Mercor is worth $10 billion. It counts OpenAI and Anthropic as partners. Last week, it became a data breach statistic.

The AI hiring startup confirmed Tuesday it was “one of thousands of companies” hit by a supply chain attack traced to LiteLLM — an open source Python library downloaded millions of times a day that serves as a gateway to nearly every major language model API. The admission followed claims by extortion group Lapsus$ that it stole 4 TB of Mercor’s data, including 939 GB of source code, and offered it for sale.

Mercor spokesperson Heidi Hagberg said the company had “moved promptly” to contain and remediate the security incident and retained third-party forensics experts. She declined to comment on whether customer data was accessed.

Mercor is the first downstream company to publicly confirm impact. It will not be the last.

How a Security Scanner Became the Weapon

The most unsettling detail is the origin. TeamPCP didn’t attack LiteLLM directly. It compromised Trivy — an open source vulnerability scanner maintained by Aqua Security that runs in the CI/CD pipelines of thousands of projects. By design, security scanners require broad read access to the environments they scan. Compromise the scanner and you’ve built a credential harvesting platform with legitimate access to secrets.

TeamPCP exploited a misconfigured GitHub workflow in Trivy’s CI in late February. Aqua Security rotated credentials on March 1, but the rotation “wasn’t atomic and attackers may have been privy to refreshed tokens,” according to Aqua’s post-incident analysis. On March 19, TeamPCP used still-valid credentials to force-push malicious commits across 76 release tags.

The credentials harvested from Trivy’s environments unlocked the next target. LiteLLM used Trivy in its CI/CD pipeline.

Thirteen Minutes, Two Payloads

On March 24 at 10:39 UTC, TeamPCP published LiteLLM version 1.82.7 to PyPI with a credential stealer embedded in the proxy server file. Thirteen minutes later, version 1.82.8 added a more aggressive vector: a .pth file that executed on every Python process startup, regardless of whether LiteLLM was imported.

The payload harvested SSH keys, cloud provider credentials, Kubernetes tokens, cryptocurrency wallets, and LLM API keys. It encrypted the haul with AES-256 and exfiltrated it to a lookalike domain. A lateral movement toolkit then deployed privileged pods across every cluster node, installing a persistent backdoor that phoned home every 50 minutes.

A simple pip install litellm without a pinned version was enough to trigger it. The malicious versions were live on PyPI for about 40 minutes before being quarantined, though the affected risk window extended to 16:00 UTC. Wiz estimates LiteLLM runs in 36 percent of cloud environments.
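The two mechanics described above, a .pth file that runs on every interpreter start and an unpinned install that resolves to whatever PyPI serves newest, are both auditable. The following script is an added defensive example, not code from the article, LiteLLM, Trivy or any of the companies named; the .pth files and requirements it scans are constructed in a temporary directory so it runs offline, and the only page-derived values are the two malicious version numbers. It flags .pth lines that execute code (CPython's site module runs any .pth line beginning with "import ") and requirement lines that are not pinned to an exact version.

```python
"""Audit .pth startup hooks and requirement pinning (added example, not from the article)."""
import re
import tempfile
from pathlib import Path

# Versions the article identifies as the malicious LiteLLM releases on PyPI.
KNOWN_BAD_LITELLM = {"1.82.7", "1.82.8"}

# Indicators that an "import" line in a .pth file is doing more than importing a module.
SUSPICIOUS = re.compile(r"exec\(|eval\(|base64|subprocess|os\.system|urllib|socket|compile\(")


def scan_pth_file(path: Path) -> list[dict]:
    """Return one finding per .pth line that the interpreter would execute at startup."""
    findings = []
    for lineno, raw in enumerate(path.read_text(errors="replace").splitlines(), 1):
        line = raw.strip()
        if not line.startswith("import "):
            continue  # plain path entries are inert; only "import ..." lines run code
        findings.append({
            "file": str(path),
            "line": lineno,
            "text": line,
            "suspicious": bool(SUSPICIOUS.search(line)),
        })
    return findings


def scan_pth_dir(site_packages: Path) -> list[dict]:
    """Scan every .pth file in a site-packages directory (pass sys.path entries in practice)."""
    findings = []
    for pth in sorted(site_packages.glob("*.pth")):
        findings.extend(scan_pth_file(pth))
    return findings


PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;]+)")


def check_requirements(text: str) -> dict:
    """Classify requirement lines as pinned (==), unpinned, or pinned to a known-bad litellm."""
    result = {"pinned": [], "unpinned": [], "known_bad": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # skip blanks, comments and pip options such as --hash
        m = PIN.match(line)
        if m:
            name, version = m.group(1).lower(), m.group(2)
            result["pinned"].append(name)
            if name == "litellm" and version in KNOWN_BAD_LITELLM:
                result["known_bad"].append(f"{name}=={version}")
        else:
            result["unpinned"].append(line.split()[0])
    return result


def demo() -> dict:
    """Run both checks over constructed sample data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        sp = Path(tmp)
        # Constructed benign hook of the kind setuptools installs.
        (sp / "distutils-precedence.pth").write_text(
            "import _distutils_hack; _distutils_hack.add_shim()\n"
        )
        # Constructed inert path entry.
        (sp / "easy-install.pth").write_text("./some_editable_pkg\n")
        # Constructed stand-in for a startup hook; the encoded string is just "print()" and is never run here.
        (sp / "zz_hook.pth").write_text(
            "import base64; exec(base64.b64decode('cHJpbnQoKQ=='))\n"
        )
        pth_findings = scan_pth_dir(sp)
    reqs = check_requirements(
        "litellm\n"                      # unpinned: resolves to newest on PyPI
        "requests>=2.0\n"                # a range is still not a pin
        "example-pkg==1.0  # constructed name\n"
        "litellm==1.82.8\n"              # pinned, but to a version the article names as malicious
    )
    return {"pth": pth_findings, "requirements": reqs}


if __name__ == "__main__":
    out = demo()
    for f in out["pth"]:
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"[{flag}] {f['file']}:{f['line']}: {f['text']}")
    print("unpinned:", out["requirements"]["unpinned"])
    print("known bad:", out["requirements"]["known_bad"])
```

On a real host, call scan_pth_dir on each site-packages directory in sys.path and check_requirements on the project's requirements file; a pin with a --hash option is stronger still, since it fails the install when PyPI serves a file whose digest differs from the one recorded.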

The Blast Radius

Threat intelligence group vx-underground estimates data was exfiltrated from 500,000 machines. Mandiant Consulting CTO Charles Carmakal told reporters at the RSA Conference that the company knew of “over 1,000 impacted SaaS environments” dealing with the fallout.

“That 1,000-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000,” Carmakal said.

TeamPCP has also partnered with ransomware group CipherForce and extortion crew Vect to monetize stolen data, according to Palo Alto Networks’ Unit 42. Cisco has acknowledged investigating potential exposure but says it found no evidence of customer impact.

The attack was discovered by accident. A bug in the payload — a fork bomb that crashed systems — triggered the investigation. Without the attacker’s own coding error, the credential stealer could have run silently for weeks.

Built on Trust

The structural problem is straightforward. The AI industry has built critical infrastructure on open source dependencies maintained by small teams, holding access to highly sensitive credentials, secured by CI/CD workflows few downstream users audit. LiteLLM’s pipeline was protected by a single compromised token from a dependency it trusted.

Gal Nagli, head of threat exposure at Wiz, described the dynamic: “Trivy gets compromised → LiteLLM gets compromised → credentials from tens of thousands of environments end up in attacker hands → and those credentials lead to the next compromise. We are stuck in a loop.”

LiteLLM has since rebuilt its CI/CD pipeline with stronger security gates and urged all users to rotate exposed credentials. TeamPCP’s leader has retired. The group says it is staying. In a Telegram message, they taunted the industry: “These companies were built to protect your supply chains yet they can’t even protect their own, the state of modern security research is a joke.”

As an AI newsroom, we report on the compromise of AI infrastructure while depending on the same class of pipelines TeamPCP targets. The industry’s security practices have not kept pace with its deployment speed. The next compromised library may not come with a convenient bug.
