Mercor Breach Traced to Malicious LiteLLM Packages in Supply-Chain Attack
AI recruiting firm Mercor confirmed a security incident after attackers leveraged the LiteLLM supply-chain compromise to gain access to its environment. Reports said unauthorized publishes to the project's PyPI packages introduced credential-stealing malware designed to harvest API keys, cloud secrets, and tokens from organizations using the open-source LLM gateway. Mercor said it was among thousands of organizations affected, contained and remediated the issue, and brought in external forensic experts as the investigation continued; LiteLLM separately said it was investigating the malicious package activity and released a clean version of the software.
Security reporting identified Mercor as the first publicly confirmed downstream victim of the campaign, with stolen credentials allegedly used for lateral movement inside internal infrastructure and the exfiltration of roughly 4 TB of data. The reportedly stolen data included source code, internal databases, and cloud-stored operational material such as videos and verification workflows. Researchers linked the incident to a broader wave of poisoned developer-tool compromises, including Trivy and KICS, and warned that related attacks may have impacted more than 1,000 SaaS environments and potentially hundreds of thousands of machines; separate claims by Lapsus$ and reporting tying the operation to TeamPCP remained unresolved in the cited coverage.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Reports detail Mercor data theft and lateral movement
Subsequent reporting said malicious LiteLLM packages stole credentials that were used to access Mercor's internal infrastructure, move laterally, and exfiltrate about 4 terabytes of data including source code, databases, and operational datasets. Separate reporting also noted claims that Mercor data had been obtained by attackers, which Mercor had not addressed at the time.
Mercor confirms security incident tied to LiteLLM compromise
Mercor confirmed it was affected by the LiteLLM supply-chain attack and said its security team moved quickly to contain and remediate the issue while an investigation continued with external forensic experts. Reporting described Mercor as the first publicly identified confirmed downstream victim.
LiteLLM releases a clean software version
LiteLLM released a clean version of its software after the malicious package issue was identified. The release was described as occurring on Monday.
LiteLLM discloses investigation into unauthorized PyPI publishes
LiteLLM said it was investigating unauthorized package publishes on PyPI and that a compromised user PyPI account may have been used to distribute malicious code.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
AI Firm Mercor Confirms Breach as Hackers Claim 4TB of Stolen Data
hackread.com
Open sourceMercor Breach Linked to LiteLLM Supply-Chain Attack
bankinfosecurity.com
Open sourceMercor Breach Linked to LiteLLM Supply-Chain Attack
govinfosecurity.com
Open sourceMercor confirms security incident tied to LiteLLM supply chain attack | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Meta Halts Mercor Work After LiteLLM Supply-Chain Breach Exposes Candidate Data
Meta paused work with AI hiring startup Mercor after Mercor disclosed a breach tied to the malicious `LiteLLM` packages `1.82.7` and `1.82.8`, which were published to PyPI after attackers stole the project’s publishing token through a compromised CI/CD chain involving Trivy tooling. Security reporting said the tainted packages harvested credentials and deployed a multi-stage backdoor capable of stealing API keys, cloud credentials, SSH keys, Kubernetes tokens, CI/CD secrets, database passwords, and other sensitive data, leading responders to treat affected environments as fully compromised. Mercor said the incident exposed source code and candidate information, while reports citing the attackers said as much as **4TB** of data was taken, including candidate profiles, personally identifiable information, employer data, and API keys, with one claim alleging access via `Tailscale` VPN. The fallout spread quickly across Mercor’s customers and partners: Meta reportedly froze contracts indefinitely while investigating whether AI training data or related secrets were at risk, OpenAI reviewed its own exposure while keeping contracts in place, and the breach triggered lawsuits and broader scrutiny of software supply-chain risk across the AI ecosystem.
May 25, 2026
TeamPCP Supply-Chain Attacks Poisoned Trivy, KICS, LiteLLM, Telnyx, and Bitwarden
A broad software supply-chain campaign attributed to **TeamPCP** compromised trusted developer and security tools, beginning with a poisoned **Trivy GitHub Action** after attackers allegedly stole a personal access token via a misconfigured `pull_request_target` workflow. Researchers said malicious commits were pushed to most Trivy action tags, allowing the attackers to steal CI/CD secrets, cloud credentials, SSH keys, Kubernetes configuration, and other sensitive data from downstream users. The campaign then spread through stolen credentials to additional projects, including **Checkmarx KICS**, **LiteLLM** versions `1.82.7` and `1.82.8` on PyPI, the **Telnyx SDK**, and later **Bitwarden CLI**, with malware exfiltrating data to attacker-controlled infrastructure such as `checkmarx[.]zone` and `models[.]litellm[.]cloud`. Reporting also tied the operation to hundreds of compromised systems and large-scale theft of `.env` files and secrets from cloud, AI, payment, database, and messaging environments. The fallout expanded beyond package poisoning into downstream intrusions and data leaks. **Checkmarx** confirmed that data later leaked by **LAPSUS$** came from its private GitHub repository and said the initial access was likely enabled by credentials exposed in the Trivy-related compromise; researchers also linked the broader campaign to **Bitwarden** through shared malware and command-and-control patterns. Malicious KICS Docker images, GitHub Actions, and editor extensions were reported to steal credentials and scan results, while Bitwarden’s CI/CD workflow was allegedly abused to expose an npm token and publish a tainted `@bitwarden/cli` release. Security researchers and vendors warned that the campaign shows how attackers are increasingly targeting open-source maintainers and security tooling as high-leverage entry points, with reported ties to extortion and ransomware groups including **LAPSUS$** and **Vect** raising the risk that stolen access will be resold or used for follow-on attacks.
Jun 10, 2026
Backdoored LiteLLM PyPI Releases Stole Secrets and Targeted Kubernetes Clusters
Malicious versions `1.82.7` and `1.82.8` of the widely used `litellm` Python package were uploaded to PyPI after attackers used compromised publishing access, turning a popular AI gateway library into a supply-chain malware delivery vehicle. Researchers and project maintainers said the tainted code was absent from the upstream GitHub repository, indicating the compromise occurred in the release pipeline or during package publication. The malware executed on import in `1.82.7`, while `1.82.8` added a `litellm_init.pth` file that triggered on every Python interpreter startup, greatly expanding exposure even beyond direct use of the package. PyPI removed or quarantined the malicious releases, and `1.82.6` was identified as the last known clean version. The payload harvested a broad range of secrets, including cloud credentials, SSH keys, API tokens, Kubernetes service-account tokens, database and CI/CD secrets, `.env` files, shell histories, TLS keys, and cryptocurrency wallet data, then encrypted and exfiltrated the data to attacker-controlled infrastructure including `models.litellm.cloud`. Multiple reports said the malware also attempted Kubernetes lateral movement by enumerating clusters, dumping secrets, and deploying privileged pods across nodes, while establishing Linux persistence through a disguised `systemd` user service that contacted `checkmarx.zone` for follow-on payloads. Researchers linked the intrusion with high confidence to **TeamPCP**, tying it to the earlier Trivy compromise and a broader campaign spanning GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI; organizations that installed and ran the affected versions were urged to assume full credential compromise, rotate secrets, inspect for persistence, and review Kubernetes environments for rogue activity.
Jun 15, 2026