Mercor $10B Data Breach via LiteLLM Supply Chain Attack

AI-Analyzed: Analysis generated by Gemini, reviewed editorially.

Why It Matters

This incident highlights the catastrophic vulnerability of AI supply chains and the permanent risk of biometric data theft in the industry.

Key Points

  • Hackers compromised Aqua Security's Trivy scanner to hijack the LiteLLM open-source proxy project.
  • A malicious version of LiteLLM (v1.82.8) was uploaded to PyPI, using a .pth file to auto-execute malware upon Python startup.
  • Mercor lost 4TB of data, including 3TB of biometric video interviews and KYC documents used for identity verification.
  • The breach is linked to developers using an AI coding assistant (Claude) with unrestricted system permissions.
  • The stolen data is currently being auctioned by the Lapsus$ hacking group, posing a permanent identity theft risk.

Mercor, an AI talent platform valued at $10 billion, has suffered a massive data breach affecting 4TB of sensitive data, including biometric face and voice recordings. The breach originated from a sophisticated supply chain attack targeting the popular open-source project LiteLLM. Attackers from the group TeamPCP initially compromised the Trivy security scanner by Aqua Security to gain credentials, which were then used to upload a malicious version of LiteLLM (v1.82.8) to PyPI. The malware utilized a hidden .pth file to execute code immediately upon Python startup, harvesting SSH keys and cloud tokens. Reports suggest Mercor developers inadvertently facilitated the breach by providing production credentials to an AI coding assistant running with elevated permissions. The stolen data, which includes source code and identity verification documents for 30,000+ contractors, is currently being auctioned by the Lapsus$ hacking group.
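The .pth technique described above works because Python's `site` module executes any line in a site-packages `.pth` file that begins with `import` followed by a space or tab. The audit below is an added example, not code from this page or from any project it names; it lists such lines for review, and its `SUSPICIOUS` token list is an assumed heuristic, not a set of indicators from the incident.

```python
"""Audit .pth files for lines that Python executes at interpreter startup."""
import site
import sys
from pathlib import Path

# Heuristic tokens: an assumption of this example, not indicators from the incident.
SUSPICIOUS = ("exec(", "eval(", "base64", "subprocess", "urllib", "socket", "compile(")


def executable_lines(pth_path):
    """Return (line_no, text) for each line the site module would exec()."""
    hits = []
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    for no, line in enumerate(text.splitlines(), 1):
        # site.py executes a line only if it starts with "import" + space or tab;
        # other non-comment lines are treated as directories to add to sys.path.
        if line.startswith(("import ", "import\t")):
            hits.append((no, line.strip()))
    return hits


def audit(dirs):
    """Scan directories for .pth files; return findings with HIGH sorted first."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue  # missing or unreadable site directory: nothing to scan
        for pth in sorted(d.glob("*.pth")):
            for no, line in executable_lines(pth):
                sev = "HIGH" if any(t in line for t in SUSPICIOUS) else "REVIEW"
                findings.append((sev, str(pth), no, line[:120]))
    return sorted(findings)


def default_dirs():
    """Site directories of the interpreter running this script."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return dirs


if __name__ == "__main__":
    # Usage: python audit_pth.py [DIR ...]; defaults to this interpreter's site dirs.
    for sev, path, no, line in audit(sys.argv[1:] or default_dirs()):
        print(f"[{sev}] {path}:{no}: {line}")
```

A REVIEW finding is not necessarily malicious: legitimate packages, such as editable installs, also ship executable `.pth` lines, so each hit should be traced back to the package that installed it.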

Imagine a $10 billion tech giant getting hacked not because of a bad password, but because a tiny tool they didn't even know they were using was 'poisoned'. A group of hackers broke into a security scanner, used it to sneak malware into a popular AI library called LiteLLM, and then waited for it to spread. At Mercor, developers were using an AI chatbot with too much power, which accidentally let the malware in. The hackers walked away with 4TB of data, including videos of people's faces and voices. Since you can't change your face like a password, these people's identities are now at permanent risk.

Sides

Critics

TeamPCP

The threat actor responsible for the initial compromise of the Trivy security scanner and the poisoning of LiteLLM.

Lapsus$

The hacking group currently auctioning the stolen 4TB of Mercor data on the dark web.

Defenders

No defenders identified

Neutral

Mercor

The victimized AI startup currently facing a massive data exfiltration crisis and potential legal liabilities.

Aqua Security

The provider of the Trivy scanner which served as the initial entry point for the attack chain.

LiteLLM Maintainers

The open-source developers whose project was hijacked to distribute malware via PyPI.

Noise Level

Murmur: 34

Noise Score (0–100): how loud a controversy is. Composite of reach, engagement, star power, cross-platform spread, polarity, duration, and industry impact, with 7-day decay.

Decay: 65%

  • Reach: 49
  • Engagement: 36
  • Star Power: 25
  • Duration: 100
  • Cross-Platform: 20
  • Polarity: 85
  • Industry Impact: 95

Forecast

AI Analysis: Possible Scenarios

Regulatory bodies are likely to mandate stricter 'Software Bill of Materials' (SBOM) requirements for AI companies to track deep dependencies. We can also expect a shift toward 'air-gapped' or highly restricted environments for AI coding assistants to prevent them from accessing production secrets.

Based on current signals. Events may develop differently.

Timeline

  1. Lapsus$ Auction Begins

    The hacking group lists the stolen Mercor database, source code, and biometric files for sale.

  2. Mercor Data Exfiltration

    Malware leverages developer AI assistant permissions to exfiltrate 4TB of data to a spoofed domain.

  3. LiteLLM Poisoned on PyPI

    Version 1.82.8 of LiteLLM is uploaded with a malicious .pth payload that harvests credentials.

  4. Trivy Scanner Compromised

    TeamPCP gains access to credentials through Aqua Security's Trivy tool.