A new day brings a new scale to the compromise. In the latest development in the ongoing supply chain attack conducted by TeamPCP, the attack has spread to the PyPI ecosystem. The new victim is the LiteLLM package. LiteLLM is an open-source Python library and proxy server that provides a unified interface for calling more than 100 large language model (LLM) APIs, including OpenAI, Anthropic, Bedrock, and VertexAI, using a single, standardized format.
LiteLLM simplifies multi-LLM integration, offering automatic fallbacks, retries, and cost tracking across providers. LiteLLM’s PyPI package has about 480 million downloads, making it a very valuable target. A quick reaction from the PyPI security team moved the affected project into quarantine, reducing the potential impact.
The compromise affects versions 1.82.7 and 1.82.8. The delivered payload is almost identical to the ones described in the earlier blogs explaining the Trivy and Checkmarx compromises: an infostealer designed to steal a very broad list of secrets from hardcoded file paths and from the memory of processes selected by name. The C2 domain in this case is models[.]litellm.cloud, but the checkmarx[.]zone domain can still be found in the code responsible for persistence.
The compromise of the PyPI package was likely caused by the initial compromise of a GitHub account belonging to the co-founder and CEO of LiteLLM, Krish Dholakia. The compromise was likely performed on March 23 and on March 24, when the owners of the GitHub repositories were defaced in an automated way at about 14:00 UTC.
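To check a project against the two affected releases, the following added example (not code from ReversingLabs or LiteLLM) classifies requirements.txt or `pip freeze` lines; the sample lines are constructed, and floating ranges are reported separately because only the lock file or the installed environment shows which version they resolved to.

```python
import re

# Compromised releases as named in the article.
AFFECTED = {"litellm": {"1.82.7", "1.82.8"}}
# Distribution name, optional [extras], then the version specifier.
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")


def normalize(name):
    """PEP 503 normalisation: lower case, runs of '-', '_', '.' collapse."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify(line):
    """Return None (not a tracked package), 'affected' (exact pin to a
    compromised release), 'unpinned' (range, wildcard or bare name) or 'ok'."""
    line = re.sub(r"(^|\s)#.*$", "", line)                 # trailing comment
    line = line.split(";", 1)[0]                           # environment marker
    line = re.split(r"\s--", line, maxsplit=1)[0].strip()  # --hash=... options
    m = _REQ.match(line)
    name = normalize(m.group(1)) if m else None
    if name not in AFFECTED:
        return None
    # Only '==X' / '===X' without a wildcard counts as an exact pin.
    pin = re.fullmatch(r"===?\s*([^\s,*]+)", m.group(2).strip())
    if not pin:
        return "unpinned"
    return "affected" if pin.group(1) in AFFECTED[name] else "ok"


def scan(text):
    """Return [(line_number, status, raw_line)] for affected or unpinned entries."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        status = classify(raw)
        if status in ("affected", "unpinned"):
            hits.append((n, status, raw.strip()))
    return hits


# Constructed sample lines, not taken from any real project.
SAMPLE = """\
# constructed requirements lines
requests==2.32.3
LiteLLM[proxy]==1.82.8 ; python_version >= "3.9"
litellm==1.82.6
litellm>=1.80  # floating range
litellm==1.82.7 --hash=sha256:<placeholder>
"""
print(scan(SAMPLE))
```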
Images: LiteLLM co-founder and CEO Krish Dholakia's GitHub profile, and the timestamp showing the automated defacing of the LiteLLM repo on GitHub.
On Monday, ReversingLabs researchers identified two compromised software packages intended for use by developers that contained malicious code designed to find and steal sensitive developer secrets, tokens and crypto wallet information.
The Checkmarx software plugins, checkmarx.ast-results version 2.53 and checkmarx.cx-dev-assist version 1.7.0, were both published to the Open VSX Registry on March 23, and are designed for use with VS Code and other VS Code compatible integrated development environments (IDEs) like Cursor, Windsurf and Kiro.
Checkmarx is a widely used application security testing (AST) platform. The Open VSX Registry is a vendor-neutral, open-source alternative to the official Microsoft Visual Studio Marketplace. Hosted by the Eclipse Foundation, it is a repository for VS Code extensions that is used by platforms like VSCodium, Cursor, and Eclipse Theia, allowing developers to access, share, and manage code extensions without being bound by Microsoft’s license restrictions. Neither of the malicious packages was published to the VS Code Marketplace.
The ast-results package, which has been downloaded about 36,000 times, provides developers with access to the Checkmarx One platform directly from their IDE, running scans from the IDE prior to code commits and providing recommendations on vulnerability remediation.
The cx-dev-assist package, which has been installed about 500 times, is described as an “advanced security agent” used for real-time context-aware detection, remediation, and guidance to developers from within the IDE. It includes a feature called the “AI Secure Coding Assistant (ASCA),” described as an AI-powered tool that lets developers identify violations of secure coding best practices in their code.
On Monday, the RL research team detected malicious code in the most recent versions of both packages. Analysis indicated that the code was added to search for developer secrets stored on cloud assets, and to download a malicious payload from an attacker-controlled server.
Images: Malicious code is added to search for cloud secrets and download a malicious payload from the C2 server checkmarx[.]zone. The downloaded payload steals secrets, tokens, and wallet information and exfiltrates them to checkmarx[.]zone/vsx.
The Checkmarx packages were compromised as part of the campaign conducted by TeamPCP. The threat actors initially compromised Aqua Security’s Trivy scanner and related GitHub Actions, and the campaign has since spread to Checkmarx tools, including the KICS GitHub Action and the Checkmarx OpenVSX extensions.
These incidents follow the compromise of another supply chain security tool, the Xygeni GitHub Action, earlier this month. Threat researchers have not made any direct connection between the Xygeni compromise and the latest attacks on Trivy and Checkmarx, but the techniques and targets indicate that they could be related. In all three cases, the compromise was made using stolen credentials. How the credentials were stolen remains a mystery.
Once compromised, commits containing malicious code are created and the release tags are pointed to those commits. As of late Monday night, both malicious packages were still available for download on the Open VSX Registry.
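Because a repointed release tag silently changes what a workflow runs, references pinned to a full commit SHA are the ones that do not move. The added example below (not from the original article; the `example-org` action names and the workflow are constructed) audits the `uses:` lines of a GitHub Actions workflow and separates SHA-pinned references from tag or branch references.

```python
import re

# `uses: owner/repo[/path]@ref` on a workflow step or job line.
_USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
_FULL_SHA = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text):
    """Return [(line_number, action, ref, verdict)] for each `uses:` line.

    verdict: 'pinned' (full 40-hex commit SHA), 'mutable' (tag, branch or
    short SHA that can be repointed), 'local' or 'docker' (not a git ref).
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _USES.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./"):
            findings.append((n, target, None, "local"))
        elif target.startswith("docker://"):
            findings.append((n, target, None, "docker"))
        else:
            action, _, ref = target.partition("@")
            verdict = "pinned" if _FULL_SHA.fullmatch(ref) else "mutable"
            findings.append((n, action, ref, verdict))
    return findings


# Constructed workflow; the example-org actions are hypothetical.
WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - name: scan
        uses: example-org/scanner-action/sub@main
      - uses: ./.github/actions/report
"""

if __name__ == "__main__":
    for finding in audit_workflow(WORKFLOW):
        print(finding)
```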