true, hostNetwork: true, privileged: true |
| Account | Role |
|---|---|
krrishdholakia |
Compromised maintainer account used to publish malicious versions |
teampcp |
Attacker's PyPI account |
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvahaZDo8mucujrT15ry+...
4096-bit RSA key hardcoded in payload for encrypting exfiltrated data.
- POST requests to
https://models.litellm.cloud/withX-Filenameheader - Encrypted payloads using AES-256-CBC + RSA key wrapping (RSA-2048 per Security Boulevard, RSA-4096 per Endor Labs - discrepancy between sources)
- Queries to
169.254.169.254/latest/meta-data/iam/security-credentials/- steals IAM role temporary credentials from EC2 instances without IMDSv2 enforced
- 300-second startup delay (sandbox evasion)
- 3000-second (50 min) poll interval
- State file:
/tmp/.pg_state - Payload target:
/tmp/pglog - YouTube URL kill-switch (if C2 returns youtube.com URL, skip execution)
Cloud:
- AWS:
~/.aws/credentials,~/.aws/config, EC2 IMDS role credentials - GCP: application default credentials
- Azure:
~/.azure/directory
Kubernetes:
~/.kube/config/var/run/secrets/kubernetes.io/serviceaccount/token- All cluster secrets via API enumeration
Package managers & registries:
- npm:
~/.npmrc - Docker:
config.json(registry auth tokens)
Infrastructure-as-Code:
terraform.tfvars(variables, often contains secrets)terraform.tfstate(state file, contains plaintext resource attributes)
Databases:
.pgpass(PostgreSQL).my.cnf(MySQL)redis.conf(Redis).mongorc.js(MongoDB)
CI/CD configs:
- Jenkinsfile
.travis.yml.gitlab-ci.yml.drone.yml
System:
/etc/passwd,/etc/shadowprintenv(all environment variables)- SSH login history
Cryptocurrency wallets:
- Bitcoin, Ethereum keystores, Solana validator keypairs
- Cardano, Zcash, Ripple, Litecoin, Dogecoin
.env files:
- Recursive search to depth 6 across home directory and common project paths
TeamPCP linked to CanisterWorm actor via identical code signatures:
- Same file paths, poll intervals, startup delays
- Same YouTube kill-switch logic
- Same systemd persistence methods