Rule Info
Name
TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack.
In March 2026, a supply chain attack against the popular open-source LLM framework LiteLLM, attributed to the threat actor TeamPCP, was discovered.
The malicious PyPI package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
Date
2026-03-30 00:00:00
Modified
None
Id
81c0b7f5-81c9-435e-a291-bc32fc2b72cd
Tags
attack.persistence attack.privilege-escalation attack.t1543.002 attack.initial-access attack.t1195.002 detection.emerging-threats
Type
Community Rule
Link to Public Repo
Rule History
Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5923 from @swachchhanda000 - Add litellm Supply Chain Attack Related Rules
Date
2026-04-01
Commit
