[{"data":1,"prerenderedAt":142},["ShallowReactive",2],{"article-slug-lapsus-claims-theft-of-4tb-of-data-from-ai-firm-mercor-in-supply-chain-attack":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":35,"sources":36,"events":43,"mitre_techniques":47,"mitre_mitigations":60,"d3fend_countermeasures":89,"iocs":94,"cyber_observables":101,"tags":113,"extract_datetime":117,"article_type":118,"impact_scope":119,"pub_date":40,"reading_time_minutes":128,"createdAt":117,"updatedAt":129,"updates":130},"188517d8-5771-46db-b25c-d3dcb110e017","lapsus-claims-theft-of-4tb-of-data-from-ai-firm-mercor-in-supply-chain-attack","Lapsus$ Claims Theft of 4TB of Data from AI Firm Mercor in LiteLLM Supply Chain Attack","Lapsus$ Claims 4TB Data Theft from AI Firm Mercor Following LiteLLM Supply Chain Attack","AI recruiting firm Mercor has confirmed it was impacted by a recent supply chain attack targeting the open-source LiteLLM PyPI package. The incident occurred on March 27, when malicious versions `1.82.7` and `1.82.8` of LiteLLM were published for about 40 minutes. Following the incident, the notorious extortion group Lapsus$ claimed responsibility, listing Mercor on its data leak site and alleging the theft of over 4 terabytes of data. Mercor is currently investigating the breach with third-party forensic experts. The attack originated from a compromise of a dependency used in Mercor's CI/CD workflow, highlighting the cascading risks in the software supply chain.","## Executive Summary\nThe AI recruiting startup **Mercor** has become a high-profile victim of a recent software supply chain attack that targeted the open-source **LiteLLM** project. The company confirmed it was impacted after malicious versions of the **LiteLLM** PyPI package were published on March 27. The incident has been exacerbated by a claim from the notorious extortion group **[Lapsus$](https://attack.mitre.org/groups/G0139/)**, which has listed **Mercor** on its data leak site and boasted of stealing over 4 terabytes of data. This attack underscores the significant and cascading risks of supply chain security, where a brief compromise of one component can lead to a catastrophic breach for downstream users.\n\n---\n\n## Threat Overview\nThe incident is a multi-layered supply chain attack. The attack chain appears to be as follows:\n1.  **Initial Dependency Compromise:** The attack reportedly began with the compromise of **Trivy**, a dependency that **Mercor** used in its CI/CD security scanning pipeline.\n2.  **Maintainer Credential Theft:** The threat actor, identified as **TeamPCP**, used credentials stolen from a compromised maintainer to gain publishing rights to the **LiteLLM** PyPI package.\n3.  **Malicious Publication:** On March 27, **TeamPCP** published two malicious versions of **LiteLLM**: `1.82.7` and `1.82.8`. These versions were available for download for approximately 40 minutes.\n4.  **Downstream Compromise:** **Mercor**, using **LiteLLM** in its environment, pulled one of the malicious versions during this window, leading to a compromise of its systems.\n5.  **Extortion and Data Leak:** The **Lapsus$** group subsequently claimed to have exploited this access to exfiltrate 4TB of data from **Mercor** and is now using this claim for extortion.\n\nThis incident highlights how quickly a supply chain compromise can be weaponized. The 40-minute window was enough for the malicious package to be integrated into a company's systems, leading to a major data breach.\n\n## Technical Analysis\nThe attack demonstrates several key TTPs associated with modern supply chain and extortion attacks:\n- **[`T1195.002 - Compromise Software Supply Chain: Compromise Software`](https://attack.mitre.org/techniques/T1195/002/):** The core of the attack was the injection of malicious code into the **LiteLLM** PyPI package.\n- **[`T1078 - Valid Accounts`](https://attack.mitre.org/techniques/T1078/):** Attackers used a compromised maintainer's credentials to publish the malicious code, a hallmark of groups like **Lapsus$**.\n- **[`T1567 - Exfiltration Over Web Service`](https://attack.mitre.org/techniques/T1567/):** **Lapsus$**'s claim of stealing 4TB of data implies the use of large-scale data exfiltration techniques, likely over standard web protocols to blend in with normal traffic.\n- **[`T1659 - Content Injection`](https://attack.mitre.org/techniques/T1659/):** Malicious code was injected into the legitimate LiteLLM package.\n\n**Lapsus$** is known for its focus on high-impact data theft and extortion, often gaining initial access through social engineering or compromising developer accounts rather than using sophisticated malware.