What is the TeamPCP supply chain campaign?

TeamPCP compromised LiteLLM proxy library versions, harvesting credentials from AI/dev environments for downstream breaches like Mercor's.

How do I check if my org used vulnerable LiteLLM?

Audit deps for v1.82.7/1.82.8; rotate any exposed VPN/cloud/API creds immediately, per Mercor fallout.

Look for TruffleHog validation bursts, IAM/EC2/S3 enums, resources named "pawn" or "massive-exfil" in logs.

📋 Compliance & Policy

Mercor just admitted it: TeamPCP's LiteLLM poison pill hit hard. Wiz peels back the post-breach playbook, showing how attackers feast on cloud creds.

Threat Digest Apr 03, 2026 4 min read 13 views

Mercor confirms first official TeamPCP victim via LiteLLM creds, exposing 4TB data. 𝕏
Wiz reveals TeamPCP's 24-hour cloud enum playbook: IAM, EC2, S3 focus with bold naming. 𝕏
Rotate creds now—supply chain credential theft is active, not theoretical. 𝕏

Published by

Threat intelligence. Zero noise.

#LiteLLM compromise #Mercor breach #TeamPCP campaign #cloud enumeration #supply chain attack

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by SANS Internet Storm Center