Lapsus$ extortion group accessed Mercor data via a compromised LiteLLM open-source package, affecting thousands of companies using the widely-deployed AI proxy library.
Mercor, a $10B AI recruiting startup, confirmed a security breach tied to a supply chain attack on LiteLLM — an open-source LLM proxy library downloaded millions of times daily. The attack was linked to hacking group TeamPCP, with Lapsus$ subsequently claiming credit and leaking sample data. LiteLLM has since changed its compliance vendor from Delve to Vanta. The full scope of affected companies and data exposure remains under investigation.
LiteLLM is one of the most widely used open-source LLM proxy libraries — millions of daily downloads means it's likely in your production stack right now. A supply chain compromise means malicious code could have been executed in your environment without any misconfiguration on your end. The attack vector is the dependency itself, not your app code, which makes standard security reviews insufficient.
Run a dependency audit on your current LiteLLM version against known compromised release ranges using Snyk CLI — if you're pulling from PyPI without a pinned version hash, you're exposed. Pin the version and rotate any API keys that passed through LiteLLM's request pipeline.
Open your terminal in the project where LiteLLM is installed
Tags
Signals by role
Also today
Tools mentioned