LiteLLM Supply Chain Attack: North Korea's New AI Startup Targeting Strategy — How Mercor Hack Exposes Critical Vulnerabilities in AI Development Tool Ecosystem and Open-Source Dependencies
2026-04-04T00:04:07.521Z
A 40-Minute Window That Compromised the AI Ecosystem
On March 24, 2026, malicious versions of LiteLLM — the open-source Python library that serves as the universal API gateway for over 100 large language model providers — were uploaded to PyPI and remained available for approximately 40 minutes. In that narrow window, the package, which sees millions of downloads per day and is present in roughly 36% of all cloud environments according to Wiz research, was pulled into an estimated 500,000 machines and over 1,000 SaaS environments. The most prominent victim to emerge publicly is Mercor, a $10 billion AI recruiting startup whose data was subsequently claimed by the extortion group Lapsus$, which says it exfiltrated 4 terabytes of sensitive information.
This was not an isolated incident. It was the culmination of a cascading supply chain campaign orchestrated by a threat group known as TeamPCP, which began with the compromise of the Trivy security scanner and expanded across npm, Checkmarx KICS, LiteLLM, and Telnyx. Running in parallel, North Korean state actor Sapphire Sleet executed a separate supply chain attack on the Axios npm package. Together, these events represent the most significant coordinated assault on the AI and developer tooling ecosystem to date.
Background: The Convergence of AI Growth and Supply Chain Risk
LiteLLM occupies a uniquely sensitive position in the modern AI stack. Developers use it to route prompts across OpenAI, Anthropic, Google, Azure, and dozens of other LLM providers through a single unified interface. It has become foundational infrastructure for AI agents, RAG pipelines, prompt routing systems, and multi-model orchestration layers. Its ubiquity made it an extraordinarily high-value target — a single compromised package could harvest API keys and credentials for virtually every major AI service simultaneously.
Mercor, founded in 2023, operates an AI-powered recruiting platform that connects domain experts — scientists, doctors, lawyers, and other specialists — with AI companies that need high-quality training data. After raising $350 million in a Series C round led by Felicis Ventures in October 2025, the company achieved a $10 billion valuation. Its client roster includes Anthropic, OpenAI, and Meta, placing it at a critical juncture in the AI data supply chain.
The broader context is equally alarming. According to a 2026 open-source risk analysis report, mean vulnerabilities per codebase climbed from 280 to 581 in a single year — more than doubling. Sixty-five percent of surveyed organizations reported experiencing a software supply chain attack in the past year. The AI ecosystem, with its rapid adoption cycles, heavy reliance on open-source packages, and automated CI/CD pipelines, has become the ideal attack surface for sophisticated threat actors.
Technical Deep Dive: Anatomy of the TeamPCP Cascading Attack
The Kill Chain: From Trivy to LiteLLM
Datadog Security Labs' comprehensive analysis reveals a five-stage campaign spanning March 19–27, 2026. The initial vector was the compromise of Trivy v0.69.4, a widely used open-source vulnerability scanner maintained by Aqua Security, on March 19. Attackers used stolen credentials to publish the malicious release, which contained code designed to exfiltrate sensitive data including CI/CD tokens and package registry credentials.
Between March 20–22, a self-propagating npm worm spread across 45+ packages with destructive Kubernetes payloads. On March 23, Checkmarx and OpenVSX extensions were compromised. The critical escalation came on March 24, when LiteLLM versions 1.82.7 and 1.82.8 were published to PyPI between 08:30 and 11:25 UTC using a PyPI token stolen during the Trivy compromise.
Malicious Payload Architecture
Version 1.82.7 embedded malicious code in litellm/proxy/proxy_server.py, requiring explicit module import for execution. Version 1.82.8 represented a significant escalation: it included a .pth file (litellm_init.pth) that executes automatically whenever the Python interpreter starts. As Wiz researchers noted, this "effectively bypasses simple inspection techniques" through double base64-encoded payloads executed via subprocess. The implication is severe — the malware ran on every Python process in any environment where the compromised LiteLLM was installed, regardless of whether the application actually imported LiteLLM.
The payload's execution sequence was sophisticated and methodical. First, it harvested environment variables, SSH keys, cloud credentials for AWS, GCP, and Azure, Kubernetes tokens, database credentials, and cryptocurrency wallets. The collected data was encrypted using AES-256 session keys with RSA-4096 key wrapping before exfiltration to models.litellm[.]cloud via HTTP headers. The malware then established persistence at ~/.config/sysmon/sysmon.py with a systemd service unit, polled checkmarx[.]zone/raw for follow-on payloads, and created privileged node-setup-* pods in Kubernetes environments to achieve cluster-wide access.
The Mercor Breach: Scale and Consequences
Lapsus$ claimed to have exfiltrated 4 terabytes from Mercor, including 939 GB of source code, candidate profiles and personally identifiable information, employer data, API keys and secrets, Tailscale VPN usage data, and video recordings of AI system interviews with contractors. The group published alleged stolen materials including Slack communications and internal ticketing data, and offered to auction the data to the highest bidder.
Mercor spokesperson Heidi Hagberg confirmed the company "moved promptly to contain and remediate the incident" with third-party forensics support, though the company notably did not respond to questions about whether confidential AI project data belonging to clients like OpenAI and Anthropic was compromised. A class action lawsuit representing more than 40,000 affected individuals has already been filed.
North Korean State Actors: Parallel Strikes on Developer Infrastructure
The LiteLLM attack did not occur in isolation from nation-state activity. On March 31, 2026, Microsoft Threat Intelligence formally attributed the Axios npm supply chain attack to Sapphire Sleet, a North Korean state actor active since at least 2020. Malicious versions 1.14.1 and 0.30.4 of Axios — a JavaScript HTTP client with over 70 million weekly downloads — were injected with dependencies that downloaded remote access trojans targeting macOS, Windows, and Linux systems. Google separately attributed the attack to North Korean group UNC1069.
The timing was described as "perfectly timed" by security researchers, coinciding with the accelerating adoption of AI coding agents that install packages and write code "without any review or guardrails." North Korean threat actors had already been escalating their developer-targeted campaigns throughout early 2026: publishing 26 malicious npm packages with Pastebin-based command-and-control infrastructure, deploying malicious VS Code projects as backdoor delivery mechanisms, and leveraging AI to enhance fraudulent IT worker infiltration schemes.
While no direct link between TeamPCP and North Korean state actors has been formally established, the near-simultaneous targeting of AI and developer infrastructure by both criminal and state-sponsored groups underscores a convergent threat landscape where the AI supply chain is being attacked from multiple vectors concurrently.
Industry Impact: A Reckoning for AI Supply Chain Security
The scale of downstream impact is staggering. Threat hunters at vx-underground estimate data exfiltration from approximately 500,000 machines, while Mandiant reported over 1,000 impacted SaaS environments actively dealing with cascading effects. TeamPCP's documented collaboration with multiple criminal organizations — Lapsus$ for extortion, CipherForce and Vect for ransomware — suggests a systematic monetization strategy reminiscent of the 2023 Cl0p/MOVEit campaign.
Cisco acknowledged awareness of the Trivy supply chain issue but stated it found "no evidence of impact on customers, products, or services," while declining to clarify whether attackers accessed any Cisco systems. The incident has prompted a wave of security advisories from Datadog, Wiz, Snyk, ReversingLabs, Kaspersky, and the Cloud Security Alliance, all recommending that affected organizations treat the compromise as a "full-credential exposure event."
GitHub's analysis of security across 67 open-source AI projects, combined with Cisco's 2026 State of AI Security report, paints a picture of an ecosystem where AI models, datasets, plugins, and third-party dependencies introduce risks that most organizations simply are not monitoring.
Outlook: Redefining Supply Chain Security for the AI Era
The LiteLLM incident exposes a fundamental architectural vulnerability in the AI ecosystem: tools that aggregate credentials for dozens of AI services create catastrophic single points of failure. When a library that holds the keys to OpenAI, Anthropic, Google, and Azure is compromised, the blast radius extends across the entire AI infrastructure.
Remediation guidance from major security firms converges on several imperatives: identify all hosts, containers, and CI jobs running affected versions; rotate every credential reachable from compromised runtimes with priority on CI/CD and publishing tokens; hunt for outbound traffic to known C2 domains; audit Kubernetes logs for unauthorized secret access or privileged pods; and rebuild systems from known-good images with pinned, verified dependencies.
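The indicators described in the payload section (the two malicious versions, the auto-executing litellm_init.pth, the ~/.config/sysmon persistence path) and the first remediation step above, identifying hosts running affected versions, can be turned into a host check. The following is an added example, not code from the article, from the cited researchers, or from the LiteLLM project; the heuristics it applies to .pth content are my own assumption about what separates the described loader from legitimate entries.

```python
import re
import site
from importlib.metadata import PackageNotFoundError, version
from pathlib import Path

COMPROMISED_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}          # named in the article
MALICIOUS_PTH_NAME = "litellm_init.pth"                      # named in the article
PERSISTENCE_PATH = Path.home() / ".config/sysmon/sysmon.py"  # named in the article

# site.py exec()s every .pth line that starts with "import"; a legitimate one is a bare
# module import, so a line that decodes base64, spawns a subprocess or chains statements
# with ';' deserves review. Assumed heuristic: setuptools' distutils-precedence.pth is a
# known benign hit that an analyst simply recognises.
SUSPICIOUS_TOKENS = re.compile(r"base64|subprocess|exec\(|eval\(|__import__|;")

def classify_pth(name: str, text: str) -> list:
    """Return reasons a .pth file looks suspicious; an empty list means benign."""
    reasons = []
    if name == MALICIOUS_PTH_NAME:
        reasons.append("filename matches the .pth shipped in litellm 1.82.8")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("import"):
            continue  # plain path entries only extend sys.path, they never execute
        hit = SUSPICIOUS_TOKENS.search(line)
        if hit:
            reasons.append(f"line {lineno}: executable import line contains {hit.group(0)!r}")
    return reasons

def litellm_is_compromised(installed) -> bool:
    """True when the installed litellm version is one the article names as malicious."""
    return installed in COMPROMISED_LITELLM_VERSIONS

def scan_host() -> dict:
    """Findings for this interpreter: bad version, persistence artifact, suspect .pth files."""
    try:
        ver = version("litellm")
    except PackageNotFoundError:
        ver = None
    findings = {"litellm_version": ver, "litellm_compromised": litellm_is_compromised(ver),
                "persistence_present": PERSISTENCE_PATH.exists(), "suspicious_pth": {}}
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        for pth in Path(d).glob("*.pth"):
            reasons = classify_pth(pth.name, pth.read_text(errors="replace"))
            if reasons:
                findings["suspicious_pth"][str(pth)] = reasons
    return findings
```

Run scan_host() under every interpreter on a host (system Python, each venv, CI runner images), since each has its own site-packages and the .pth mechanism fires per interpreter.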
Looking ahead, the emergence of AI-assisted supply chain attacks — where malicious intent is expressed through natural-language prompts rather than explicit network callbacks — represents a paradigm shift that complicates conventional detection. As the OpenSSF warned in its 2025 predictions, the intersection of AI, state actors, and supply chains defines the most dangerous battleground of 2026 cybersecurity. Every organization building with AI must immediately adopt dependency auditing, package integrity verification, credential isolation, and zero-trust supply chain strategies — or risk becoming the next Mercor.
Key Takeaways
The LiteLLM supply chain attack and Mercor breach represent a watershed moment for AI infrastructure security. The combination of open-source trust assumptions, credential centralization in AI gateway tools, weak token management in CI/CD pipelines, and coordinated targeting by both criminal syndicates and nation-state actors has created an unprecedented threat surface. With 36% of cloud environments running LiteLLM, 500,000 machines potentially compromised, and state-sponsored groups like Sapphire Sleet simultaneously striking developer tooling, the message is unambiguous: the AI development ecosystem's security posture must evolve as rapidly as the technology it supports, or the very tools building the future of AI will become its greatest vulnerability.