LiteLLM supply‑chain breach

A supply‑chain attack on LiteLLM — a widely used AI gateway — reportedly exfiltrated data from Mercor and led Meta to pause contracts, highlighting that model‑delivery tooling can become an attack vector. The incident underscores third‑party supply risk for platforms that integrate external model gateways or agent runtimes (x.com).

Meta has paused work with Mercor after a breach that Mercor linked to the open-source tool LiteLLM, and WIRED reported the pause was indefinite as of April 5. Mercor sits in the middle of the artificial intelligence data pipeline, supplying contractors and training work to labs including Meta, OpenAI, and Anthropic. (wired.com)

The surprise is where the break-in started. LiteLLM is not a model company or a cloud provider; it is a gateway layer that lets one app talk to many model providers through one interface, like a power strip that connects one wall socket to a whole desk of devices. (docs.litellm.ai)

On March 24, LiteLLM said two Python Package Index (PyPI) releases, versions 1.82.7 and 1.82.8, were compromised and then removed. The team said the bad packages were live for about 40 minutes before PyPI quarantined them. (github.com, docs.litellm.ai)

The malicious code was nasty because it did not wait for a developer to import LiteLLM. A `.pth` file inside version 1.82.8 would run automatically every time the Python interpreter started, because Python's site module executes any line in a site-packages `.pth` file that begins with `import`. It is like a booby trap that fires when you open the toolbox, not when you use one specific wrench. (github.com)

LiteLLM said the compromise came through a Trivy security-scanner dependency in its release pipeline. Trend Micro said the broader campaign was tied to TeamPCP, which used upstream developer tooling to reach downstream packages that many companies trusted. (docs.litellm.ai, trendmicro.com)

That matters because an artificial intelligence gateway often holds the keys to everything around it. Trend Micro said tools like LiteLLM can concentrate application programming interface keys, cloud credentials, and routing logic in one place, so one poisoned package can turn a convenience layer into a collection point for secrets. (trendmicro.com)

Mercor said it was “one of thousands of companies” hit by the attack chain. Cybernews reported that attackers claimed to have taken 4 terabytes of Mercor data, including source code and databases, though Mercor has been investigating the full scope with outside forensics. (neowin.net, cybernews.com)

The reason Meta reacted so fast is that Mercor was not handling generic office files. The company was involved in training-data operations, and The Next Web reported that the exposed material may have included training methodologies used by Meta, OpenAI, and Anthropic. (thenextweb.com, wired.com)

LiteLLM's response shows how seriously the maintainers took the hit. The project rotated maintainer accounts, paused releases, brought in Google's Mandiant and Veria Labs, and shipped version 1.83.0 through a rebuilt pipeline with isolated environments and ephemeral credentials. (github.com, docs.litellm.ai)

The bigger lesson is that the weak point in artificial intelligence stacks may be the plumbing between systems, not the model at the end of the call. If your gateway, agent runtime, or logging layer touches model keys, customer prompts, and cloud access at once, a supply-chain bug there can spill all three in a single move. (trendmicro.com, docs.litellm.ai)
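The `.pth` trick described above is documented Python behaviour, and it is worth checking your own build agents and runtimes for it. What follows is an added example written for this page, not LiteLLM's code and not the actual payload: it walks the interpreter's site-packages directories, finds every `.pth` file, and reports the lines Python would execute at start-up, rating a bare `import pkg` (the legitimate idiom used by virtualenv shims and editable installs) as informational and anything chained with `;` or reaching for exec/base64-style helpers as high. The two sample `.pth` contents, the `demo()` helper and the suspicious-call list are constructed for the example; the list is a heuristic, not a signature for this incident.

```python
"""Audit Python .pth files for code that executes at interpreter start-up.

Added example, not LiteLLM's code. Python's site module executes any line
in a site-packages .pth file that starts with "import" followed by a
space or tab; every other line is treated as a path to append to
sys.path. A malicious wheel only needs to drop such a file to run on
every interpreter start without ever being imported by the application.
"""
from __future__ import annotations

import re
import site
import tempfile
from pathlib import Path

# site.py executes only lines that begin with "import" plus whitespace.
EXEC_LINE = re.compile(r"^import[ \t]")
# Heuristic: calls a legitimate one-line namespace shim has no reason to make.
SUSPICIOUS = re.compile(
    r"exec\(|eval\(|compile\(|__import__|base64|marshal|zlib|"
    r"subprocess|socket|urlopen|getenv|environ"
)

# Constructed samples for demo(); neither is taken from a real package.
BENIGN_PTH = "/opt/venv/lib/extra\nimport _virtualenv\n"
DROPPER_PTH = "import os, sys; exec(__import__('base64').b64decode('...'))\n"


def classify_pth(text: str) -> list[dict]:
    """Return one finding per line that site.py would execute."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not EXEC_LINE.match(line):
            continue  # plain path entry: added to sys.path, never executed
        # A bare "import pkg" is the documented idiom. Anything chained
        # with ";" or touching the suspicious set deserves a human look.
        risk = "high" if ";" in line or SUSPICIOUS.search(line) else "info"
        findings.append({"line": lineno, "risk": risk, "text": line.strip()})
    return findings


def audit(dirs: list[str] | None = None) -> dict[str, list[dict]]:
    """Scan .pth files in dirs (default: this interpreter's site dirs)."""
    if dirs is None:
        dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    report: dict[str, list[dict]] = {}
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for pth in sorted(base.glob("*.pth")):
            findings = classify_pth(pth.read_text(errors="replace"))
            if findings:
                report[str(pth)] = findings
    return report


def demo() -> dict[str, list[dict]]:
    """Write the two constructed samples to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "benign.pth").write_text(BENIGN_PTH)
        Path(tmp, "dropper.pth").write_text(DROPPER_PTH)
        return audit([tmp])


if __name__ == "__main__":
    # Audit the interpreter that is running this script.
    for path, findings in audit().items():
        for f in findings:
            print(f"{f['risk']:4} {path}:{f['line']}: {f['text']}")
```

Run it inside each interpreter you care about (a CI runner's virtualenv counts more than a laptop, since the runner is what builds and signs the next release). A clean result is not proof of safety, only that nothing in this environment hooks interpreter start-up through `.pth`; pair it with pinned, hash-checked installs so a quarantined release cannot be re-fetched later.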


Shared from Scout - Be the smartest in the room.