What started with a poisoned Trivy Docker image has turned into one of the wider CI/CD compromise events of the year. Thousands of pipelines pulled the malicious images. LiteLLM, a widely used AI API library, got backdoored directly on PyPI. And the payload wasn’t a simple credential stealer. It was a three-part kit designed to get in, spread laterally through Kubernetes clusters, and stay there.
The attack started March 19. Trivy versions 0.69.4, 0.69.5, and 0.69.6 were published to Docker Hub and pulled thousands of times before anyone caught it. They’re gone from Docker Hub now. Every pipeline that pulled them during that window already ran the payload.
Then it spread. TeamPCP also hit the Checkmarx KICS GitHub Action in a second wave. If your pipeline uses that IaC scanner, you had two exposure vectors, not one.
LiteLLM is a separate kind of problem. It’s the Python library developers use to route calls to OpenAI, Anthropic, Azure AI, AWS Bedrock, and others through a single interface. Versions 1.82.7 and 1.82.8 were backdoored. Think about what’s on a machine running LiteLLM: API keys for every major AI provider, probably sitting next to cloud provider credentials. That’s a uniquely dense target.
The payload had three components. A credential harvester called “TeamPCP Cloud Stealer” that hunted for cloud keys and CI/CD secrets. A Kubernetes lateral movement toolkit that used deployment credentials to pivot from your build system into your running clusters. And a persistent backdoor to keep the connection open after the initial infection.
If you ran those Trivy versions, treat your secrets as compromised. Rotate everything. Check your LiteLLM version. Review your Kubernetes access logs around March 19. This one has legs.
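A quick way to run the version check across repositories, as an added example that is not from the original post or from either project: it scans file contents for Trivy image tags and LiteLLM pins matching the versions named above. The function names, the `aquasec/trivy` image path in the sample, and the sample files themselves are assumptions constructed for illustration.

```python
import re
from importlib import metadata

BAD_TRIVY = {"0.69.4", "0.69.5", "0.69.6"}   # affected versions named in this post
BAD_LITELLM = {"1.82.7", "1.82.8"}           # affected versions named in this post

# Any image reference whose last path component is "trivy" (repository not checked).
TRIVY_REF = re.compile(r"(?:^|[\s/\"'=])trivy:([\w.\-]+)")
LITELLM_PIN = re.compile(r"\blitellm(?:\[[^\]]*\])?\s*==\s*([\w.]+)", re.I)
SEMVER = re.compile(r"v?(\d+\.\d+\.\d+)")

def scan_text(source, text):
    """Return (source, line_no, finding) tuples for one file's contents."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for tag in TRIVY_REF.findall(line):
            m = SEMVER.match(tag)
            if m and m.group(1) in BAD_TRIVY:
                findings.append((source, no, f"trivy {m.group(1)} AFFECTED"))
            elif not m:
                # Floating tag: the config alone cannot show which version ran.
                findings.append((source, no, f"trivy tag '{tag}' unpinned, check pull logs"))
        for ver in LITELLM_PIN.findall(line):
            if ver in BAD_LITELLM:
                findings.append((source, no, f"litellm {ver} AFFECTED"))
    return findings

def installed_litellm_affected():
    """True/False for the litellm in this environment, None if not installed."""
    try:
        return metadata.version("litellm") in BAD_LITELLM
    except metadata.PackageNotFoundError:
        return None

# Constructed sample inputs (not taken from any real repository).
SAMPLE_CI = """\
scan:
  image: aquasec/trivy:0.69.5
  script: trivy fs .
nightly:
  image: docker.io/aquasec/trivy:latest
ok:
  image: aquasec/trivy:0.69.3
"""
SAMPLE_REQS = "requests==2.32.3\nlitellm[proxy]==1.82.8\nlitellm==1.82.6\n"

if __name__ == "__main__":
    for hit in scan_text("ci.yml", SAMPLE_CI) + scan_text("requirements.txt", SAMPLE_REQS):
        print("%s:%d: %s" % hit)
    print("installed litellm affected:", installed_litellm_affected())
```

A clean result here only covers what is pinned in the files you scanned; pipelines that pulled by floating tag need registry or runner pull logs from the March 19 window to settle the question.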
The full technical breakdown, IOCs, and remediation steps are in the complete post.