Mercor says it is "one of thousands of companies" hit by the recent LiteLLM attack

Neowin, 28 days ago

The LiteLLM attack, one of the largest supply chain attacks in the AI industry, affected Mercor, whose data was stolen and posted on dark web forums.

A couple of days ago, a group of hackers known as TeamPCP carried out a brazen supply chain attack against a core piece of AI infrastructure. They targeted LiteLLM, a widely used open-source API gateway that gives developers a single interface to more than 100 Large Language Model APIs from providers such as OpenAI and Anthropic.

The hackers got in by first compromising the Trivy vulnerability scanner through a misconfigured GitHub Actions workflow. With that access they obtained LiteLLM's PyPI publishing token and pushed two malicious versions, 1.82.7 and 1.82.8, directly to the public registry. As soon as either version was installed, the malicious code ran automatically and harvested SSH keys, .env files, cloud provider credentials, cryptocurrency wallets, and AI API keys from the host.

Now, Mercor, an AI recruiting and training-data startup, has confirmed it was "one of thousands of companies" hit by the attack. In a statement to TechCrunch, Mercor spokesperson Heidi Hagberg said:

We are conducting a thorough investigation supported by leading third-party forensics experts. We will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible.

The attack was only spotted because of a bug in the attackers' own code that sent memory consumption out of control. Callum McMahon, an engineer at FutureSearch, was testing an AI plugin that happened to depend on LiteLLM and noticed his machine kept crashing. He traced the problem to a malicious file that recursively spawned new processes, an accidental "fork bomb" that exhausted the system's RAM.

If you think you have been infected, the first (obvious) step is to rotate every key and secret the malware targets: SSH keys, anything in .env files, cloud provider credentials, wallet material, and AI API keys. Do the rotation from a machine that never installed the malicious versions, otherwise the fresh secrets may be harvested again. After that, fix the dependency itself: treat any environment, container image or CI cache that installed 1.82.7 or 1.82.8 as compromised and rebuild it rather than upgrading in place. The last safe pre-attack version is 1.82.6, and the first patched post-attack version is 1.83.0, so pin to 1.83.0 or later.
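To make the version guidance above actionable, here is an added example of a dependency check. It is my own code, not code from the Neowin article, from Mercor, or from the LiteLLM project. The only facts it relies on are the version numbers given in this article (1.82.7 and 1.82.8 malicious, 1.82.6 last clean pre-attack release, 1.83.0 first patched release); the requirements lines it scans are constructed sample input. It classifies exact pins, flags loose ranges whose floor would still let a resolver pick a malicious release, and reports which litellm release, if any, is installed in the current interpreter.

```python
"""Check requirements.txt / pip-freeze lines and the live environment for the
compromised LiteLLM releases described in the article.

Added example, not code from the article or the LiteLLM project. The version
boundaries below are the ones the article states; everything else is an
assumption of this example.
"""
import re
from importlib import metadata
from typing import List, Optional, Tuple

# Version boundaries as stated in the article.
MALICIOUS_VERSIONS = {(1, 82, 7), (1, 82, 8)}
LAST_CLEAN_PRE_ATTACK = (1, 82, 6)
FIRST_PATCHED = (1, 83, 0)

# Matches one requirement line such as "litellm==1.82.7", "litellm>=1.80",
# "LiteLLM" (unpinned) or "litellm[proxy]~=1.82.0"; extras are skipped.
REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)(?:\[[^\]]*\])?\s*"
    r"(?:(?P<op>===|==|~=|>=|<=|!=|<|>)\s*(?P<ver>[0-9][0-9A-Za-z.*+!-]*))?"
)


def normalize_name(name: str) -> str:
    """PEP 503-style normalization so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(ver: str) -> Tuple[int, ...]:
    """'1.82.7' -> (1, 82, 7). Pre/post/dev suffixes are dropped and missing
    components are zero-padded, so '1.82' compares as (1, 82, 0)."""
    parts: List[int] = []
    for piece in ver.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify_version(ver: str) -> str:
    """Place one exact litellm version relative to the incident."""
    v = parse_version(ver)
    if v in MALICIOUS_VERSIONS:
        return "MALICIOUS"
    if v >= FIRST_PATCHED:
        return "patched"
    if v <= LAST_CLEAN_PRE_ATTACK:
        return "pre-attack"
    return "unclassified"  # e.g. 1.82.9: the article says nothing about it


def scan_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (line, verdict) for every litellm requirement in a requirements
    file or 'pip freeze' listing. A range is flagged when its floor would let a
    fresh resolve select 1.82.7 or 1.82.8."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        m = REQ_RE.match(line)
        if not m or normalize_name(m.group("name")) != "litellm":
            continue
        op, ver = m.group("op"), m.group("ver")
        if op is None:
            verdict = "UNPINNED: any version may resolve; pin to >=1.83.0"
        elif op in ("==", "==="):
            verdict = classify_version(ver)
        elif op in (">=", "~=", ">"):
            floor = parse_version(ver)
            admits = any((mv > floor) if op == ">" else (mv >= floor)
                         for mv in MALICIOUS_VERSIONS)
            verdict = ("RANGE ADMITS MALICIOUS RELEASES: raise floor to 1.83.0"
                       if admits else "ok (floor excludes 1.82.7 and 1.82.8)")
        else:  # <, <=, != give no lower bound at all
            verdict = "NO FLOOR: add >=1.83.0"
        findings.append((line, verdict))
    return findings


def installed_status() -> Optional[str]:
    """Classify the litellm release installed in this interpreter, or None."""
    try:
        return classify_version(metadata.version("litellm"))
    except metadata.PackageNotFoundError:
        return None


# Constructed sample input for this example, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
openai==1.30.0
litellm==1.82.7        # pulled in by an internal AI plugin
LiteLLM[proxy]>=1.80   # loose floor: a re-resolve could pick 1.82.8
litellm
litellm==1.83.0
"""

if __name__ == "__main__":
    for line, verdict in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{line:25} {verdict}")
    print("installed litellm:", installed_status())
```

Run it against each service's lockfile and inside each container image that ships LiteLLM; an exact pin on 1.83.0 or later is the only verdict that needs no action, and anything reported as MALICIOUS means the host's secrets are to be treated as stolen.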

Security incidents affecting developer tools appear to be on the rise. Shortly after the LiteLLM attack, the popular JavaScript library Axios was also compromised on NPM. In that case, the attackers stole a lead maintainer's credentials, changed the account's email address to an anonymous ProtonMail address, and published two poisoned versions. That malware also covers its tracks: it deletes its own malicious scripts after they run and replaces the package's package.json with a decoy.

Originally published by Neowin
