Top 5 · 2026-03-25 · source-backed
TeamPCP Goes Multi-Ecosystem: CanisterWorm Hits npm, LAPSUS$ Collaboration Surfaces, and a Bug in the Attacker's Own Code Was the Only Thing That Caught It
Story
A month ago, TeamPCP compromised Trivy's GitHub Actions runners. Then they trojanized LiteLLM on PyPI. Now Wiz Research confirms they've expanded to npm via a worm called CanisterWorm, using stolen publish tokens to push malicious packages across JavaScript's package ecosystem. Datadog Security Labs, Snyk, and Sonatype are all tracking the campaign independently. Reports indicate the group is collaborating with LAPSUS$ on extortion operations.
Let's talk about the LiteLLM numbers, because Simon Willison actually quantified the blast radius. During the roughly 46-minute window the backdoored packages (litellm 1.82.7 and 1.82.8) were live on PyPI before quarantine, there were 47,000 downloads. The malicious .pth file executed automatically on every Python process startup, silently POSTing SSH keys, cloud credentials, crypto wallets, and CI/CD secrets to a fake litellm.cloud domain. LiteLLM gets 3.4 million daily downloads. Forty-six minutes was enough.
Andrej Karpathy called it "software horror" in a post that hit 13,382 likes and 2.9 million views. His point was about cascading dependencies: over 2,000 commonly used AI tools including DSPy, MLflow, and Open Interpreter depend on LiteLLM. The attack was only discovered because the attacker's own code had a bug that crashed a developer's machine when an MCP plugin in Cursor pulled LiteLLM as a transitive dependency.
Read that again. The detection mechanism was the attacker's incompetence.
Microsoft published a full defensive playbook on March 24 covering how to detect compromised GitHub Actions runners, audit CI/CD secret exposure, and identify TeamPCP's credential-harvesting techniques. This is the first major vendor defense guide for the campaign.
What builders should do right now: enable package cooldowns. Willison documented that seven major package managers now support this. pnpm, Yarn, Bun, Deno, uv, pip, and npm all let you block fresh releases for a configurable window. I've set mine to 72 hours. You lose the ability to install a package that was published today. You gain protection against every supply chain attack that gets caught within three days. That's a trade I'll make every time.
This is no longer an isolated incident. It's a coordinated, multi-ecosystem campaign targeting the AI development toolchain specifically. The attacker is getting better. The toolchain needs to catch up.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Same source / Shared topic / Earlier coverage
LiteLLM Got Backdoored. The Attack Vector? Their Own Security Scanner.
Both cover LiteLLM, March, PyPI, Python; cite the same source (Willison documented that seven major package managers); overlapping topics (action, attack, cloud, litellm, maliciou).
Shared entities / Shared topic / What happened next
Mercor Confirms 4TB Breach via LiteLLM Supply Chain Attack. If You Use LiteLLM, Check Your Versions Now.
Both cover GitHub Actions, Lapsus, LiteLLM, PyPI; overlapping topics (action, attack, attacker, cloud, compromised); picks up the GitHub Actions thread on 2026-04-01.
Shared entities / Same source domain / Shared topic / What happened next
The Security Scanner Was the Attack Vector. 10,000 CI/CD Workflows Compromised.
Both cover GitHub Actions, LiteLLM, March, MCP; reported by the same outlet (simonwillison.net); overlapping topics (action, attack, attacker, dependency).
Shared entities / Shared topic / What happened next
CISA Confirms: Your AI Security Scanner Got Backdoored. Federal Deadline Is April 8.
Both cover GitHub Actions, LiteLLM, March, PyPI; overlapping topics (action, attack, attacker, code, litellm); picks up the GitHub Actions thread on 2026-03-28.
Google's Agent Development Kit Had an Unpinned LiteLLM Dependency During an Active Supply Chain Compromise
Both cover During, LiteLLM, March, PyPI; overlapping topics (attack, dependency, litellm); picks up the During thread on 2026-03-30.
Shared entities / Same source domain / Shared topic / What happened next
North Korea Backdoored Axios. 100 Million Weekly Downloads, 3 Hours of Exposure, and a RAT on Every Platform.
Both cover GitHub Actions, LiteLLM, Microsoft, PyPI; reported by the same outlet (microsoft.com); overlapping topics (action, attack, dependency, maliciou).
Shared entities / Same source domain / What happened next / Tension
Vibe Porting Is Real Now. Three Independent Case Studies Prove It.
Both cover JavaScript, Python, Simon Willison, Willison; reported by the same outlet (simonwillison.net); picks up the JavaScript thread on 2026-03-28.
Shared entities / What happened next
The MCP supply chain has a hole in the floor, and it's being exploited right now
Both cover DSPy, LiteLLM, MCP, Microsoft; picks up the DSPy thread on 2026-06-17.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — March 25, 2026
- AI generated
- no
- Story unit
- 2026-03-25-teampcp-goes-multi-ecosystem-canisterworm-hits-npm-lapsus-collaboration-surfaces-and-a-bug-in-th
- Labels
- source-backed, canonical briefing excerpt