▣ Breach MERCOR-LITELLM-SUP 2026-06-01

Mercor: LiteLLM Supply-Chain Compromise

On March 31, 2026, AI talent startup Mercor confirmed the theft of approximately 4TB of internal data following a cascading supply-chain attack tied to the compromise of LiteLLM, an open-source AI gateway library pulled roughly 95 million times per month. The intrusion, detailed in a post-mortem from security firm Halborn, has been linked to the extortion crew TeamPCP, with the Lapsus$ group subsequently claiming possession of the stolen data on its leak site. Mercor has stated it is "one of thousands of companies" affected by the same upstream compromise.

What Happened

The compromise of LiteLLM surfaced in mid-March 2026 when researchers identified malicious code in a package associated with the project. The poisoned release was pulled within hours, but by then it had already propagated through dependency resolvers into the build pipelines, CI runners, and runtime containers of countless downstream organizations. Mercor was among the victims, with attackers leveraging the tainted dependency to reach internal systems and exfiltrate roughly 4TB of data before the company became aware of the intrusion. The public disclosure came on Tuesday, March 31, 2026, when Mercor confirmed the breach to TechCrunch, the same day The Record reported TeamPCP's involvement and Lapsus$ posted Mercor's data to its extortion site.

What Was Taken

The exfiltrated 4TB trove is unusually broad in both scope and sensitivity. According to the Halborn post-mortem and Mercor's disclosures, the stolen data includes Slack archives covering internal company communications, source code repositories, ticketing and support logs, contractor passport scans, Social Security numbers belonging to U.S.-based contractors, and recordings of interviews conducted as part of Mercor's talent vetting process. Because Mercor recruits, vets, and pays the human experts who train frontier models for OpenAI, Anthropic, Meta, and Google, the data touches the operational substrate of nearly every major AI lab.

Why It Matters

Mercor sits at a structural chokepoint of the modern AI economy. A breach at this layer is not a contained startup incident: it is a window into the contractor pipelines, payment flows, and evaluation methodologies of the labs building frontier models. The LiteLLM angle compounds the damage. With 95 million monthly downloads, the library is embedded in the AI tooling of thousands of organizations, meaning the same compromise vector that hit Mercor almost certainly produced quiet, undisclosed footholds elsewhere. For defenders, the incident is a concrete demonstration that AI-specific open-source infrastructure has become a high-value supply-chain target on par with traditional package ecosystems.

The Attack Technique

Halborn's reconstruction describes a multi-stage cascading supply-chain attack. The attacker first compromised Trivy, the open-source vulnerability scanner widely deployed in DevSecOps pipelines, and used that foothold to insert malicious code into a LiteLLM package. The tainted package was published, ingested by automated dependency resolvers across the ecosystem, and executed inside build and runtime environments before the malicious version was detected and removed. During the hours the package was live, every downstream environment that pulled the release effectively granted the attacker code execution inside its CI and production containers, which in Mercor's case enabled bulk data exfiltration from Slack, source code stores, and contractor records systems.
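The exfiltration described above ran from build and runtime containers, which is exactly where a volumetric egress check would have fired. The following is an added example, not Mercor's or Halborn's tooling: a sliding-window detector that aggregates outbound bytes per host over ten-minute windows and raises an alert when a host exceeds a multiple of its baseline. The flow-log format, host names, destinations, byte counts and baselines are all constructed for the demonstration; a real deployment would read them from NetFlow/VPC flow logs and a historical baseline store.

```python
"""Volumetric egress alerting for CI runners and inference proxies.

Added example (not from the Halborn post-mortem). Every value below is
constructed: the log format, the hosts, the destinations and the baselines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# One flow record per line: timestamp, source host, destination, bytes sent.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+dst=(?P<dst>\S+)\s+bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample: ci-runner-03 behaves normally, ci-runner-07 pushes
# ~1.6 GB to an external address inside one ten-minute window.
SAMPLE_FLOWS = """\
2026-03-20T10:00:00Z host=ci-runner-03 dst=registry.internal:443 bytes_out=12000000
2026-03-20T10:01:00Z host=ci-runner-07 dst=198.51.100.23:443 bytes_out=300000000
2026-03-20T10:02:00Z host=ci-runner-03 dst=registry.internal:443 bytes_out=8000000
2026-03-20T10:04:00Z host=ci-runner-07 dst=198.51.100.23:443 bytes_out=300000000
2026-03-20T10:07:00Z host=ci-runner-07 dst=198.51.100.23:443 bytes_out=1000000000
2026-03-20T10:30:00Z host=ci-runner-07 dst=registry.internal:443 bytes_out=5000000
"""

WINDOW = timedelta(minutes=10)
# Constructed per-host baseline: bytes normally sent per WINDOW. In practice
# this comes from historical flow data rather than a hard-coded table.
BASELINE = {"ci-runner-03": 50_000_000, "ci-runner-07": 50_000_000}
DEFAULT_BASELINE = 50_000_000
MULTIPLIER = 10  # alert when a host sends more than 10x its baseline per window


def parse_flow(line: str):
    """Return (timestamp, host, dst, bytes) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["host"], m["dst"], int(m["bytes"])


def detect_bulk_egress(text: str, baseline=BASELINE, window=WINDOW,
                       multiplier=MULTIPLIER) -> list[dict]:
    """Slide a per-host window over the records (assumed time-ordered) and
    return one alert per record that pushes the host over its limit."""
    recent = defaultdict(deque)   # host -> deque of (ts, bytes) inside window
    totals = defaultdict(int)     # host -> bytes currently inside window
    alerts = []
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, host, dst, nbytes = rec
        q = recent[host]
        q.append((ts, nbytes))
        totals[host] += nbytes
        # Expire records that fell out of the window.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            totals[host] -= old
        limit = baseline.get(host, DEFAULT_BASELINE) * multiplier
        if totals[host] > limit:
            alerts.append({
                "host": host,
                "at": ts.isoformat(),
                "bytes_in_window": totals[host],
                "limit": limit,
                "last_dst": dst,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_egress(SAMPLE_FLOWS):
        print(alert)
```

The detector raises at 10:04 and again at 10:07 for ci-runner-07 and stays silent for ci-runner-03 and for the quiet record at 10:30, because by then the earlier transfers have aged out of the window. A real pipeline would suppress the repeat alert within an episode and enrich with the destination's reputation, but the core signal, a build agent's outbound volume jumping an order of magnitude above its norm, is what step 4 of the recommendations below asks for.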

What Organizations Should Do

  1. Audit all LiteLLM and Trivy versions pinned in production, CI, and developer workstations against the known-bad release window published by Halborn, and rotate any credentials that were exposed to those environments.
  2. Enforce dependency pinning and cryptographic verification for AI gateway and security tooling, treating them as Tier 1 supply-chain components rather than commodity dev dependencies.
  3. Segment CI/CD runners and AI gateway hosts from data stores containing PII, source code, and Slack exports, so a compromised dependency cannot directly reach sensitive corpora.
  4. Implement egress monitoring and volumetric alerting on build agents and inference proxies, where 4TB-scale exfiltration should be a deafening signal rather than ambient noise.
  5. Review contractor and HR data handling: passport scans and SSNs should not be co-located with engineering systems reachable from a tainted dependency.
  6. Subscribe to upstream security advisories for AI-specific OSS (LiteLLM, vLLM, LangChain, Trivy) and pre-stage an incident playbook for fast pinning, rollback, and credential rotation when the next poisoned release lands.
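Steps 1 and 2 above amount to a mechanical check over every lock file in the estate: is each AI-gateway or security-tooling dependency pinned to an exact version, is that version outside the known-bad window, and is the artifact hash-pinned so a resolver cannot silently substitute a different build? The following is an added example, not Mercor's or Halborn's code, that performs that audit on a pip-style requirements file with `--hash` lines. The known-bad version windows are placeholders; the real window is whatever Halborn's advisory states, and the sample lock file is constructed.

```python
"""Audit a pip-style lock file for unsafe LiteLLM/Trivy pins.

Added example, not project code. KNOWN_BAD holds PLACEHOLDER version ranges;
substitute the release window from Halborn's advisory before real use.
"""
import re
from dataclasses import dataclass

# PLACEHOLDER inclusive version windows (constructed, not the real advisory).
KNOWN_BAD = {
    "litellm": ("1.0.0", "1.0.1"),
    "trivy": ("0.99.0", "0.99.0"),
}

# Constructed sample lock file in requirements.txt syntax.
SAMPLE_LOCK = """\
# pinned and hash-locked: fine
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
# inside the placeholder bad window and no hash
litellm==1.0.1
# floating range: any future poisoned release would resolve
fastapi>=0.100
# outside the bad window and hash-locked: fine
trivy==0.98.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
"""

REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][^\s;]*)?")


@dataclass
class Finding:
    package: str
    spec: str
    issue: str


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric-only comparison key; enough for the X.Y.Z versions used here."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def join_continuations(text: str) -> list[str]:
    """Merge backslash-continued lines so each requirement is one string."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def audit_lock(text: str, known_bad=KNOWN_BAD) -> list[Finding]:
    """Flag unpinned specs, versions inside a known-bad window, and missing hashes."""
    findings = []
    for line in join_continuations(text):
        if line.startswith(("#", "-")):   # comments and pip options
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        if op != "==":
            findings.append(Finding(name, line, "not pinned with ==; resolver may pull any release"))
        elif name in known_bad:
            lo, hi = known_bad[name]
            if parse_version(lo) <= parse_version(ver) <= parse_version(hi):
                findings.append(Finding(name, line, f"version {ver} inside known-bad window {lo}..{hi}"))
        if "--hash=" not in line:
            findings.append(Finding(name, line, "no --hash pin; artifact cannot be verified at install"))
    return findings


if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        print(f"{f.package:10} {f.issue}")
```

Run against the sample, the audit reports four findings: the LiteLLM pin sits inside the placeholder window and lacks a hash, and the floating `fastapi` spec is both unpinned and unhashed; `requests` and `trivy` pass. The same loop can be pointed at every requirements file, Dockerfile-generated lock and CI cache in the estate, and any hit on a gateway or scanner package should trigger the credential rotation from step 1 for every environment that installed it.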

Sources: Mercor Hit: 4TB Stolen via LiteLLM (95M Downloads) [2026]