LiteLLM Supply Chain Attack Hits 500,000 Machines in AI's Worst Breach

April 03, 2026

A supply chain attack targeting LiteLLM, the widely used open-source library that connects applications to AI services from OpenAI, Anthropic, and other providers, has rapidly escalated into one of the most damaging cybersecurity incidents the AI industry has ever faced. The hacking group TeamPCP compromised a maintainer's credentials and published two malicious versions of the package on PyPI — versions 1.82.7 and 1.82.8 — which remained available for approximately 40 minutes before being identified and pulled. In that narrow window, credential-harvesting malware spread with alarming speed. Security researchers at vx-underground estimate that data was exfiltrated from roughly 500,000 machines.

The most prominent victim to emerge so far is Mercor, a three-year-old AI recruiting startup that achieved a $10 billion valuation after raising $350 million in a Series C round led by Felicis Ventures. Mercor recruits domain experts across medicine, law, literature, and other fields to provide training data that improves AI models for major clients including OpenAI, Anthropic, and Meta. The notorious extortion gang Lapsus$ claims to have obtained up to 4 terabytes of Mercor's data, encompassing 939 gigabytes of source code, database records, Slack conversations, and internal ticketing information. Two videos allegedly showing conversations between Mercor's AI systems and contractors have also surfaced on Lapsus$ leak sites.

The scale of the cascading damage was underscored at RSA Conference, where Mandiant Consulting CTO Charles Carmakal confirmed that Google's incident response unit was aware of more than 1,000 impacted SaaS environments actively dealing with the fallout. The breach was not an isolated event. TeamPCP had already compromised Aqua Security's Trivy vulnerability scanner and Checkmarx's KICS tool in late February, injecting credential-stealing malware across multiple popular open-source security and AI tools before pivoting to PyPI poisoning — a pattern suggesting careful planning and a broad attack surface.

Mercor spokesperson Heidi Hagberg offered a measured response, stating that "the privacy and security of our customers and contractors is foundational to everything we do at Mercor." The company has not publicly detailed the full scope of data exposed, but according to Fortune, the nature of Mercor's business — recruiting human experts who interact with frontier AI systems — raises particular concerns about the sensitivity of the compromised information. Contractors who provided personal details and professional credentials to participate in AI training programs may now face targeted phishing or identity theft.

What makes this incident especially alarming to the broader security community is TeamPCP's announced intention to collaborate with ransomware groups CipherForce and Vect to systematically target companies affected by the stolen credentials. Security researchers fear a prolonged extortion campaign reminiscent of the 2023 Cl0p MOVEit attack, which breached hundreds of organizations and affected nearly 100 million individuals. Teams at Wiz and Palo Alto Networks Unit 42 are actively tracking the fallout as stolen credentials continue to be validated and used to probe victim environments.

The incident exposes a structural vulnerability at the heart of the AI industry: its deep dependence on open-source infrastructure maintained by small teams with limited security resources. LiteLLM is downloaded millions of times daily and serves as connective tissue between countless applications and the APIs of major AI providers. A single compromised maintainer account was enough to inject malicious code into a package trusted implicitly by developers worldwide. The 40-minute exposure window, while brief, proved more than sufficient for automated systems to pull the poisoned versions and propagate the malware across vast numbers of environments.

For an industry racing to deploy AI systems at unprecedented scale, the LiteLLM breach serves as a stark warning. The security of frontier AI applications is only as strong as the weakest link in their software supply chain — and that chain, in many cases, runs through community-maintained packages with minimal gatekeeping. As the investigation continues and the full roster of affected organizations comes into focus, the pressure on AI companies and their investors to fund robust supply chain security measures will only intensify.

Sources & References

  1. Security Update: Suspected Supply Chain Incident — LiteLLM
  2. Incident Report: LiteLLM/Telnyx Supply-Chain Attacks — PyPI Blog
  3. Mercor Says It Was Hit by Cyberattack Tied to LiteLLM — TechCrunch
  4. Mercor Confirms It Was the Victim of a Major Cybersecurity Breach — Fortune
  5. Mercor AI Confirms Data Breach Following Lapsus$ Claims — Cybersecurity News
  6. Weaponizing the Protectors: TeamPCP's Supply Chain Attack — Palo Alto Networks Unit 42
  7. Tracking TeamPCP: Investigating Post-Compromise Attacks — Wiz Blog
  8. 1K+ Cloud Environments Infected via Trivy Attack — The Register
  9. Mercor Quintuples Valuation to $10B with $350M Series C — TechCrunch