What caused the Mercor LiteLLM supply chain attack?

TeamPCP compromised Trivy deps, pushing bad PyPI packages for 40 minutes. Auto-downloads hit Mercor's CI/CD.

What data did Lapsus$ steal from Mercor?

Allegedly 4TB: candidate PII, video interviews, source code, keys, Tailscale VPN data. Mercor unconfirmed.

How widespread is the LiteLLM breach risk?

LiteLLM in 36% cloud envs; thousands likely pulled malicious versions before takedown.

Mercor's 4TB Nightmare: LiteLLM's Supply Chain Poison Reaches AI Hiring Giant

LiteLLM lurks in 36% of cloud environments — and now it's bitten Mercor hard. Extortionists boast 4TB of pilfered data, from video interviews to VPN creds.

Threat Digest Apr 03, 2026 3 min read 10 views

⚡ Key Takeaways

LiteLLM's 36% cloud prevalence turned a 40-minute PyPI slip into thousands of potential victims, including Mercor. 𝕏
Lapsus$ claims 4TB Mercor data theft — PII, code, creds — highlighting AI firms' OSS vulnerabilities. 𝕏
Supply chain attacks like this echo SolarWinds; AI startups must harden deps or face trust implosion. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#Lapsus$ extortion #LiteLLM attack #Mercor breach #supply chain attack

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by SecurityWeek

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

Mercor Breach Exposes TeamPCP's LiteLLM Rampage in Real Time

Axios npm Poisoning: Hackers Hijack Your Dev Secrets via 100M Downloads

North Korean Hackers' Slick Slack Trick: Inside the Axios npm Compromise

North Korea Poisons Axios NPM with RATs in Bold Supply Chain Hit

Stay in the loop