
The TeamPCP Campaign: How One Threat Group Compromised Trivy, LiteLLM, Axios, and Telnyx in a Coordinated Supply Chain Onslaught

The cryptocurrency ecosystem faces a new category of threat that operates far below the radar of traditional security monitoring. Throughout March 2026, a threat actor self-identifying as TeamPCP executed one of the most sophisticated supply chain campaigns in recent memory, compromising at least four major open-source projects in a carefully orchestrated sequence. The attacks targeted Trivy, LiteLLM, Axios, and Telnyx — tools collectively trusted by millions of developers, including those building crypto wallets, DeFi protocols, and blockchain infrastructure.

The Exploit Mechanics

The campaign began in late February 2026 when TeamPCP first compromised the Trivy security scanner. Trivy, developed by Aqua Security, is one of the most widely used vulnerability scanners in CI/CD pipelines. The attackers inserted malicious code into Trivy's GitHub Actions, which allowed them to exfiltrate secrets and publishing tokens from any project that ran Trivy in its build process.

LiteLLM was the first major downstream victim. On March 24, the attackers used publishing tokens stolen through the Trivy compromise to push two backdoored versions of the LiteLLM library to PyPI. Version 1.82.7 contained a malicious payload hidden in proxy_server.py, while version 1.82.8 introduced a more aggressive delivery method using a .pth file that executed the moment Python started. The payload followed a three-stage design: first harvesting credentials including OpenAI, Anthropic, and AWS keys from environment variables; then attempting lateral movement through Kubernetes clusters using stolen service account tokens; and finally installing a persistent systemd backdoor that polled for additional payloads.

The Axios compromise followed a similar pattern. Axios, the ubiquitous HTTP client library with over 40 million weekly downloads on npm, received a malicious version published at 23:59 UTC on March 30. By the time the community detected the intrusion, the tainted package had already been downloaded thousands of times.

The Telnyx Python library was also compromised on March 27, extending the blast radius into telecommunications APIs that many crypto platforms use for SMS-based two-factor authentication.

Affected Systems

The scale of the compromise is staggering. LiteLLM alone boasts 95 million monthly downloads. Axios sees over 40 million weekly downloads. Between the four packages, the potential blast radius encompasses nearly every developer machine, CI/CD pipeline, and production server in the cryptocurrency development ecosystem.

Projects most at risk include any crypto platform that processes AI model requests through LiteLLM, any application using Axios for API calls to blockchain nodes or exchanges, and any service relying on Trivy for security scanning. The three-stage payload design means that even developers who merely installed the compromised packages on their local machines could have had their cloud credentials, API keys, and Kubernetes configurations exfiltrated.

The attack’s impact on crypto specifically is amplified because many wallet providers, DeFi protocols, and exchange integrations use Python-based backend services that likely included LiteLLM for AI features and Axios-equivalent libraries for HTTP communication. With BTC trading at approximately $66,691 and ETH at $2,023 on March 30, the value of stolen credentials could be immense.

The Mitigation Strategy

Security teams across the crypto industry should take immediate action. First, audit all development environments for the specific compromised versions: litellm versions 1.82.7 and 1.82.8, any Axios versions published on March 30, and the affected Telnyx versions. Second, rotate all API keys, cloud credentials, and publishing tokens that may have been exposed. Third, inspect Kubernetes clusters for unauthorized service accounts or pods.
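An added example (not code from the article or from any of the affected projects) of the first audit step: it checks an inventory of installed Python packages against the LiteLLM versions named above and flags `.pth` files in a site-packages directory that contain `import` lines, which `site.py` executes at interpreter start, the delivery mechanism described for 1.82.8. The Axios and Telnyx version pins are not given on the page and are left out; the inventory and `.pth` files in `demo()` are constructed.

```python
import importlib.metadata as md
import re
import tempfile
from pathlib import Path

# Versions the article names as backdoored. The page gives no exact Axios or
# Telnyx versions, so only the LiteLLM releases are listed; extend as advisories land.
KNOWN_BAD = {"litellm": {"1.82.7", "1.82.8"}}

def normalize(name):
    # PEP 503 name normalization so "LiteLLM" and "litellm" compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def find_bad_packages(installed):
    """installed: iterable of (name, version) pairs. Returns sorted (name, version) hits."""
    return sorted((normalize(n), v) for n, v in installed
                  if v in KNOWN_BAD.get(normalize(n), ()))

def installed_distributions():
    # Live inventory of the current interpreter's site-packages
    return [(d.metadata["Name"], d.version) for d in md.distributions()]

def find_executable_pth(site_dir):
    """Map each .pth file under site_dir to the lines site.py would exec at startup.
    site.py executes any .pth line starting with 'import ' or 'import<TAB>';
    every other line is treated as a plain path entry."""
    findings = {}
    for pth in sorted(Path(site_dir).glob("*.pth")):
        lines = [ln for ln in pth.read_text(errors="replace").splitlines()
                 if ln.startswith(("import ", "import\t"))]
        if lines:
            findings[pth.name] = lines
    return findings

def demo():
    # Constructed inventory and .pth files, not a real environment
    installed = [("LiteLLM", "1.82.8"), ("requests", "2.31.0")]
    bad = find_bad_packages(installed)
    with tempfile.TemporaryDirectory() as d:
        # setuptools ships an import-style .pth, so a hit is a review item, not proof of compromise
        Path(d, "distutils-precedence.pth").write_text(
            "import _distutils_hack; _distutils_hack.add_shim()\n")
        Path(d, "myproj-editable.pth").write_text("/home/dev/myproj/src\n")
        Path(d, "zz-constructed.pth").write_text("import base64  # constructed, never executed here\n")
        pth = find_executable_pth(d)
    return bad, sorted(pth)
```

Run `find_bad_packages(installed_distributions())` and `find_executable_pth(site.getsitepackages()[0])` against a real environment; any `.pth` hit that is not from a package you installed on purpose deserves a look.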

Longer-term mitigations include pinning package versions and verifying checksums before installation. Teams should also adopt Sigstore-based signature verification for critical dependencies. The LiteLLM maintainer team has confirmed that version 1.82.6 is the last known clean release.
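An added example (not the article's or any project's code) of what pinning plus checksum verification means in practice: it parses requirements in pip's `name==version --hash=algo:digest` syntax, rejects anything that is not exactly pinned or has no hash (the rule `pip install --require-hashes` enforces), and compares a downloaded artifact's digest against the pins. The wheel bytes and the requirements text in `demo()` are constructed; real digests come from the package index or a lock file.

```python
import hashlib
import re

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s\\]+)")
HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-f]+)")

def parse_pinned_requirements(text):
    """Parse requirements text into {name: (version, {(algo, digest), ...})}.
    Raises ValueError for any requirement that is not an exact == pin or carries
    no --hash, mirroring what `pip install --require-hashes` enforces."""
    joined = text.replace("\\\n", " ")          # join backslash-continued lines
    pins = {}
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned requirement rejected: {line}")
        hashes = set(HASH_RE.findall(line))
        if not hashes:
            raise ValueError(f"no --hash for {m.group(1)}")
        pins[m.group(1).lower()] = (m.group(2), hashes)
    return pins

def verify_artifact(data, name, pins):
    """True if the artifact bytes match one of the pinned digests for name.
    A package with no pin at all raises KeyError: fail closed, never install it."""
    _version, hashes = pins[name.lower()]
    return any(hashlib.new(algo, data).hexdigest() == digest for algo, digest in hashes)

def demo():
    # Constructed wheel contents; a real digest would come from the index or lock file
    good = b"constructed wheel contents for litellm 1.82.6"
    tampered = good + b"\n# trailing bytes"
    req = ("litellm==1.82.6 \\\n"
           f"    --hash=sha256:{hashlib.sha256(good).hexdigest()}\n")
    pins = parse_pinned_requirements(req)
    try:
        parse_pinned_requirements("litellm>=1.82\n")   # range spec, not a pin
        unpinned_rejected = False
    except ValueError:
        unpinned_rejected = True
    return (verify_artifact(good, "litellm", pins),
            verify_artifact(tampered, "litellm", pins),
            unpinned_rejected)
```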

Lessons Learned

The TeamPCP campaign reveals a fundamental weakness in the software supply chain that crypto projects must address. Security scanners like Trivy are supposed to protect against vulnerabilities, but when the scanner itself becomes the attack vector, the entire trust chain collapses. The campaign also demonstrates that attackers are moving upstream, targeting build infrastructure rather than individual applications.

For the crypto industry specifically, this highlights the danger of centralized trust points in development pipelines. A single compromised CI/CD tool can cascade into credential theft across hundreds of downstream projects. The industry needs to adopt a zero-trust approach to dependency management, where no package is implicitly trusted regardless of its download count or maintainer reputation.

User Action Required

If you are a crypto developer or platform operator, take these steps immediately: verify your LiteLLM and Axios installations against known clean versions; rotate any credentials that may have been exposed; check your Kubernetes audit logs for unusual service account activity; and consider implementing automated dependency scanning that verifies package signatures before allowing installation in your build pipelines. The TeamPCP campaign may be the first of many such coordinated supply chain attacks targeting the crypto ecosystem.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified security professionals for specific threat mitigation strategies.


12 thoughts on “The TeamPCP Campaign: How One Threat Group Compromised Trivy, LiteLLM, Axios, and Telnyx in a Coordinated Supply Chain Onslaught”

  1. pipeline_watcher

    TeamPCP compromised Trivy then used stolen tokens to backdoor LiteLLM. one CI/CD breach and 4 projects fell like dominoes

    1. trivy compromising publishing tokens that then backdoored litellm versions 1.x and axios. one CI breach cascaded through the entire npm and pypi graph

    2. piotr the gap between crypto and tradfi isn't narrowing when the attacks are on CI/CD pipelines. this is a software supply chain problem not a finance problem

      1. bugzapper right, this is a software supply chain issue not specific to crypto. but crypto wallets and DeFi make the stakes way higher

  2. the scary part is teampcp sat dormant in trivy actions for weeks before exfiltrating. nobody noticed because the builds kept passing

  3. trivy to litellm to axios. one compromised scanner and the blast radius hits millions of developers. dependency trees are a security nightmare

    1. tryhard_tom the dependency tree is the attack vector now. your code can be perfect but if your scanner is compromised you’re done

