AI recruiting biz Mercor says it was 'one of thousands' hit in LiteLLM supply-chain attack

AI recruiting startup Mercor confirmed it is among thousands of companies impacted by a supply-chain attack involving the LiteLLM library, which resulted in the theft of internal source code.

Key Points

  • Mercor confirmed a security breach following the compromise of the LiteLLM open-source library, which was targeted by the threat group TeamPCP.
  • Extortion group Lapsus$ reportedly stole 4 TB of data, including 939 GB of Mercor source code, and is attempting to sell the information.
  • TeamPCP initiated the campaign by compromising the Trivy vulnerability scanner in February, subsequently injecting malware into KICS, LiteLLM, and Telnyx packages.
  • Security researchers estimate the campaign has impacted over 1,000 SaaS environments and potentially compromised credentials on 500,000 individual machines.
  • Other major organizations, including Cisco, are currently investigating potential exposure related to the widespread Trivy supply-chain incident.

Why it Matters

This incident highlights the escalating risk of supply-chain attacks, in which malicious code injected into widely used open-source tools gives attackers broad access to the downstream corporate environments that install them. With the group that compromised the packages and an extortion group that monetizes the stolen data reportedly working in concert, affected companies face data exfiltration and extortion that can expose proprietary source code and sensitive customer information.
Source: The Register (theregister.com), published by Jessica Lyons