
Mercor AI Breached via LiteLLM Supply Chain Attack 2026

Mercor breached via LiteLLM supply chain attack

Mercor, a $10 billion AI recruiting startup serving OpenAI and Anthropic, confirmed it was breached in a supply chain attack that compromised the LiteLLM open-source project. Hackers claim 4TB of stolen data including databases, source code, and customer information. But Mercor isn’t alone—the company stated it was “one of thousands” affected when malicious versions of LiteLLM, a Python library with 95 million monthly downloads, were published to PyPI for three hours on March 24, 2026.

How a Security Scanner Became the Backdoor

The attack mechanism reveals why this breach is different from typical supply chain compromises. TeamPCP hackers didn’t target LiteLLM directly—they weaponized the project’s own security infrastructure.

Here’s the cascade: TeamPCP first compromised Trivy, an open-source vulnerability scanner. LiteLLM’s CI/CD pipeline used Trivy without version pinning. When the compromised Trivy ran in LiteLLM’s build process, it stole the PyPI publishing credentials. Game over.

With those credentials, attackers published malicious LiteLLM versions 1.82.7 and 1.82.8 to PyPI. The malicious packages contained three-stage malware: a credential harvester targeting SSH keys, cloud credentials, API keys, crypto wallets, and .env files; an encrypted exfiltration layer using AES-256 and RSA-4096; and a persistence toolkit that deployed privileged pods across Kubernetes clusters and installed systemd backdoors.

The execution was automatic. Version 1.82.7 injected code that ran on import—any process importing LiteLLM triggered the malware. Version 1.82.8 went further, using a .pth file that executed during Python interpreter startup, before application code even ran. The malicious versions were live for three hours. Over 40,000 downloads occurred during that window.
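Python's site module executes any line in a site-packages .pth file that begins with an import statement at interpreter startup, which is what makes the start-up hook described above possible. The script below, an added defender-side example that is not code from the article or from the LiteLLM project, lists such lines across a site-packages directory so a review of an environment can spot start-up hooks that no installed package should need. The two .pth files it writes are constructed for the demo and are not the malicious file from the incident.

```python
"""List .pth files in a site-packages directory that carry executable lines.

Python's site module runs every .pth line that starts with "import " or
"import\\t" at interpreter startup, before any application code. Added
example (not the article's or LiteLLM's code); the sample .pth files written
by demo_site_packages() are constructed and are not the real malicious file.
"""
import os
import sysconfig
import tempfile


def executable_pth_lines(text):
    """Return (line_number, line) for every line site.py would exec().

    Blank lines, '#' comments and plain path entries are inert, so only
    lines beginning with an import statement are reported.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith(("import ", "import\t")):
            hits.append((lineno, line.rstrip()))
    return hits


def scan_site_packages(site_dir):
    """Map each .pth file under site_dir to its executable lines.

    Files with no executable lines are omitted, so an empty dict means
    'no start-up hooks found in this directory'.
    """
    report = {}
    for entry in sorted(os.listdir(site_dir)):
        if not entry.endswith(".pth"):
            continue
        with open(os.path.join(site_dir, entry), encoding="utf-8",
                  errors="replace") as fh:
            lines = executable_pth_lines(fh.read())
        if lines:
            report[entry] = lines
    return report


def demo_site_packages():
    """Build a throwaway directory with one inert and one hooked .pth (constructed)."""
    site_dir = tempfile.mkdtemp(prefix="pth-demo-")
    with open(os.path.join(site_dir, "editable-package.pth"), "w") as fh:
        fh.write("./some_editable_package\n")  # plain path entry: inert
    with open(os.path.join(site_dir, "constructed-hook.pth"), "w") as fh:
        fh.write("# constructed sample: runs on every interpreter start\n"
                 "import os; os.getcwd()  # harmless placeholder statement\n")
    return site_dir


if __name__ == "__main__":
    # Constructed demo directory first, then this interpreter's own site-packages.
    for where in (demo_site_packages(), sysconfig.get_paths()["purelib"]):
        findings = scan_site_packages(where)
        print(where, "->", findings or "no executable .pth lines")
```

Run it against every site-packages directory a build or runtime image uses (virtualenvs included); a legitimate editable install produces path entries only, so any import line deserves a look at which package owns the file and when it appeared.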

TeamPCP Meets Lapsus$: A Dangerous Partnership

Six days after the LiteLLM compromise, Lapsus$ claimed the Mercor breach on Telegram, offering to sell 4TB of company data. Lapsus$—the group behind previous attacks on Microsoft, NVIDIA, Samsung, and Okta—has formed a partnership with TeamPCP that combines sophisticated technical exploitation with extortion monetization.

This explains why Mercor specifically appeared on Lapsus$’s Telegram despite “thousands” being affected by LiteLLM. High-value targets like a $10 billion AI startup with access to OpenAI and Anthropic training data get elevated for extortion. Technical access teams up with ransomware operators. It’s the new normal for supply chain attacks.

The Blast Radius Is Bigger Than You Think

LiteLLM isn’t some obscure package. It’s critical AI infrastructure used by NASA, Adobe, Netflix, Stripe, and NVIDIA. That 95 million monthly download figure means this compromise reached production environments across Fortune 500 companies, startups, research labs, and individual developers.

Security researchers are blunt about the implications: if your environment ran LiteLLM 1.82.7 or 1.82.8 at any point on March 24, 2026, assume full compromise. Every credential accessible from that environment—API keys, database passwords, cloud tokens, SSH keys, cryptocurrency wallets—is potentially in attacker hands.

That’s not fear-mongering. That’s the technical reality of malware that harvests 50+ categories of secrets, encrypts them with AES-256 and RSA-4096, and exfiltrates them to infrastructure mimicking LiteLLM’s legitimate domains. The three-hour window was long enough for automated dependency updates to pull the malicious versions into thousands of production deployments worldwide.

When the Security Tools Themselves Are Compromised

Here’s what makes this attack a watershed moment: LiteLLM is a Y Combinator-backed project with security focus. They used Trivy, a respected vulnerability scanner, in their CI/CD pipeline. They followed industry best practices. They still got owned.

The “trust but verify” model breaks down when the verification tools are the attack vector. Downstream version pinning doesn’t help when the upstream project’s CI/CD pipeline itself is the target. Security researchers call it “weaponizing the protectors”—attackers deliberately target security scanners because they run with elevated privileges in build environments and have access to publishing credentials.

This isn’t an isolated incident. TeamPCP has compromised Trivy, KICS, Checkmarx, LiteLLM, Telnyx, and dYdX in 2026 alone. Each compromise cascades into downstream packages. The current open-source package distribution model—trust by default, rapid automated updates, minimal verification—is fundamentally vulnerable to this attack pattern.

What Developers Should Do Now

Check your environments. Review package lockfiles and CI/CD logs for LiteLLM 1.82.7 or 1.82.8. If you find evidence of installation, treat it as full compromise: rotate all credentials, review access logs, audit secrets accessible from affected systems.

Beyond immediate response, implement layered defenses. Pin dependency versions with lockfiles and include hashes for integrity verification. Separate build-time credentials from production secrets. Apply least privilege to CI/CD pipelines. Generate a Software Bill of Materials (SBOM) for each release so you can quickly identify vulnerable components when new attacks surface.
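The lockfile review and the hash-pinning advice above can be checked mechanically. The script below is an added example, not code from the article or from any project: it parses a pip requirements/lockfile, flags the two LiteLLM releases named in the article, and reports every pin that carries no `--hash` line (which pip would install without verifying a digest). The sample lockfile it ships with is constructed for the demo and its digests are dummies.

```python
"""Audit a pip requirements/lockfile for the compromised LiteLLM releases and
for pins that carry no --hash integrity lines.

Added example, not the article's or any project's code. SAMPLE_LOCK is a
constructed lockfile written for this demo.
"""
import re
import sys

# Versions the article identifies as malicious (package name PEP 503-normalized).
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s;\\]+)")
HASH_RE = re.compile(r"--hash=(sha256:[0-9a-f]{64})")
COMMENT_RE = re.compile(r"(^|\s)#.*$")


def normalize(name):
    """PEP 503 normalization: 'LiteLLM' -> 'litellm', 'Lite_LLM' -> 'lite-llm'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return [{'name', 'version', 'hashes'}] for every '==' pinned line.

    Backslash-continued lines (the layout pip-compile --generate-hashes
    emits) are joined first so hashes on following lines belong to the pin.
    Options, URLs and unpinned specifiers are skipped.
    """
    logical, buf = [], ""
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical.append(buf)
        buf = ""
    if buf.strip():
        logical.append(buf)

    pins = []
    for entry in logical:
        m = PIN_RE.match(entry)
        if m:
            pins.append({"name": normalize(m.group(1)),
                         "version": m.group(3),
                         "hashes": HASH_RE.findall(entry)})
    return pins


def audit(pins, compromised=COMPROMISED):
    """Return (finding, name, version) tuples: COMPROMISED for a known-bad
    release, NO_HASH for a pin that pip cannot verify against a digest."""
    findings = []
    for p in pins:
        if p["version"] in compromised.get(p["name"], ()):
            findings.append(("COMPROMISED", p["name"], p["version"]))
        if not p["hashes"]:
            findings.append(("NO_HASH", p["name"], p["version"]))
    return findings


# Constructed sample: one hashed pin, one unhashed pin of a malicious
# release, one pin with two hashes (sdist + wheel). Digests are dummies.
SAMPLE_LOCK = (
    "# constructed sample lockfile, not from any real project\n"
    "openai==1.30.0 \\\n"
    "    --hash=sha256:" + "a" * 64 + "\n"
    "LiteLLM[proxy]==1.82.8\n"
    "requests==2.32.3 \\\n"
    "    --hash=sha256:" + "b" * 64 + " \\\n"
    "    --hash=sha256:" + "c" * 64 + "\n"
)


if __name__ == "__main__":
    # Usage: python audit_lock.py [requirements.txt]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for finding in audit(parse_requirements(text)):
        print("%-11s %s==%s" % finding)
```

A lockfile check only shows what was declared; pair it with the CI/CD and package-manager logs, since an unpinned or range-pinned dependency can have resolved to a malicious release during the window without that version ever appearing in the repository.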

Most importantly, abandon the assumption that popular packages or security-focused projects are inherently safe. The LiteLLM breach proves that Y Combinator backing, millions of downloads, and security tooling don’t prevent compromise. Defense in depth, continuous verification, and incident response planning aren’t optional anymore.

The partnership between TeamPCP’s technical sophistication and Lapsus$’s extortion operations signals a new era for supply chain attacks. More sophisticated, more targeted, more lucrative. The industry’s response over the next year will determine whether the current package ecosystem survives or needs fundamental redesign. For developers, the message is clear: trust nothing, verify everything, and plan for the breach you haven’t discovered yet.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
