Full Report
First public downstream victim, but won't be the last

AI hiring startup Mercor confirmed it was "one of thousands of companies" affected by the LiteLLM supply-chain attack as the fallout from the Trivy compromise continues to spread.…
Analysis Summary
# Incident Report: LiteLLM Supply-Chain Compromise (Mercor Downstream Impact)
## Executive Summary
Mercor, an AI hiring startup, confirmed it was one of thousands of organizations compromised following a supply-chain attack on the LiteLLM open-source library. The threat actor group TeamPCP injected credential-stealing malware into LiteLLM (and other tools like Trivy), allowing them to harvest secrets and exfiltrate approximately 4 TB of data from Mercor, including nearly 1 TB of source code. The incident is part of a massive global campaign affecting over 500,000 machines and 1,000+ SaaS environments.
## Incident Details
- **Discovery Date:** Late March / Early April 2026 (Publicly confirmed April 1, 2026)
- **Incident Date:** February – March 2026
- **Affected Organization:** Mercor (First confirmed public downstream victim)
- **Sector:** AI / Human Resources / Technology
- **Geography:** Global (Headquartered in USA)
## Timeline of Events
### Initial Access
- **Date/Time:** Late February 2026
- **Vector:** Supply Chain Compromise (Upstream)
- **Details:** Threat actor group "TeamPCP" compromised the **Trivy** vulnerability scanner, followed by the **KICS** static analysis tool and **LiteLLM**. Malicious code was injected into these tools to steal credentials and environment secrets.
### Lateral Movement
- **Details:** Stolen credentials (API keys, cloud secrets, and SSH keys) were "quickly validated" by attackers to move from local developer environments or CI/CD pipelines into broader cloud and SaaS infrastructure.
### Data Exfiltration/Impact
- **Details:** Extortion group **Lapsus$** (collaborating with TeamPCP) claimed credit for the theft of **4 TB of total data**, which specifically included **939 GB of Mercor source code**. The data was subsequently offered for sale on underground forums.
### Detection & Response
- **How it was discovered:** Likely via external threat intelligence reports (Wiz/Unit 42) and subsequent public claims by the Lapsus$ extortion crew.
- **Response actions taken:** Mercor engaged third-party forensics experts, isolated affected environments, and initiated a "thorough investigation" to contain the breach.
## Attack Methodology
- **Initial Access:** Downstream infection via malicious updates in LiteLLM (PyPI) and Trivy.
- **Persistence:** Utilization of stolen long-lived cloud credentials and API tokens.
- **Privilege Escalation:** Not explicitly detailed, but believed to involve the use of administrative secrets harvested by the initial malware.
- **Defense Evasion:** Use of legitimate open-source tools as "Trojan" carriers to bypass traditional perimeter defenses.
- **Credential Access:** Credential-stealing malware injected into developer tools (Trivy/KICS/LiteLLM).
- **Discovery:** Automated validation of stolen secrets to map out victim cloud environments.
- **Lateral Movement:** Transition from local dev environments to source code repositories and SaaS storage.
- **Collection:** Bulk collection of source code and internal databases.
- **Exfiltration:** Large-scale transfer of terabytes of data to actor-controlled infrastructure.
- **Impact:** Data extortion and public leak of sensitive proprietary source code.
## Impact Assessment
- **Financial:** High (Potential for loss of IP and costs related to forensics and remediation).
- **Data Breach:** Critical (4 TB of data; ~939 GB of source code).
- **Operational:** Moderate (Investigation and remediation efforts are resource-intensive).
- **Reputational:** High (Public admission of being a victim in a widely publicized supply-chain attack).
## Indicators of Compromise
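- **Network indicators:** Connections to hxxps[://]pypi[.]org/project/litellm (during the period of infection). This is the legitimate PyPI project page, so the indicator helps scope which hosts may have pulled the package in that window rather than identifying actor infrastructure.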
- **File indicators:** Malicious versions of `trivy`, `kics`, or `litellm` binaries/packages.
- **Behavioral indicators:** Unusual credential validation patterns; unauthorized access to source code repositories from non-standard IP ranges.
## Response Actions
- **Containment:** Rotation of all secrets and credentials potentially exposed via LiteLLM/Trivy.
- **Eradication:** Removal of compromised package versions from CI/CD pipelines.
- **Recovery:** Full audit of source code repositories for unauthorized clones or persistence mechanisms.
## Lessons Learned
- **Dependency Risks:** Over-reliance on third-party open-source libraries (LiteLLM) and security tools (Trivy) creates a single point of failure.
- **Secret Management:** Plain-text credentials in environments parsed by these tools allowed for immediate lateral movement.
- **Actor Collaboration:** The emergence of "partnerships" between initial access brokers (TeamPCP) and extortion experts (Lapsus$, CipherForce) accelerates the speed from breach to data leak.
## Recommendations
- **Software Composition Analysis (SCA):** Pin package versions and use private mirrors/proxies to vet updates before deployment.
- **Secret Masking:** Implement automated scanners to ensure environment variables and config files do not contain long-lived secrets.
- **Runtime Monitoring:** Monitor CI/CD environments for unexpected outbound network traffic to unknown domains.
- **Zero Trust:** Apply "Least Privilege" to API tokens used by developer tools to limit the scope of a potential compromise.
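
The pinning recommendation and the eradication step above can be checked mechanically. The following is an added example, not code from the report or from any of the named projects: it audits a pip requirements file for unpinned entries, pins without `--hash`, and versions on a deny-list. The deny-list version `0.0.0`, the sample file and the function names are assumptions, since the report does not list the affected releases.

```python
import re

# Placeholder deny-list: the report names the packages but not the bad
# releases. "0.0.0" is a stand-in; fill the sets from the vendor advisories.
COMPROMISED = {"litellm": {"0.0.0"}}

# Constructed sample requirements file (hash values are stand-ins).
SAMPLE = """\
# app dependencies
litellm==0.0.0 \\
    --hash=sha256:aaaa
requests>=2.0
pyyaml==6.0.1
Flask==3.0.0 --hash=sha256:bbbb
"""

REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
PIN = re.compile(r"==\s*([^\s;,*]+)(?=\s|;|,|$)")

def logical_lines(text):
    """Join backslash continuations; drop comments, blanks and pip options."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line and not line.startswith("-"):
            yield line

def audit(text, denylist=COMPROMISED):
    """Return (package, problem) pairs for one requirements file."""
    findings = []
    for line in logical_lines(text):
        m = REQ.match(line)
        if not m:
            findings.append((line, "unparsed line"))
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 name
        pin = PIN.match(m.group(2))
        if not pin:
            findings.append((name, "not pinned to an exact version"))
            continue
        if pin.group(1) in denylist.get(name, ()):
            findings.append((name, "version on deny-list"))
        if "--hash=" not in m.group(2):
            findings.append((name, "pinned without --hash"))
    return findings

if __name__ == "__main__":
    for package, problem in audit(SAMPLE):
        print(f"{package}: {problem}")
```

Once every entry carries a hash, `pip install --require-hashes -r requirements.txt` makes pip refuse any artifact whose digest does not match, so a republished or swapped release fails at install time.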