← Back to Cybersecurity News Center
Severity
CRITICAL
CVSS
9.5
Priority
0.888
Executive Summary
On March 10, 2026, threat group TeamPCP breached the European Commission's AWS environment using an API key stolen during a supply-chain attack on the Trivy security scanner. The intrusion exposed data from EU government entities; ShinyHunters subsequently published a dataset on a dark web leak site. CERT-EU confirmed attribution on April 3, 2026. The primary business risk is unauthorized access to sensitive government data through compromised cloud credentials and third-party dependency integrity failures. [Note: Initial reporting cited 30 entities; later reports referenced up to 71. Verify official CERT-EU count for accurate scope.]
Technical Analysis
TeamPCP gained initial access via a compromised API key traced to the Trivy supply-chain attack (T1195.002 ).
The LiteLLM PyPI package was identified as a malicious component in the broader campaign, documented by Datadog Security Labs.
Attackers used TruffleHog to scan for exposed secrets in the EC's AWS environment (T1552.001 , T1552.004 ), then created covert IAM access keys to establish persistence (T1078.004 , T1098 , T1528 ).
Data from EU government entities was exfiltrated via cloud storage (T1530 , T1537 ) and published externally (T1567.002 ). Relevant weaknesses: CWE-284 (improper access control), CWE-522 (insufficiently protected credentials), CWE-200 (exposure of sensitive information), CWE-732 (incorrect permission assignment), CWE-494 (download of code without integrity check). No NVD CVE is assigned to this campaign. MITRE coverage includes T1087.004 (cloud account enumeration) and T1588.001 (tool acquisition). Affected platforms: AWS (EC accounts), Trivy (supply-chain vector), LiteLLM PyPI package, GitHub, PyPI, NPM, Docker, Europa.eu hosting.
Action Checklist
Step 1: Containment. Immediately audit all AWS IAM users and roles across your organization for unrecognized or recently created access keys. Revoke any keys that cannot be traced to authorized provisioning. If Trivy, LiteLLM, or related tooling is deployed in CI/CD pipelines with cloud credentials, rotate those credentials now and scope IAM permissions to least privilege. Reference: AWS IAM credential report and CloudTrail CreateAccessKey events.
Step 2: Detection. Query CloudTrail for CreateAccessKey, ListAccessKeys, and AssumeRole events from unexpected principals or unusual source IPs, especially within CI/CD runner IP ranges. Search pipeline logs and dependency manifests for compromised LiteLLM PyPI package versions identified in the Datadog Security Labs report (https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/; consult advisory for affected version range). Run TruffleHog (https://github.com/trufflesecurity/trufflehog) or equivalent secret scanning against all repositories that have cloud credential access. Look for outbound data transfers to non-standard S3 buckets or external endpoints (CloudTrail S3 and data events, VPC Flow Logs).
Step 3: Eradication. Remove or pin the compromised LiteLLM PyPI package versions per Datadog's advisory (https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/). Verify integrity of all Trivy installations against official release hashes from the Aqua Security GitHub repository. Enforce dependency pinning with hash verification (pip --require-hashes, npm lockfiles with integrity checks) across all pipelines. Remove any IAM access keys not provisioned through your approved identity lifecycle process.
Step 4: Recovery. Re-validate all cloud credentials in use by CI/CD systems, security tooling, and automation after rotation. Enable AWS GuardDuty and review findings for credential exfiltration indicators (UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration, Policy:IAMUser/RootCredentialUsage). Monitor CloudTrail for 30 days post-remediation for recurrence of CreateAccessKey or cross-account role assumption from pipeline contexts. Confirm no persistent Lambda functions, EC2 instance profiles, or scheduled tasks were created under compromised principals.
Step 5: Post-Incident. This attack exposed three systemic control gaps: absence of secrets scanning in CI/CD pipelines before credential use, no integrity verification on third-party security tooling (Trivy) and PyPI dependencies (LiteLLM), and over-permissioned IAM roles attached to build systems. Remediation priorities: implement OIDC-based short-lived credentials for CI/CD instead of static API keys (eliminates the stolen key attack surface), enforce software supply-chain controls per NIST SP 800-218 (SSDF) and SLSA framework, and introduce mandatory dependency integrity checks (hash pinning, SBOM generation) as pipeline gates.
Detection Guidance
Note: Public IOC data (file hashes, C2 IPs, exfil endpoints) is not available from source data. Detection relies on behavioral indicators (CloudTrail events, dependency scanning, dark web monitoring) rather than signature-based matching. Primary detection surface is AWS CloudTrail. Query for:
CreateAccessKey events where the requesting principal is a service account, IAM role, or unknown user, especially if the source IP resolves to a CI/CD runner, PyPI package execution context, or unfamiliar ASN. ListBuckets, GetObject, or PutObject events at unusual volumes or times from programmatic principals. AssumeRole events across account boundaries not matching your approved cross-account role inventory. Secondary detection: audit your Python dependency tree for the specific compromised LiteLLM versions identified in the Datadog Security Labs report (see https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/ for affected version matrix), compare installed versions against the advisory. Run TruffleHog (https://github.com/trufflesecurity/trufflehog) against all repositories with cloud access. Behavioral indicator: TruffleHog was used by the attackers internally; detecting its execution within your environment from an unexpected context may indicate active credential harvesting. Monitor dark web leak sites and paste sites for your organization's domain strings as a post-breach indicator.
Indicators of Compromise (2)
Type Value Context Confidence
URL
https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/
Datadog Security Labs report on LiteLLM PyPI compromise and TeamPCP supply-chain campaign — reference for affected package versions
medium
DOMAIN
pypi.org
Distribution channel for compromised LiteLLM package used by TeamPCP; monitor outbound connections from build systems to PyPI for unexpected package pulls
low
Compliance Framework Mappings
T1552.004
T1078.004
T1098
T1528
T1552.001
T1567.002
+5
CM-7
SA-9
SR-3
SI-7
AC-3
IA-5
+3
A01:2021
A04:2021
A07:2021
A08:2021
6.1
6.2
5.2
3.3
2.5
2.6
+1
164.312(a)(1)
164.308(a)(5)(ii)(D)
164.312(d)
MITRE ATT&CK Mapping
T1098
Account Manipulation
persistence
T1528
Steal Application Access Token
credential-access
T1552.001
Credentials In Files
credential-access
T1567.002
Exfiltration to Cloud Storage
exfiltration
T1537
Transfer Data to Cloud Account
exfiltration
T1195.002
Compromise Software Supply Chain
initial-access
T1530
Data from Cloud Storage
collection
Guidance Disclaimer
