Logistics cyberattack tied to LiteLLM

The Mercor cyberattack has been linked to vulnerabilities in LiteLLM software, reportedly affecting thousands of companies and exposing a new frontier of digital supply‑chain risk where LLM dependencies touch core logistics systems. The incident underlines the need for supplier cyber‑resilience and deeper software‑supply‑chain mapping. (thecyberexpress.com)

Two malicious LiteLLM releases, versions 1.82.7 and 1.82.8, were published to PyPI on March 24, 2026, and the project’s security post says those packages were live for roughly 40 minutes before being quarantined. (docs.litellm.ai)

Security researchers say the attacker was TeamPCP, which gained the maintainer’s PyPI credentials after a compromise of the Trivy security scanner used in LiteLLM’s CI/CD pipeline and then pushed the backdoored packages. (snyk.io) The backdoor techniques differed by version: 1.82.8 added a litellm_init.pth that executed on every Python startup, while the malicious payloads harvested SSH keys, cloud credentials and Kubernetes secrets and attempted lateral movement and persistence. (securitylabs.datadoghq.com)

LiteLLM’s reach magnified the blast radius: vendors report roughly 3.4 million downloads per day (≈100M/month) and direct dependencies across major AI agent frameworks, meaning thousands of downstream environments potentially saw credential exposure. (snyk.io; comet.com)

AI recruiting startup Mercor confirmed it was “one of thousands” affected and said it moved to contain the incident while engaging third‑party forensics; extortion group Lapsus$ later claimed to have taken data and posted sample files that included Slack and ticketing artefacts. (techcrunch.com; theregister.com) Some reports allege the Mercor haul totaled about 4TB, including 939GB of source code, a 211GB user database and multi‑TB candidate video files, though those figures come from third‑party postings tied to Lapsus$ claims and remain unverified by Mercor. (tornews.com; theregister.com)

Public remediation steps documented by LiteLLM and security vendors include rolling back to safe package versions, rotating exposed keys and tokens, and auditing Kubernetes clusters for persistence. They also note that customers using the official LiteLLM Proxy Docker image were not impacted by the poisoned PyPI releases. (docs.litellm.ai; dev.to)
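
The two indicators named above, the malicious version numbers and the litellm_init.pth startup hook, can be checked in a local Python environment. The following is an added example, not code from LiteLLM or the cited vendors; the function names are hypothetical, and it relies on the standard behaviour of Python's `site` module, which executes any `.pth` line that begins with `import`.

```python
import site
import sysconfig
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}   # malicious releases named on this page
BAD_PTH = "litellm_init.pth"          # startup hook named on this page


def executable_pth_lines(pth_path):
    """Return the lines of a .pth file that site.py would exec at startup.

    site.py treats lines beginning with 'import' + space/tab as code;
    every other non-comment line is only a path appended to sys.path.
    """
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def scan_site_dir(site_dir):
    """Scan one site-packages directory and return (kind, detail) findings."""
    findings = []
    root = Path(site_dir)
    if not root.is_dir():
        return findings
    for pth in sorted(root.glob("*.pth")):
        if pth.name == BAD_PTH:
            findings.append(("known-bad-pth", str(pth)))
        for line in executable_pth_lines(pth):
            findings.append(("pth-exec-line", f"{pth.name}: {line[:80]}"))
    for dist in metadata.distributions(path=[str(root)]):
        name = (dist.metadata.get("Name") or "").lower()
        if name == "litellm" and dist.version in BAD_VERSIONS:
            findings.append(("bad-litellm-version", dist.version))
    return findings


def site_dirs():
    """All site-packages directories of the running interpreter."""
    dirs = set(site.getsitepackages()) if hasattr(site, "getsitepackages") else set()
    dirs.add(site.getusersitepackages())
    dirs.add(sysconfig.get_paths()["purelib"])
    return sorted(dirs)


if __name__ == "__main__":
    for d in site_dirs():
        for kind, detail in scan_site_dir(d):
            print(f"{d}: {kind}: {detail}")
```

A `pth-exec-line` finding is a review item rather than proof of compromise, since legitimate packages and editable installs also ship `.pth` files with `import` lines. A clean result does not replace the key rotation described above for any environment that installed either version during the exposure window.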