\n\n## Impact Assessment\nFor **Mercor**, the impact is severe and multi-faceted:\n- **Massive Data Breach:** The alleged theft of 4TB of data could include highly sensitive information, such as client data, candidate PII, proprietary source code, and internal company documents. This poses an immense privacy and security risk.\n- **Reputational Damage:** Being publicly named on a leak site by a group like **Lapsus$** causes significant damage to a company's reputation and erodes customer trust, which is particularly damaging for a recruiting firm.\n- **Financial Loss:** The costs of forensic investigation, remediation, potential regulatory fines (e.g., GDPR), and potential loss of business will be substantial.\n- **Intellectual Property Theft:** The loss of proprietary AI models and source code could be devastating for an AI-focused startup.\n\nThe broader impact on the open-source community is a further erosion of trust in public package registries and a stark reminder of the fragility of the software supply chain.\n\n## Detection & Response\n**Mercor** has taken the correct initial steps by containing the incident and engaging third-party forensic experts.\n\nFor other potential victims:\n1.  **Dependency Check:** Immediately check all Python environments and `requirements.txt` files for the malicious **LiteLLM** versions (`1.82.7`, `1.82.8`).\n2.  **Log Review:** Analyze CI/CD and server logs from March 27 to see if the malicious packages were downloaded and installed.\n3.  **Hunt for Exfiltration:** Monitor network logs for any anomalous large outbound data transfers around the time of the incident. This can be aided by **[D3-NTA: Network Traffic Analysis](https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis)**.\n\n## Mitigation\n- **Pin Dependencies:** Do not use floating versions for dependencies in production. Pin all packages to a specific, vetted version in `requirements.txt` or a similar lockfile. This is a critical form of **[D3-ACH: Application Configuration Hardening](https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening)**.\n- **Local Package Mirror:** For critical dependencies, consider hosting a private, vetted mirror of the package registry. This prevents malicious updates from being pulled directly from the public internet.\n- **CI/CD Security:** Implement security scanning (SCA) in the CI/CD pipeline to check for malicious or vulnerable packages *before* they are installed. However, as this incident shows, the scanner's own dependencies must also be secure.\n- **Egress Filtering:** Implement strict egress filtering on build servers and production environments to block unexpected outbound connections, which can prevent data exfiltration. This aligns with **[D3-OTF: Outbound Traffic Filtering](https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering)**.\n- **Enforce MFA:** Mandate MFA for all developer accounts on platforms like GitHub and PyPI to make credential compromise more difficult.","⛓️ Lapsus$ claims to have stolen 4TB of data from AI firm Mercor after a supply chain attack on the LiteLLM PyPI package. The incident highlights the cascading risks of dependency compromises in CI/CD pipelines. #SupplyChainAttack #Lapsus #DataBreach","AI recruiting firm Mercor was hit by the LiteLLM supply chain attack, with the Lapsus$ extortion group claiming responsibility for stealing 4TB of data.",[13,14,15],"Supply Chain Attack","Data Breach","Threat Actor","critical",[18,22,24,27,30,32],{"name":19,"type":20,"url":21},"Lapsus$","threat_actor","https://attack.mitre.org/groups/G0139/",{"name":23,"type":20},"TeamPCP",{"name":25,"type":26},"Mercor","company",{"name":28,"type":29},"LiteLLM","product",{"name":31,"type":29},"Trivy",{"name":33,"type":34},"PyPI","technology",[],[37],{"url":38,"title":39,"date":40,"friendly_name":41,"website":42},"https://www.securityweek.com/mercor-hit-by-litellm-supply-chain-attack/","Mercor Hit by LiteLLM Supply Chain Attack","2026-04-02","SecurityWeek","securityweek.com",[44],{"datetime":45,"summary":46},"2026-03-27T00:00:00Z","Malicious versions of the LiteLLM PyPI package were published and available for approximately 40 minutes.",[48,52,56],{"id":49,"name":50,"tactic":51},"T1195.002","Compromise Software Supply Chain: Compromise Software","Initial Access",{"id":53,"name":54,"tactic":55},"T1567","Exfiltration Over Web Service","Exfiltration",{"id":57,"name":58,"tactic":59},"T1078","Valid Accounts","Defense Evasion",[61,71,80],{"id":62,"name":63,"d3fend_techniques":64,"description":69,"domain":70},"M1054","Software Configuration",[65],{"id":66,"name":67,"url":68},"D3-ACH","Application Configuration