Cyber Threat Brief — March 25 2026
⚠️ This report is AI-generated. Always validate findings.
Previous brief: Cyber Threat Brief — March 24 2026
Threat count: 1 new threat, 2 status updates
1. TeamPCP Backdoors LiteLLM PyPI Package — Supply Chain
TL;DR: Threat actor TeamPCP published backdoored litellm versions 1.82.7–1.82.8 to PyPI on March 24, using maintainer credentials stolen through a trojanized Trivy GitHub Action in the project's CI/CD pipeline; the payload harvests SSH keys, cloud credentials, crypto wallets and .env files, deploys privileged K8s pods for lateral movement, and installs a persistent systemd backdoor that beacons to checkmarx[.]zone.
What’s New:
- TeamPCP pivoted from its prior Trivy/KICS compromises to poison litellm (95M+ monthly PyPI downloads) by stealing maintainer credentials through a trojanized trivy-action GitHub Action tag (v0.69.4)
- Malicious code in litellm/proxy/proxy_server.py uses triple-nested Base64 obfuscation and .pth auto-loading for persistence, so it survives pip uninstall
- Three-stage payload: (1) credential harvester sweeps ~/.ssh, ~/.aws, ~/.kube, crypto wallets and .env files; (2) K8s lateral movement deploys privileged node-setup-* pods in kube-system onto every node; (3) systemd backdoor disguised as "System Telemetry Service" polls C2 every 50 minutes
- Malicious versions were live ~3 hours before PyPI quarantine; last safe version is 1.82.6
- Shared C2 infrastructure (checkmarx[.]zone) and identical persistence (sysmon.py/sysmon.service) link this to the Trivy/KICS campaign
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| models.litellm[.]cloud | C2 domain | T1071.001 | DNS / proxy logs | Block at DNS and web proxy |
| checkmarx[.]zone | C2 domain | T1071.001 | DNS / proxy logs | Block at DNS and web proxy |
| checkmarx[.]zone/raw | C2 beacon URL | T1102 | Proxy / NGFW | Block and hunt for 50-min beacon interval |
| ~/.config/sysmon/sysmon.py | Persistence dropper | T1546.016 | EDR / file integrity | Hunt across all hosts running litellm |
| ~/.config/systemd/user/sysmon.service ("System Telemetry Service") | Persistence unit | T1543.002 | `systemctl --user list-units` / EDR | Hunt and remove |
| litellm_init.pth in site-packages | .pth persistence | T1546.016 | File integrity / pip audit | Survives uninstall; check all Python envs |
| /tmp/pglog, /tmp/.pg_state | Staging files | T1074.001 | EDR / file telemetry | Hunt for these temp files |
| node-setup-* privileged pods in kube-system | K8s lateral movement | T1610 | K8s audit logs / `kubectl get pods -n kube-system \| grep node-setup` | Delete rogue privileged pods |
| litellm==1.82.7 or litellm==1.82.8 | Malicious package versions | T1195.002 | pip list / SBOM | Pin to ≤1.82.6 or ≥1.82.9; audit all deployments |
| /root/.config/sysmon/ | Persistence directory | T1543.002 | EDR / file integrity | Hunt on all nodes |
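The host-side checks in the table above, collected into one POSIX shell hunt that a responder can run per host. This is an added example, not tooling from any of the cited vendors or from the litellm project: the paths, version numbers and the "System Telemetry Service" description come from this brief; the function names and the HUNT_TMPDIR variable are our own. It walks the filesystem for litellm dist-info directories rather than trusting `pip list`, because a backdoored copy may sit in a venv, conda env or ~/.local that the default interpreter never sees, and the .pth loader outlives `pip uninstall`.

```shell
#!/bin/sh
# hunt_litellm.sh: host-side hunt for the TeamPCP/litellm IOCs in the table above.
# Added example, not vendor or project tooling. Paths, version numbers and the
# unit description come from this brief; function names and HUNT_TMPDIR are ours.
# Usage: . ./hunt_litellm.sh && hunt_host /root /home/* /opt/venvs

set -u

# True for the two backdoored releases named in the brief.
litellm_version_is_malicious() {
    case "$1" in
        1.82.7|1.82.8) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print "<version> <dist-info dir>" for each malicious litellm install under the
# given roots. Walking the filesystem catches venvs, conda envs and ~/.local
# that `pip list` in a single interpreter would miss.
find_malicious_litellm() {
    find "$@" -type d -name 'litellm-*.dist-info' 2>/dev/null | while read -r d; do
        v=$(basename "$d" | sed 's/^litellm-\(.*\)\.dist-info$/\1/')
        if litellm_version_is_malicious "$v"; then printf '%s %s\n' "$v" "$d"; fi
    done
    return 0
}

# Print the .pth auto-loader, the sysmon dropper and the disguised user-level
# systemd unit if present under the given roots (home directories, /root).
find_persistence_artifacts() {
    {
        for root in "$@"; do
            for rel in .config/sysmon/sysmon.py .config/systemd/user/sysmon.service; do
                if [ -e "$root/$rel" ]; then printf '%s\n' "$root/$rel"; fi
            done
            # Catch a renamed unit too: match on the decoy Description string.
            grep -rlF 'System Telemetry Service' "$root/.config/systemd/user" 2>/dev/null || true
        done
        # The .pth survives `pip uninstall`, so look in every site-packages, not in pip.
        find "$@" -type f -name 'litellm_init.pth' -path '*site-packages*' 2>/dev/null || true
    } | sort -u
    return 0
}

# Print the staging files the payload leaves in the temp directory (default /tmp).
find_staging_files() {
    tmpdir=${1:-/tmp}
    for f in "$tmpdir/pglog" "$tmpdir/.pg_state"; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# Print rogue node-setup-* pods in kube-system when kubectl is available here.
find_rogue_pods() {
    command -v kubectl >/dev/null 2>&1 || return 0
    kubectl get pods -n kube-system -o name 2>/dev/null | grep '^pod/node-setup-' || true
}

# Run every check over the given roots and report. Exit status 1 on any hit so a
# fleet job can flag affected hosts from the return code alone.
hunt_host() {
    hits=$(
        find_malicious_litellm "$@"
        find_persistence_artifacts "$@"
        find_staging_files "${HUNT_TMPDIR:-/tmp}"
        find_rogue_pods
    )
    if [ -n "$hits" ]; then
        printf 'IOC HIT on %s:\n%s\n' "$(uname -n)" "$hits"
        return 1
    fi
    printf 'clean: %s\n' "$(uname -n)"
    return 0
}
```

Run it as root with every home directory and every known venv root as arguments; pass the same roots on Kubernetes nodes, where `find_rogue_pods` adds the kube-system check. A non-zero exit from `hunt_host` means at least one IOC matched, so the host should be isolated and its credentials in ~/.ssh, ~/.aws and ~/.kube rotated before cleanup.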
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Linux Persistence Through systemd Service (partial) | Needs tuning for user-level ~/.config/systemd/user/ path; no rule for .pth file abuse |
| Elastic | Systemd Service Created (partial) | Same gap — user-level systemd services not covered; no Python .pth persistence rule |
| Sigma | Systemd Service File Creation (partial) | Add filter for sysmon.service description “System Telemetry Service”; need new rule for .pth file creation in site-packages |
Sources: BleepingComputer, ReversingLabs, Wiz Blog, Datadog Security Labs, TocConsulting IOC Repo
Status Updates
- CVE-2026-3055 (Citrix NetScaler ADC/Gateway): No public PoC or in-the-wild exploitation yet as of March 25; Rapid7 and Arctic Wolf maintain a high weaponization likelihood. Patch immediately if SAML IdP is configured. Rapid7 ETR.
- CVE-2026-20131 (Cisco FMC): Interlock ransomware exploitation is ongoing; a public PoC remains available on GitHub. The CISA KEV remediation deadline passed on March 22. Help Net Security.