Attackers tracked as TeamPCP compromised a scanner tool and used it to steal LiteLLM's PyPI publishing tokens, then pushed two malicious releases of the widely used LLM gateway library. The payload harvested SSH keys, cloud credentials, Kubernetes tokens, and API keys, encrypted them, and beaconed to attacker infrastructure while installing a backdoor. Because LiteLLM brokers calls to 100+ providers, it sits atop credentials across agent frameworks, MCP servers, and CI pipelines.
Versions 1.82.7 and 1.82.8 were live on PyPI for roughly 40 minutes on 2026-03-24, exposing developer machines, CI/CD systems, and production inference infrastructure to credential theft.
Scoped, short-lifetime publishing tokens plus trusted-publisher signing would have prevented a compromised CI dependency from pushing backdoored releases.
Guardion enforces policy on every agent action inline — with visibility, tamper-evident evidence, and DLP for agents and MCPs.
Request a demo