AI recruitment company Mercor has recently revealed that it was affected by the LiteLLM supply chain breach, during which attackers claimed to have stolen 4 terabytes of sensitive data. This breach, part of the broader Trivy supply chain attack, occurred on March 27.
Details of the LiteLLM Breach
The origin of the LiteLLM incident is linked to the Trivy dependency used in LiteLLM’s continuous integration and continuous deployment (CI/CD) security processes. According to LiteLLM, compromised credentials allowed the TeamPCP hacking group to release two malicious versions of the LiteLLM PyPI package, specifically 1.82.7 and 1.82.8, which were available for download for a brief period of 40 minutes.
Despite the short window, the packages were likely downloaded by numerous users, including Mercor, as LiteLLM is integrated into 36% of cloud environments worldwide.
Mercor’s Response and Investigation
Mercor confirmed that it is one of the many companies affected by the supply chain attack involving LiteLLM. In response, Mercor’s security team acted swiftly to contain and mitigate the incident. The company is currently conducting a comprehensive investigation with the aid of top forensic experts to understand the extent and implications of the breach.
While Mercor has not provided specific details regarding the impact, the Lapsus$ extortion group has listed Mercor on its leak site. They claim the stolen data includes candidate profiles, personal information, employer data, user credentials, video interviews, proprietary information, source code, and TailScale VPN details.
Collaboration Between TeamPCP and Lapsus$
Recent reports have highlighted a partnership between TeamPCP and Lapsus$, aimed at monetizing the data and access acquired through a widespread supply chain campaign. The appearance of Mercor on Lapsus$’s leak site aligns with this strategy, although Mercor has yet to officially confirm these claims.
Inquiries have been sent to Mercor for further comments on the situation, and updates will follow as more information becomes available.
