Mercor becomes first public victim of cascading LiteLLM supply chain attack

AI recruiting startup Mercor has become the first publicly confirmed downstream victim of the cascading LiteLLM supply chain attack, revealing it was "one of thousands of companies" compromised after threat actors exploited the February Trivy vulnerability scanner breach.

The admission from Mercor follows extortion claims by Lapsus$ that it stole 4 TB of data from the AI recruiting firm, including 939 GB of source code. The company stated its security team "moved promptly to contain and remediate the incident" and is conducting a "thorough investigation" with third-party forensics experts.

How the attack chain unfolded

The compromise began in late February when TeamPCP, the threat actor group behind the attacks, compromised Trivy, an open-source vulnerability scanner maintained by Aqua Security. A month later, they injected credential-stealing malware into the scanner. The same crew then targeted other popular open-source projects, including Checkmarx's KICS static analysis tool and publishing malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI).

According to Google-owned cloud security firm Wiz, researchers observed "indications in Cloud, Code, and Runtime evidence that the credentials and secrets stolen in the supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data."

Industry-wide impact

Cisco confirmed awareness of the Trivy supply chain issue affecting the industry, stating it launched an assessment and found "no evidence of impact on our customers, products, or services" to date. However, the networking giant declined to answer whether any of its systems were accessed by the attackers.

Threat intelligence firm vx-underground estimates data thieves have exfiltrated data and secrets from 500,000 machines. At the RSA Conference, Mandiant Consulting CTO Charles Carmakal revealed knowledge of "over 1,000 impacted SaaS environments" actively dealing with the cascading effects.

"That 1,000-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000," Carmakal warned. "And we know that these actors are collaborating with a number of other actors right now."

Expanding threat actor ecosystem

The attack campaign has evolved beyond TeamPCP's initial compromise. According to Palo Alto Networks' Unit 42, the group is now partnering with ransomware gangs CipherForce and Vect to leak data and extort victims.

High-profile extortion groups like Lapsus$ are working directly with TeamPCP, leveraging the stolen credentials from the supply chain attacks. This collaboration represents a concerning evolution in cybercrime operations, where initial access brokers and extortion groups form symbiotic relationships to maximize their returns.

What this means for the industry

The Mercor incident demonstrates how supply chain attacks can create cascading effects across the technology ecosystem. What began as a compromise of a single open-source tool has expanded into a multi-faceted campaign affecting thousands of organizations, with the potential for the victim count to grow exponentially.

For companies using open-source tools, this incident underscores the importance of:

• Monitoring for compromised dependencies
• Implementing robust credential rotation policies
• Maintaining comprehensive incident response plans
• Conducting regular security assessments of the software supply chain

The attack also highlights the growing sophistication of threat actor collaboration, where different criminal groups specialize in various aspects of the attack chain and work together to maximize impact and profitability.

As the investigation continues, security researchers expect more companies to come forward as victims of this supply chain compromise, potentially revealing the full scope of the attack's impact on the technology industry.