Supply‑Chain Backdoor Inserted into LiteLLM via Compromised Trivy CI/CD
Researchers have identified that the threat actor group TeamPCP compromised the Trivy container‑image scanner used in the LiteLLM CI/CD pipeline. By injecting malicious code into the open‑source LiteLLM library during the build process, they created a persistent backdoor that activates whenever the library handles a Large Language Model request. The payload establishes a stealthy command‑and‑control channel, allowing attackers to execute arbitrary commands on any system that imports the tainted library.
The compromise directly affects any organization that installs LiteLLM from public repositories or builds it from source, because the backdoor is baked into the library itself and is difficult to detect at runtime. Defenders must treat this as a classic supply‑chain threat: verify the integrity of CI tools, enforce signed releases, monitor for unexpected network traffic from LLM workloads, and add provenance checks to their SBOM (software bill of materials) process. Early detection and strict supply‑chain hygiene are essential to prevent silent footholds in critical AI‑driven applications.
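The "monitor for unexpected network traffic from LLM workloads" recommendation, as an added example that is not part of the article: an LLM gateway such as LiteLLM legitimately talks to a known set of provider APIs, so any other destination from its process is worth an alert. The log format, the process name, the allowlist hosts and the sample lines below are all constructed for the example.

```python
# Added example (not from the article): flag outbound connections from an LLM
# gateway process to hosts outside an expected-provider allowlist.
from __future__ import annotations
import re
from dataclasses import dataclass

# Hypothetical allowlist: provider API hosts the gateway is expected to reach.
PROVIDER_ALLOWLIST = {"api.openai.com", "api.anthropic.com", "generativelanguage.googleapis.com"}

# Constructed log format: "<ts> proc=<name> pid=<n> dst=<host>:<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) dst=(?P<host>[^:\s]+):(?P<port>\d+)$")

@dataclass(frozen=True)
class Finding:
    ts: str
    proc: str
    pid: int
    host: str
    port: int

def host_allowed(host: str, allowlist: set[str]) -> bool:
    """Exact match or a subdomain of an allowlisted host (suffix match on a label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowlist)

def find_unexpected_egress(lines, allowlist=PROVIDER_ALLOWLIST, proc_prefix="litellm") -> list[Finding]:
    """Return connections made by the gateway process to hosts outside the allowlist."""
    findings: list[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the constructed format
        if not m["proc"].startswith(proc_prefix):
            continue  # only the LLM gateway process is in scope
        if host_allowed(m["host"], allowlist):
            continue
        findings.append(Finding(m["ts"], m["proc"], int(m["pid"]), m["host"], int(m["port"])))
    return findings

# Constructed sample: two legitimate provider calls, one raw-IP connection, one
# unrelated process, and one gateway connection to an unknown host.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z proc=litellm-proxy pid=4242 dst=api.openai.com:443
2024-01-01T10:00:01Z proc=litellm-proxy pid=4242 dst=api.anthropic.com:443
2024-01-01T10:00:02Z proc=litellm-proxy pid=4242 dst=203.0.113.7:8443
2024-01-01T10:00:03Z proc=nginx pid=17 dst=203.0.113.7:8443
2024-01-01T10:00:04Z proc=litellm-proxy pid=4242 dst=updates.example.net:80
""".splitlines()

if __name__ == "__main__":
    for f in find_unexpected_egress(SAMPLE_LOG):
        print(f"UNEXPECTED egress: {f.proc}[{f.pid}] -> {f.host}:{f.port} at {f.ts}")
```

Feed it real connection records from the host's network telemetry (in whatever format you normalise to) and tune the allowlist to the providers your deployment actually uses.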
Categories: Vulnerabilities & Exploits, AI Security & Threats, Threat Intelligence