LiteLLM / TeamPCP Supply Chain Attack Indicators

Rule Info

Name
LiteLLM / TeamPCP Supply Chain Attack Indicators
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects process executions associated with the backdoored LiteLLM releases (v1.82.7 and v1.82.8). In March 2026, a supply chain attack by the threat actor TeamPCP was discovered against the popular open-source LLM framework LiteLLM. The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
Date
2026-03-30 00:00:00
Modified
None
Id
36603778-030c-43c4-8cbb-cd3c1d1a80c7
Tags
attack.initial-access attack.t1195.002 attack.collection attack.t1560.001 attack.persistence attack.privilege-escalation attack.t1543.002 detection.emerging-threats
Type
Community Rule
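The rule's own selection logic is not reproduced on this page, so the matching is on process execution as the description states. The example below is added here for triage and is neither the Sigma rule's logic nor code from the LiteLLM project: it flags the two releases the description names, 1.82.7 and 1.82.8, in pip requirement or `pip freeze` output and in the running interpreter. It assumes those two versions are the complete set of backdoored releases and that pin files use pip requirements syntax; the sample requirements list is constructed for the example.

```python
"""Triage helper: flag the LiteLLM releases named in the rule (1.82.7 and 1.82.8)
in pip requirement / freeze output and in the running interpreter.

Added example for this page; it is not the Sigma rule's logic and not LiteLLM code.
Assumption: the two versions below are the complete set of backdoored releases.
"""
import re
import sys
from importlib import metadata

BACKDOORED_VERSIONS = frozenset({"1.82.7", "1.82.8"})

# One requirement line: project name (pip normalises case), optional extras,
# a PEP 440 operator and the version; markers/comments after it are ignored.
_PIN_RE = re.compile(
    r"^\s*litellm(?:\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|>=|<=|!=|>|<)\s*"
    r"(?P<ver>v?[0-9][0-9A-Za-z.+\-]*)",
    re.IGNORECASE,
)

# Constructed sample pin list, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
openai==1.50.0
litellm[proxy]==1.82.7
LiteLLM == 1.82.8 ; python_version >= "3.10"
litellm>=1.82.0
litellm==1.82.6
"""


def normalize_version(version: str) -> str:
    """'v1.82.7' and ' 1.82.7 ' both become '1.82.7'."""
    v = version.strip()
    return v[1:] if v[:1] in ("v", "V") else v


def is_backdoored_version(version: str) -> bool:
    """Exact membership test; '1.82.70' or '1.82.9' must not match."""
    return normalize_version(version) in BACKDOORED_VERSIONS


def scan_requirements(text: str) -> list[dict]:
    """Return one finding per litellm line.

    Exact pins ('==' / '===') are classified 'backdoored' or 'clean'. Any other
    operator is a range, so the file alone cannot tell which release was
    installed: it is reported as 'unpinned' and the resolved environment
    (check_installed or `pip freeze`) must be checked instead.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _PIN_RE.match(line)
        if not m:
            continue
        op, ver = m.group("op"), m.group("ver")
        if op in ("==", "==="):
            status = "backdoored" if is_backdoored_version(ver) else "clean"
            findings.append({"line": lineno, "version": normalize_version(ver), "status": status})
        else:
            findings.append({"line": lineno, "version": f"{op}{ver}", "status": "unpinned"})
    return findings


def check_installed() -> dict:
    """Look litellm up in the current interpreter's installed distributions."""
    try:
        ver = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return {"installed": False, "version": None, "backdoored": False}
    return {"installed": True, "version": ver, "backdoored": is_backdoored_version(ver)}


def main(argv: list[str]) -> int:
    """Usage: python check_litellm.py [requirements.txt ...]; exit 1 on a hit."""
    hit = False
    for path in argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for f in scan_requirements(fh.read()):
                print(f"{path}:{f['line']}: litellm {f['version']} -> {f['status']}")
                hit |= f["status"] == "backdoored"
    env = check_installed()
    state = "backdoored" if env["backdoored"] else "clean" if env["installed"] else "not installed"
    print(f"interpreter: litellm {env['version']} -> {state}")
    return 1 if (hit or env["backdoored"]) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Range specifiers are deliberately not resolved: a `>=` pin tells you nothing about which wheel pip actually fetched, so the script reports them as `unpinned` and the interpreter check (or a `pip freeze` capture from the affected host) is the authoritative answer. A clean pin file on a host where the package was already imported is still a finding for the rule's process-level detections, not a reason to close the case.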

Rule History

Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5923 from @swachchhanda000 - Add litellm Supply Chain Attack Related Rules
Date
2026-04-01
Commit