A supply chain compromise in the widely used LiteLLM open-source project led to a data breach that impacted thousands of companies, including AI recruiting startup Mercor. The incident has been linked to hacking group TeamPCP while extortion group Lapsus$ also claimed access, and investigations are ongoing with limited clarity about the scope and exposed data. #Mercor #LiteLLM
Keypoints
- The Mercor data breach originated from malicious code discovered in a LiteLLM package.
- Mercor reported it was “one of thousands of companies” affected and has engaged third-party forensics for a thorough investigation.
- The compromise has been attributed to TeamPCP, while Lapsus$ has claimed it accessed Mercor’s data, leaving responsibility and methods uncertain.
- LiteLLM’s millions of daily downloads mean a brief compromise can cause widespread supply chain impact across the AI ecosystem.
- LiteLLM has updated compliance and security processes (including switching from Delve to Vanta), but the full scope and any exposed data remain unclear.