LiteLLM, the open-source proxy routing traffic for millions of AI agents, was compromised with credential-stealing malware. For anyone building payment-capable agents, the threat model just changed.

On March 24, a threat actor calling themselves "TeamPCP" did something the agentic commerce industry should have been preparing for but wasn't. They backdoored LiteLLM, the most popular open-source proxy for routing AI agent traffic to large language models. Versions 1.82.7 and 1.82.8, downloaded roughly 97 million times monthly on PyPI, contained a three-stage payload designed to harvest every credential it could find.

SSH keys. Cloud credentials. Kubernetes secrets. Crypto wallets. Environment files. All of it.

This is not a routine supply chain incident. LiteLLM sits between AI agents and the models they call. It is the proxy layer. If your agent commerce system routes through LiteLLM, and a significant number do, the attacker did not just compromise a library. They compromised the layer that handles your agent's API keys, your authentication tokens, your infrastructure secrets.

The attack was not a simple package injection. It was a multi-stage supply chain operation that started somewhere else entirely.

According to analysis from Snyk and Sonatype, TeamPCP first compromised Aqua Security's Trivy scanner, a container vulnerability tool used in LiteLLM's CI/CD pipeline. Through that foothold, they extracted the maintainer's PyPI credentials. Then they published two poisoned versions of LiteLLM with a three-stage payload baked in.

Stage one: a credential harvester. It scraped SSH keys, AWS and GCP credentials, Kubernetes service account tokens, cryptocurrency wallets, and .env files from every system that installed the package.

Stage two: Kubernetes lateral movement. If the harvester found a Kubernetes service account token, the payload escalated. It read all cluster secrets across all namespaces, then deployed a privileged Alpine container to every node in the cluster, mounting the host filesystem. Not one node. Every node.

Stage three: a persistent systemd backdoor on the host, ensuring the attacker maintained access even if the original compromised package was removed.

DreamFactory's analysis laid bare the scope. A single compromised dependency in a CI/CD pipeline cascaded into full infrastructure access for any organisation running LiteLLM in a Kubernetes environment. PyPI has since quarantined the entire LiteLLM package, all versions, not just the compromised ones.

Security researchers have focused on the technical mechanics. Fair enough. But the commerce implications are the part that should worry payments professionals.

LiteLLM is not a niche tool. It is the standard proxy for organisations that need to route AI agent traffic across multiple LLM providers. Anthropic, OpenAI, Google, Mistral, Cohere, dozens of others. It handles authentication, load balancing, rate limiting, and cost tracking. For enterprise deployments of AI agents, it is infrastructure.

Now think about what that means for agentic commerce. An AI purchasing agent needs API keys to call language models. It needs credentials to access payment processors. It needs tokens to authenticate with merchant platforms. In many architectures, those credentials pass through or are accessible to the proxy layer.

TeamPCP's harvester was grabbing .env files. Those files typically contain API keys for payment gateways, database connection strings, authentication secrets, and service credentials. If a payment-capable agent's environment was compromised, the attacker potentially had access to everything needed to initiate, redirect, or intercept transactions.

We've written extensively about the trust gap in agentic commerce and the dispute layer crisis that enterprises face when agents transact on behalf of consumers. Those analyses focused on whether agents would act within their authorised boundaries. This attack introduces a different question: what happens when the agent's own infrastructure is compromised, and the agent does not even know it?

NVIDIA AI Director Jim Fan warned that this represents "a new class of attacks targeting AI agents." He's right, but the framing understates the structural problem.

The agentic commerce security conversation has focused almost entirely on the agent itself. Is the agent authorised? Is it acting within its mandate? Can it be manipulated through prompt injection? Those are real concerns. We covered them when Nvidia built its OpenShell sandbox and when the payment networks launched their trust protocols.

But nobody was modelling supply chain attacks against the infrastructure that agents depend on. LiteLLM is one of dozens of open-source components in a typical agentic AI stack. There are embedding libraries, vector databases, orchestration frameworks, tool-calling middleware, authentication wrappers. Each one is a potential entry point.

The attack surface for agentic commerce is not the agent. It is the entire dependency tree underneath the agent. And that tree is largely open-source, maintained by small teams, and verified by automated pipelines that themselves can be compromised, as TeamPCP demonstrated by poisoning Trivy first.

Consider the scenario. An enterprise deploys Visa's Trusted Agent Protocol and Mastercard's Verifiable Intent to authenticate their AI purchasing agent. The agent itself is sandboxed, governed by policy, auditable. But the proxy layer routing the agent's LLM calls has been backdoored. The attacker now has the agent's cloud credentials, its Kubernetes secrets, potentially its payment API keys. The trust protocols verified the agent's identity. They did not verify the integrity of the agent's supply chain.

Three things shift immediately.

First, dependency auditing for AI agent infrastructure moves from "nice to have" to "existential." Every component in the agent stack, from the LLM proxy to the embedding library to the orchestration framework, needs the same level of scrutiny that financial institutions apply to their core banking software. The security gap we identified in agent commerce infrastructure just got a live proof of concept.

Second, the argument for managed AI infrastructure over open-source-assembled stacks strengthens considerably. Enterprises that route through Anthropic, OpenAI, or Google directly, rather than through an open-source proxy, have one fewer attack surface to worry about. That is not a knock against open source. It is a recognition that when your proxy handles payment-adjacent credentials, the security model of your dependency chain is a business risk, not just a technical one.

Third, the payment networks' agent trust protocols need to account for infrastructure compromise. Visa's Trusted Agent Protocol verifies agent identity. Mastercard's Verifiable Intent binds consumer instructions to transaction outcomes. Neither protocol currently verifies that the agent's underlying infrastructure has not been tampered with. A compromised proxy layer can exfiltrate credentials regardless of how well the agent itself is authenticated.

The LiteLLM attack demonstrates that agentic commerce security cannot stop at the agent boundary. The entire stack, every dependency, every CI/CD pipeline, every proxy layer, is part of the trust surface. And the attackers know it.

For enterprises evaluating payment-capable AI agents, the math just shifted.

The question used to be: can we trust the agent to act within its mandate? That was already hard. Now the question includes: can we trust every component in the agent's supply chain? The answer, after LiteLLM, is demonstrably no, not without far more rigorous controls than most organisations have in place.

ARMO's analysis of the Kubernetes lateral movement capability is particularly concerning for enterprise deployments. The payload did not just steal secrets from the compromised node. It read all secrets across all namespaces and deployed privileged containers to every node in the cluster. For an enterprise running multiple AI agents with payment capabilities across a shared Kubernetes cluster, a single compromised dependency could expose the credentials of every agent in the environment.

That is not a theoretical risk anymore. It happened.

The payment networks, the processors, and the enterprises deploying agentic commerce systems need to treat supply chain integrity as a first-class security requirement, alongside agent identity, consumer intent verification, and transaction authentication. The LiteLLM compromise is not an isolated incident. It is the first proven attack against the infrastructure layer that agentic commerce runs on.

It will not be the last.

When the infrastructure your AI agent depends on can be compromised without the agent knowing, who bears liability for the transactions it processes?