Back to Home

LiteLLM Hack: Attack on PyPI and Mercor Leak

Hacker Group TeamPCP Compromised LiteLLM via Trivy, Publishing Malicious Versions on PyPI. The Attack Led to Leak of Secrets and 4 TB of Mercor Data. The Material Breaks Down the Mechanism, Consequences, and Protection Measures for Developers.

Hackers Hacked LiteLLM: 97 Million Installations at Risk
Advertisement 728x90

# Supply Chain Attack on LiteLLM: How Hackers Breached AI Startup Mercor

The AI platform Mercor, which specializes in recruiting for training AI models, fell victim to an attack through the compromise of the Python library LiteLLM. The incident hit a platform valued at $10 billion that pays out over $2 million daily to contractors. Hackers compromised Trivy, gained access to PyPI, and released malicious versions 1.82.7 and 1.82.8 of the library, which is used as a proxy for LLM APIs.

Attack Mechanism via PyPI

The attack kicked off on March 24 when the TeamPCP group hacked the Trivy vulnerability scanner, extracted a publishing token, and uploaded infected LiteLLM packages. The library gets downloaded 97 million times a month and serves as a unified interface to models from OpenAI, Anthropic, and others.

The malicious code activated upon installation, without needing to import litellm. It extracted:

Google AdInline article slot
  • SSH keys;
  • Cloud credentials;
  • Kubernetes secrets;
  • Provider API keys.

The breach was discovered due to a malware glitch: a .pth file triggered recursive process forking, causing a fork bomb that crashed an engineer's system at FutureSearch and exposed the incident.

Consequences for Mercor and the Ecosystem

The Lapsus$ group claimed to have stolen 4 TB of Mercor data via Tailscale VPN. The dump includes:

  • 939 GB of source code;
  • 211 GB user database;
  • 3 TB of video interviews and verification documents.

Analysis of samples revealed data from Slack, ticket systems, and AI agent logs. Mercor confirmed it contained the incident but declined to comment on client data leaks. LiteLLM removed the versions, paused releases, and switched compliance providers to Vanta.

Google AdInline article slot

This is part of the TeamPCP campaign: Axios was previously compromised in npm, with over 60 packages affected across various registries.

Supply Chain Vulnerabilities in the Python Ecosystem

LiteLLM, as a proxy for LLM APIs, is critical for AI applications. The attack highlights risks like:

  • Reliance on open packages without verification;
  • Lack of sandboxing during installation;
  • Massive distribution scale (97 million installs/month).

Developers are advised to:

Google AdInline article slot
  • Verify package hashes before installing;
  • Use virtual environments with pinned versions;
  • Monitor dependencies with tools like Dependabot or Snyk;
  • Audit supply chains using the SLSA framework.

Key Takeaways

  • Threat Scale: One compromised dependency impacted thousands of AI projects using LiteLLM as a gateway to LLMs.
  • Technical Details: The malware stole secrets during pip install, without runtime imports, via the .pth mechanism.
  • Response: PyPI removed the packages, LiteLLM is conducting an audit; Mercor hired forensic experts.
  • Broader Context: The TeamPCP campaign hit >60 packages, including in npm.

The incident underscores the need for zero-trust approaches in supply chain security for AI infrastructure.

— Editorial Team

Advertisement 728x90

Read Next