Hack & Fix

A $10 billion AI startup just got gutted because a security scanner was the entry point.. and their own developers reportedly handed production credentials to an AI chatbot. Mercor trains AI models for OpenAI, Anthropic, and Google DeepMind. They manage 30,000+ contractors, process $2 million in daily payouts, and store recorded video interviews with face and voice data used for identity verification. Three 22-year-old college dropouts built it into a decacorn in two years. The data vault they were sitting on was one of the most sensitive in the entire AI ecosystem. The attack chain is the part that gets worse every sentence. TeamPCP compromised Trivy first. A security scanning tool made by Aqua Security. On March 19. Trivy has broad read access to every environment it scans by design, because that's how vulnerability scanners work. The credentials stolen from the security product were used to hijack LiteLLM, the open-source proxy that routes API calls to every major LLM provider. LiteLLM gets 3.4 million downloads per day. The poisoned version was uploaded straight to PyPI with no corresponding GitHub release, no tag, no review. Version 1.82.8 embedded the payload in a .pth file, which Python executes automatically at startup. You didn't need to import LiteLLM. You didn't need to call it. The malware fired the second Python opened. Three stages. Harvest every SSH key, cloud token, Kubernetes secret, crypto wallet, and .env file on the machine. Deploy privileged containers across every node in the cluster. Install a persistent backdoor waiting for instructions. The stolen data was encrypted with a hardcoded 4096-bit RSA key and exfiltrated to models.litellm[.]cloud, a domain built to look legitimate. Mercor was downstream. Reports indicate their developers gave production credentials to Claude, an AI coding assistant, which was running with unrestricted system permissions. The compromised LiteLLM package came in through that pipeline. One poisoned dependency turned a $10 billion company's entire infrastructure into a credential harvesting operation. The haul: 939GB of source code. 211GB of database records containing resumes and personal data. 3TB of stored files including video interviews, face scans, and KYC documents. Full access to their TailScale VPN. 4TB total. Lapsus$ is now auctioning it with a "make an offer" price tag. The video interviews are the part that can never be undone. Faces and voices used for identity verification can generate deepfakes. Unlike passwords, biometrics cannot be reset. Thousands of doctors, lawyers, and engineers who signed up to train AI models just had their identities permanently compromised. Every AI company shipping fast right now has the same dependency chain underneath it. Nobody chose to install LiteLLM on that developer's machine. It came in as a dependency of a dependency of a tool they didn't even know they had.