durabletask (Microsoft's Python Durable Task client) compromised by TeamPCP | same Mini Shai-Hulud payload as last week's TanStack wave

We've been tracking TeamPCP since March. This is the fifth major package in the same campaign. Full chronology:

  • Mar 19 — Trivy compromised. CI/CD secrets harvested downstream.
  • Mar 24 — LiteLLM 1.82.7/1.82.8 to PyPI via credentials stolen through Trivy. ~95M monthly downloads. ~1,000 cloud environments in a 3-hour window.
  • Mar 27 — Telnyx Python SDK 4.87.1/4.87.2 to PyPI. WAV steganography for payload delivery. ~670K monthly downloads.
  • April — Bitwarden CLI, SAP npm packages, PyTorch Lightning.
  • May 11 — 84 malicious versions across ~170 packages (@tanstack/, guardrails-ai, @mistralai/, OpenSearch). First SLSA Build Level 3 provenance bypass. OpenAI hit downstream.
  • May 20 — durabletask 1.4.1/1.4.2/1.4.3. Reads Vault, 1Password, Bitwarden, SSH keys, Docker creds. Propagates via AWS SSM and kubectl exec.

We wrote on the LiteLLM chain in March when this started. Same TTPs, different package: https://www.bluerock.io/post/litellm-supply-chain-protection

submitted by /u/Upstairs_Safe2922
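The post names specific PyPI versions for three of the packages (LiteLLM, the Telnyx SDK, durabletask). The following is an added example, not the poster's or BlueRock's code: it audits a requirements.txt or `pip freeze` snapshot for exact pins of those versions, applying PEP 503 name normalization so `DurableTask`, `durable_task` and `durabletask` all match. The PyPI project names `litellm` and `telnyx` are assumed; the version numbers are transcribed from the chronology above, and packages the post lists without versions (the April and May 11 waves) are deliberately not included. Range specifiers such as `telnyx>=4.80,<5` are skipped, since the file alone cannot say which version was resolved; run it against the output of `pip freeze` from the actual environment to get a definitive answer.

```python
"""Audit pinned Python dependencies against the package versions named in the
post above (LiteLLM, Telnyx SDK, durabletask).

Added example, not code from the post or from BlueRock. The version list is
transcribed from the post's chronology; the PyPI project names litellm and
telnyx are assumed."""
import re
from typing import Dict, List, Set, Tuple

# Versions taken from the post. Keys are PEP 503-normalized project names.
COMPROMISED_VERSIONS: Dict[str, Set[str]] = {
    "litellm": {"1.82.7", "1.82.8"},        # Mar 24 (name assumed)
    "telnyx": {"4.87.1", "4.87.2"},         # Mar 27 (name assumed)
    "durabletask": {"1.4.1", "1.4.2", "1.4.3"},  # May 20
}

_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"  # project name
    r"(?:\[[^\]]*\])?"                            # optional extras, e.g. litellm[proxy]
    r"\s*==\s*(?P<version>[^\s;#]+)"              # exact '==' pin only
)


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> List[Tuple[str, str]]:
    """Extract (normalized_name, version) from requirements.txt / pip freeze lines.

    Comments, blank lines, pip options (-r, -e, --index-url) and anything that is
    not an exact '==' pin (ranges, URLs) are skipped rather than guessed at."""
    pins: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_RE.match(line)
        if m:
            pins.append((normalize(m.group("name")), m.group("version")))
    return pins


def find_compromised(text: str) -> List[Tuple[str, str]]:
    """Return every pin whose (name, version) is in COMPROMISED_VERSIONS, in file order."""
    return [
        (name, version)
        for name, version in parse_pins(text)
        if version in COMPROMISED_VERSIONS.get(name, set())
    ]


# Constructed sample input (a made-up pip freeze snapshot, not data from any real system).
SAMPLE_FREEZE = """\
boto3==1.34.0
DurableTask==1.4.2   # pinned by a transitive dependency
litellm[proxy]==1.82.7
telnyx>=4.80,<5      # range, not an exact pin: cannot be judged from this file
requests==2.31.0
"""

if __name__ == "__main__":
    hits = find_compromised(SAMPLE_FREEZE)
    for name, version in hits:
        print(f"compromised pin: {name}=={version}")
    if not hits:
        print("no pins matching the versions listed in the post")
```

A clean result from this check only means none of the listed versions is pinned; it says nothing about the other packages in the campaign, about what a build already pulled in before the pin was added, or about credentials that may already have been read from a host where one of these versions ran.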