Top 5 · 2026-04-01 · source-backed
Mercor Confirms 4TB Breach via LiteLLM Supply Chain Attack. If You Use LiteLLM, Check Your Versions Now.
Story
A single compromised GitHub Actions workflow. That's all it took.
TechCrunch reports AI recruiting startup Mercor ($10B valuation) confirmed a security incident traced back to a supply chain attack on the open-source LiteLLM proxy. The attack chain is a case study in cascading dependencies. Attackers first compromised Trivy's GitHub Actions workflow. From there, they stole LiteLLM's PyPI publishing token. Then they pushed malicious versions 1.82.7 and 1.82.8 to PyPI that exfiltrated SSH keys, .env files, cloud credentials, and crypto wallets. Lapsus$ claims 4TB of Mercor data including source code and databases. Mercor says they were "one of thousands of companies" affected.
Thousands. LiteLLM is downloaded millions of times daily. Ben Thompson at Stratechery published an analysis the same day arguing AI will make security worse short-term before it gets better. Hard to argue with that when a single compromised CI workflow can cascade into 36% of cloud environments being exposed.
The ugly truth is this attack wasn't sophisticated. It was patient. Trivy to GitHub Actions to PyPI to LiteLLM to Mercor. Each hop was a well-known attack surface. The defense should have been well-known too: pin dependency versions, verify package signatures, audit your CI pipeline's secret exposure. Most teams don't do any of that for their Python dependencies.
If you're running LiteLLM in production, check your installed version right now. If it's 1.82.7 or 1.82.8, you need to rotate every credential that environment had access to. Not tomorrow. Now. Then audit your PyPI dependency pinning strategy, because this won't be the last supply chain attack that targets the AI tool layer. The attacker surface keeps growing as every team adds more AI dependencies, and most of those dependencies don't have the security scrutiny that older, established packages get.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / Earlier coverage
TeamPCP Goes Multi-Ecosystem: CanisterWorm Hits npm, LAPSUS$ Collaboration Surfaces, and a Bug in the Attacker's Own Code Was the Only Thing That Caught It
Both cover GitHub Actions, LAPSUS, LiteLLM, PyPI; overlapping topics (action, attack, attacker, cloud, compromised); earlier GitHub Actions coverage from 2026-03-25.
CISA Confirms: Your AI Security Scanner Got Backdoored. Federal Deadline Is April 8.
Both cover Attackers, GitHub Actions, LiteLLM, PyPI; overlapping topics (action, attack, attacker, chain, litellm); earlier Attackers coverage from 2026-03-28.
LiteLLM Got Backdoored. The Attack Vector? Their Own Security Scanner.
Both cover LiteLLM, PyPI, Python, SSH; overlapping topics (action, attack, cloud, litellm, pypi); earlier LiteLLM coverage from 2026-03-24.
The Security Scanner Was the Attack Vector. 10,000 CI/CD Workflows Compromised.
Both cover GitHub Actions, LiteLLM, SSH, Trivy; overlapping topics (action, attack, attacker, chain, dependency); earlier GitHub Actions coverage from 2026-03-27.
Shared entities / Shared topic / What happened next
North Korea Backdoored Axios. 100 Million Weekly Downloads, 3 Hours of Exposure, and a RAT on Every Platform.
Both cover GitHub Actions, LiteLLM, Mercor, PyPI; overlapping topics (action, attack, chain, dependency, supply); picks up the GitHub Actions thread on 2026-04-02.
Shared entities / Shared topic / Earlier coverage
Google's Agent Development Kit Had an Unpinned LiteLLM Dependency During an Active Supply Chain Compromise
Both cover LiteLLM, PyPI, Python; overlapping topics (attack, audit, chain, dependency, litellm); earlier LiteLLM coverage from 2026-03-30.
Shared entities / Same source domain / Shared topic / Earlier coverage
Axios Compromised: 83 Million Weekly Downloads, a RAT in Your node_modules, and a 3-Hour Window That Could've Gotten You
Both cover LiteLLM, PyPI; reported by the same outlet (techcrunch.com); overlapping topics (attack, chain, check, compromised, dependency).
Shared entities / Shared topic / What happened next
The Largest npm Worm of 2026 Carries Valid Supply Chain Attestations. That's the Real Problem.
Both cover GitHub Actions, PyPI; overlapping topics (action, attack, attacker, chain, check); picks up the GitHub Actions thread on 2026-05-13.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — April 1, 2026
- AI generated
- no
- Story unit
- 2026-04-01-mercor-confirms-4tb-breach-via-litellm-supply-chain-attack-if-you-use-litellm-check-your-version
- Labels
- source-backed, canonical briefing excerpt