Sources
Datadog Security Labs: Full TeamPCP Supply Chain Campaign Analysis — Trivy → Checkmarx → LiteLLM, Five Ecosystems Compromised in One Month
Datadog published the definitive technical analysis of the TeamPCP supply chain campaign that chained through five ecosystems: Trivy (CVE-2026-33634, CVSS 9.4), Checkmarx KICS, and LiteLLM. Each attack's stolen credentials unlocked the next target. The LiteLLM payload used a novel .pth file technique (litellm_init.pth) that ran on every Python process — not just LiteLLM imports. Three-stage attack: credential harvesting, Kubernetes lateral movement with privileged pods, and persistent systemd backdoor polling checkmarx.zone for additional binaries.
↳ Follow the thread