This week’s cybersecurity and dark web news stories discuss the LiteLLM and Telnyx compromise, Pay2Key re-emergence, and the Dutch Treasury banking portal taken offline after breach.
Popular Python Packages LiteLLM and Telnyx Backdoored in Ongoing Supply Chain Attack
Two widely used Python packages have been compromised as part of a sweeping software supply chain campaign, researchers at Datadog Security Labs have revealed.
Versions 1.82.7 and 1.82.8 of LiteLLM – a popular proxy layer for LLM providers – were published to PyPI on March 24 containing malicious code, with PyPI later quarantining the project. On March 27, two releases of the telephony SDK telnyx (4.87.1 and 4.87.2) were also backdoored.
The incidents are not isolated. Datadog’s investigation links these compromises to a broader campaign dubbed TeamPCP, which began with the March 19 compromise of the security scanning tool Trivy and has since spread across npm, GitHub Actions, and the Checkmarx KICS toolchain.
The LiteLLM payload collects environment variables, SSH keys, cloud credentials, Kubernetes data, shell history, and CI/CD secrets, encrypts them, and exfiltrates the data to models.litellm[.]cloud. It also installs a persistent backdoor and polls for follow-on payloads from attacker-controlled infrastructure.
Version 1.82.8 is considered the more dangerous of the two. It includes a malicious .pth file that causes the payload to execute automatically whenever the Python interpreter starts – meaning simply having the package installed is enough to trigger the attack.
The Telnyx backdoor takes a different approach: it downloads a disguised WAV audio file from a remote server, extracts a second-stage payload hidden inside the audio frames using XOR encryption, and uses it to harvest and exfiltrate credentials – encrypted with the same RSA public key used in the LiteLLM attack.
The TeamPCP campaign illustrates how stolen CI/CD credentials from a single initial compromise can cascade into fresh attacks across multiple ecosystems within days. With the attacker having already worked their way through Trivy, Aqua Security’s GitHub organisation, npm, Checkmarx, and now PyPI, security teams are advised to keep a close watch for further activity.
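The two indicators described above, a known-bad release being installed and a .pth file that runs code whenever the interpreter starts, can both be checked locally. The script below is an added example and is not code from the article, Datadog, LiteLLM or Telnyx: it takes the compromised version numbers from the article, and its .pth heuristic rests on the documented behaviour of CPython's site.py, which executes any .pth line beginning with "import " or "import<tab>". The sample .pth content is constructed for illustration; legitimate editable installs also use import lines, so any hit needs human review rather than automatic deletion.

```python
"""Audit a Python environment for two indicators from the Datadog write-up:
(1) an installed LiteLLM or telnyx release from the backdoored version set,
(2) a site-packages .pth file that executes code at interpreter start.

Added example, not from the original article or the affected projects.
"""
import os
import site
from importlib import metadata

# Known-bad releases named in the article (project name -> versions).
COMPROMISED_VERSIONS = {
    "litellm": {"1.82.7", "1.82.8"},
    "telnyx": {"4.87.1", "4.87.2"},
}

# Constructed sample .pth content: one normal path entry, one comment,
# and one import line of the kind site.py executes on every startup.
SAMPLE_PTH = (
    "/opt/example/lib\n"
    "# import lines below are executed by site.py, not added to sys.path\n"
    "import sys; sys.path.insert(0, '/tmp/constructed-example')\n"
)


def check_installed_versions(versions=None):
    """Return (project, version) pairs that match the known-bad set.

    `versions` is an optional {project: version} mapping (used for tests);
    when omitted, installed distributions are read via importlib.metadata.
    """
    if versions is None:
        versions = {}
        for dist in metadata.distributions():
            name = dist.metadata["Name"]
            if name:
                versions[name.lower()] = dist.version
    return [
        (project, versions.get(project))
        for project, bad in COMPROMISED_VERSIONS.items()
        if versions.get(project) in bad
    ]


def suspicious_pth_lines(text):
    """Return the lines of a .pth file that site.py would execute.

    site.py runs any line starting with 'import ' or 'import\\t' as Python
    code; every other non-comment line is treated as a sys.path entry.
    This is the mechanism the LiteLLM 1.82.8 release abused.
    """
    return [
        line.rstrip("\n")
        for line in text.splitlines()
        if line.startswith(("import ", "import\t"))
    ]


def audit_pth_files(dirs=None):
    """Scan site-packages directories; return {path: [executable lines]}."""
    if dirs is None:
        dirs = list(getattr(site, "getsitepackages", list)())
        dirs.append(site.getusersitepackages())
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = suspicious_pth_lines(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if lines:
                findings[path] = lines
    return findings


if __name__ == "__main__":
    for project, version in check_installed_versions():
        print(f"COMPROMISED RELEASE INSTALLED: {project}=={version}")
    print("sample .pth executable lines:", suspicious_pth_lines(SAMPLE_PTH))
    for path, lines in audit_pth_files().items():
        print(f"{path}: executes code at interpreter start")
        for line in lines:
            print(f"    {line}")
```

Run it inside each virtual environment and CI runner image separately, since every interpreter has its own site-packages; a .pth hit in an environment that has no editable installs is the signal worth escalating.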
Iran-Linked Pay2Key Ransomware Group Returns With Upgraded Tactics
A ransomware group with suspected ties to Iran has resurfaced with improved capabilities, raising fresh concerns among security teams – particularly as geopolitical tensions between the US and Iran continue to simmer.
Pay2Key has been active since 2020 and has previously been linked to Tehran, typically targeting victims aligned with the regime’s interests. A new report from Halcyon and Beazley Security warns that recent US-Iran tensions appear to have accelerated activity from the group.
The report analysed a recent attack on a US healthcare provider, revealing an evolving set of tactics. The threat actors used TeamViewer to establish interactive access before harvesting credentials via tools including Mimikatz, LaZagne, and ExtPassword. They then used network scanning tools to identify hosts, and navigated Active Directory through its built-in console – a deliberate move, researchers believe, to avoid triggering automated alerts.
Before deploying the ransomware itself, the group enumerated backup systems including IBackup, Barracuda Yosemite, and Windows Server Backup. Ransomware execution was carried out through a self-extracting 7zip archive, consistent with previous Pay2Key campaigns, and encryption of the entire infrastructure was completed in just three hours.
A “No Defender” evasion toolkit was deployed and then removed to cover the attackers’ tracks. There was no evidence of data exfiltration, which researchers suggested could be due to deliberate destruction of evidence by the group.
Since July 2025, the group has received more than $8m in ransom payments linked to 170 victims. Yet researchers caution that money may not be the primary driver.
The group does not always appear to prioritise extortion and financial gain over the destruction of victim environments for strategic impact, the Halcyon report noted – a warning that sets Pay2Key apart from more purely financially motivated ransomware operations.
The group’s true ownership remains murky. Its attempted sale of its entire operation in late 2025, combined with observed ties to Russian-speaking threat actors on criminal forums, raises unresolved questions about the current ownership, operational control, and future trajectory of the group’s ransomware-as-a-service platform.
Regardless of who is ultimately behind the keyboard, defenders are urged to stay alert. Researchers concluded that Pay2Key remains an active, unpredictable, and politically motivated threat whose tactics and objectives warrant ongoing monitoring and proactive intelligence sharing across the security community.
Dutch Finance Ministry Takes Treasury Banking Portal Offline Following Cyberattack
The Dutch Ministry of Finance has taken several of its systems offline, including a key digital portal used for treasury banking, as it investigates a cyberattack first detected on 19 March.
The ministry disclosed the incident last week, clarifying that systems used to manage tax collection, income-linked subsidies, and import/export regulations for citizens and businesses were not affected by the breach. However, some ministry employees were impacted, with no further detail provided on numbers or whether any sensitive data was stolen.
In a statement to the Dutch House of Representatives on Monday, Finance Minister Eelco Heinen confirmed that systems were taken offline on 23 March for security reasons, with the effects rippling out across hundreds of Dutch public institutions — including ministries, government agencies, schools, social funds, and local governments.
“Due to the ongoing forensic investigation and for security reasons, several systems have been temporarily taken offline, including the digital portal for treasury banking,” Heinen said. Around 1,600 public institutions that hold funds with the ministry are currently unable to view their treasury account balances online. Loan applications, deposits, credit requests, and report generation through the portal have also been suspended in the interim.
Heinen was quick to reassure affected parties that access to funds remains intact. “Participants do retain full access to their funds in the Treasury, and incoming and outgoing payments continue as usual through regular banking channels,” he said, adding that minimum service levels would be maintained manually where needed.
The ministry is working with the Dutch National Cyber Security Centre (NCSC) and external forensic experts to investigate the breach. It has notified the Dutch Data Protection Authority and filed a report with the national police’s High Tech Crime Team. No timeline has been given for when the investigation will conclude or when disrupted systems will be restored.
The breach is the latest in a string of cybersecurity incidents affecting Dutch institutions. In September 2024, the country’s National Police Corps was breached by an unnamed state-backed threat actor, who stole work-related contact details of an undisclosed number of officers. More recently, in February, Dutch authorities arrested a man who had demanded something in return for deleting confidential documents the police had mistakenly shared with him.