Halborn — Mercor Lost 4 TB via LiteLLM Supply-Chain Breach
AI relevance: Mercor's AI talent platform connects experts who train frontier models for OpenAI, Anthropic, Meta, and Google — a cascading supply-chain compromise through poisoned LiteLLM packages turned a routine dependency into an ecosystem-level data breach.
What happened
- On March 31, 2026, Mercor confirmed it had been hit by a supply-chain attack traced to the compromise of LiteLLM, an open-source AI gateway library downloaded roughly 95 million times per month.
- Security firm Halborn published a post-mortem describing a multi-stage chain: the attacker first compromised Trivy, an open-source vulnerability scanner in DevSecOps pipelines, then leveraged that foothold to inject malicious code into a LiteLLM package on PyPI.
- The poisoned package was pulled within hours, but with 95 million monthly downloads, that window was long enough to propagate into build pipelines, CI runners, and runtime containers of "thousands of companies."
- Mercor lost approximately 4 TB of internal data, including Slack archives, source code, ticketing logs, contractor passport scans, Social Security numbers, and interview recordings.
- The attacker — identified as TeamPCP with subsequent claims by the Lapsus$ extortion group — reused credentials stolen from a prior vulnerability scanner breach to access PyPI.
- The Halborn write-up describes credential exfiltration from downstream environments, lateral movement into Mercor's infrastructure, and data staging to external servers.
- Mercor told TechCrunch it was "one of thousands of companies" affected by the same compromise, making this one of the widest-impact AI supply-chain incidents of 2026.
Why it matters
- LiteLLM sits at a central choke point of AI infrastructure — it routes authentication, billing, and model calls across hundreds of LLM providers. Compromising it enables credential harvesting from every downstream deployment at scale.
- The attack demonstrates how a single compromised open-source dependency in the AI tooling layer can cascade through CI/CD pipelines into runtime environments without the organization's awareness.
- TeamPCP has now been linked to the compromises of Trivy, KICS, LiteLLM, DurableTask, and dozens of npm packages — showing sustained, cross-ecosystem supply-chain targeting.
- Mercor's position as a recruiting hub for frontier model trainers means the stolen data touches almost every major AI lab on Earth, raising the stakes well beyond a single breach.
What to do
- Audit every system that depends on LiteLLM, including transitive dependencies. Pin versions and verify checksums against known-good releases.
- Rotate all PyPI tokens, CI/CD secrets, and cloud credentials that were accessible from any environment where LiteLLM or Trivy was installed.
- Enable PyPI trusted publishing and artifact signing (e.g., Sigstore) for all AI infrastructure packages in your supply chain.
- Monitor CI/CD runner memory for credential extraction — TeamPCP's malware extracted PYPI_PUBLISH tokens directly from runner memory.
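One way to carry out the pin-and-verify step above, as an added example that is not Halborn's or Mercor's code: audit a hash-pinned requirements file against a known-good release manifest, flagging unpinned packages, entries without `--hash`, unknown versions, and digest mismatches. The manifest, versions and digests are constructed placeholders; a real manifest would be filled from release attestations verified out of band.

```python
"""Audit a hash-pinned requirements file against a known-good release manifest.
Added example, not Halborn's or Mercor's code; the manifest, versions and
digests below are constructed placeholders, not real LiteLLM releases."""
import re

# Constructed known-good manifest: name -> version -> allowed sha256 digests.
# Populate it from release attestations you verified out of band (e.g. Sigstore),
# never from the same PyPI index you are trying to validate.
KNOWN_GOOD = {
    "litellm": {"1.0.0": {"a" * 64}},
    "requests": {"2.31.0": {"b" * 64}},
}
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+")
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([^\s;]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def parse_lockfile(text):
    """Join backslash continuations; yield (name, version|None, {digests})."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option
            continue
        name = NAME_RE.match(line).group(0).lower().replace("_", "-")
        pin = PIN_RE.match(line)
        version = pin.group(2) if pin else None
        yield name, version, set(HASH_RE.findall(line))

def audit(text, known_good=KNOWN_GOOD):
    """Return [(package, finding)]; an empty list means the lockfile is clean."""
    findings = []
    for name, version, digests in parse_lockfile(text):
        if version is None:
            findings.append((name, "not pinned with =="))
        elif not digests:
            findings.append((name, "no --hash; pip cannot verify the artifact"))
        elif name in known_good:
            good = known_good[name].get(version, set())
            if not good:
                findings.append((name, f"version {version} not in known-good manifest"))
            elif not digests <= good:
                findings.append((name, "hash mismatch against known-good release"))
    return findings

# Constructed lockfile: litellm matches, requests has a wrong digest, openai is unpinned.
SAMPLE = "litellm==1.0.0 \\\n    --hash=sha256:%s\nrequests==2.31.0 --hash=sha256:%s\nopenai>=1.0\n" % ("a" * 64, "c" * 64)

if __name__ == "__main__":
    for pkg, finding in audit(SAMPLE):
        print(f"{pkg}: {finding}")
```

Packages not in the manifest are only checked for pinning and the presence of a hash; extend KNOWN_GOOD to cover every dependency you want verified against a specific release.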
Sources
- TechCrunch — Mercor says it was hit by cyberattack tied to compromise of open-source LiteLLM project
- Tech Insider — Mercor Hit: 4TB Stolen via LiteLLM
- eSecurity Planet — TeamPCP Compromised LiteLLM in AI Supply Chain Attack
- STAR Labs — Race Against The Patch: Four Exploit Chains in LiteLLM
- The Record — Mercor confirms security incident tied to LiteLLM