Hardening","https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening","Pin software dependencies to specific, vetted versions to prevent the automatic inclusion of malicious updates.","enterprise",{"id":72,"name":73,"d3fend_techniques":74,"description":79,"domain":70},"M1037","Filter Network Traffic",[75],{"id":76,"name":77,"url":78},"D3-OTF","Outbound Traffic Filtering","https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering","Implement strict egress filtering on build servers to block unauthorized outbound connections, preventing data exfiltration.",{"id":81,"name":82,"d3fend_techniques":83,"description":88,"domain":70},"M1047","Audit",[84],{"id":85,"name":86,"url":87},"D3-SFA","System File Analysis","https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis","Continuously audit software dependencies using SCA tools to detect malicious or vulnerable packages in the CI/CD pipeline.",[90,92],{"technique_id":66,"technique_name":67,"url":68,"recommendation":91,"mitre_mitigation_id":62},"To prevent incidents like the LiteLLM compromise, organizations must enforce dependency pinning as a strict policy. Instead of allowing version ranges (e.g., `litellm>=1.82.0`), all `requirements.txt` or `pyproject.toml` files must specify exact versions (e.g., `litellm==1.82.6`). This should be enforced with pre-commit hooks and CI pipeline checks. This simple configuration change prevents package managers from automatically fetching a newly published malicious version, giving security teams time to vet updates before they are introduced into any environment. This directly counters the attack vector that allowed Mercor to be compromised within the 40-minute window.",{"technique_id":76,"technique_name":77,"url":78,"recommendation":93,"mitre_mitigation_id":72},"To mitigate the impact of a potential breach like the one claimed by Lapsus$, implement strict egress filtering on all CI/CD runners and production servers. By default, these systems should be denied all outbound internet access. Create explicit allowlist rules for only the necessary destinations, such as connections to a private package mirror, specific API endpoints, or log aggregation services. This 'deny-by-default' posture would have made it extremely difficult for the compromised LiteLLM package to exfiltrate 4TB of data, as its connections to an unknown exfiltration server would have been blocked. This control shifts the security posture from trying to detect malicious activity to preventing it outright.",[95,99],{"type":96,"value":97,"description":98},"other","LiteLLM@1.82.7","Maliciously published version of LiteLLM PyPI package.",{"type":96,"value":100,"description":98},"LiteLLM@1.82.8",[102,108],{"type":103,"value":104,"description":105,"context":106,"confidence":107},"file_name","requirements.txt","Search this file for malicious versions '1.82.7' or '1.82.8' of the 'litellm' package.","File system scanning, Code repository analysis","high",{"type":109,"value":110,"description":111,"context":112,"confidence":107},"network_traffic_pattern","Anomalous egress traffic from build servers","Monitor for large, unexpected outbound data transfers from CI/CD runners or build servers, which could indicate data exfiltration by a compromised dependency.","Netflow analysis, Firewall logs, Cloud provider network logs",[114,19,33,28,115,116],"supply chain","data breach","extortion","2026-04-02T15:00:00.000Z","NewsArticle",{"geographic_scope":120,"companies_affected":121,"industries_affected":122,"other_affected":125},"global",[25],[123,124],"Technology","Other",[126,127],"Artificial Intelligence","Recruiting",6,"2026-04-05T12:00:00Z",[131],{"update_id":132,"update_date":129,"datetime":129,"title":133,"summary":134,"sources":135},"update-1","Update 1","Meta suspended its partnership with Mercor after the LiteLLM supply chain attack exposed sensitive AI training data from clients like Meta, OpenAI, and Anthropic.",[136,139],{"title":137,"url":138},"Global Cybersecurity Incidents April 4, 2026 Major Breaches and Scam Crackdowns","https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFVESqRhH2JCHb6ruQ-pbYmwhZ4PwR2UMHCY7Xdf56fzVoJD1KZwAYW0VY3h_KdW_HyydU7udVsY6uyjA76i4wGcwYUggurh092jcxQyhBMGgglLDKpFoknEmC2s7siaAIJTezD6iAueSUh32j8HTzo7j3t4XW5SqfA5oocm0eMbOCVMQ==",{"title":140,"url":141},"Meta Pauses Work with Mercor Following AI Data Breach Incident","https://vertexaisearch.cloud.google.google.com/grounding-api-redirect/AUZIYQFqBaaUGwji3d2RPhciTflIQVw7UEGL_n3qyLfpNQ6Q2Zoqg3XEjf-fxUBoftJ4-0Jjo-HRSzIch1bdcV1y54Nyl0_DUq0gzTCqQrFA8IZ2tB-0fj49kwHQDJM3U-J9_PFMzj3_Jst5kL6Z_hm11OQTRiiw_lZ0HxUOqQPDhvL8_4KVMzNhcmjvRqnuKZfz8",1775683831044]