MEDIUMSupply Chain
Global

Mercor Breach Linked to LiteLLM Supply-Chain Attack

Monday, April 6, 2026 at 12:30 AM UTC·Source: Bank Info Security

Updated: Monday, April 6, 2026 at 12:30 AM UTC

Executive Summary

<img src="https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/mercor-breach-linked-to-litellm-supply-chain-attack-image_small-1-a-31340.jpg" align=right hspace=4><b>AI Dependency Attack Reportedly Exposes Data and Source Code</b><br>A LiteLLM supply-chain compromise enabled attackers to harvest credentials and access internal environments at scale at Mercor. The firm was the first to confirm

Analysis

<img src="https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/mercor-breach-linked-to-litellm-supply-chain-attack-image_small-1-a-31340.jpg" align=right hspace=4><b>AI Dependency Attack Reportedly Exposes Data and Source Code</b><br>A LiteLLM supply-chain compromise enabled attackers to harvest credentials and access internal environments at scale at Mercor. The firm was the first to confirm a LiteLLM breach, and researchers are warning about growing AI system exposure and limited visibility.

Indicators of Compromise (2)

URL (1)
https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/mercor-breach-linked-to-litellm-supply-chain-attack-image_small-1-a-31340.jpg
VirusTotalURLhaus
Domain (1)
ismg-cdn.nyc3.cdn.digitaloceanspaces.com
VirusTotalURLhaus
Source Attribution

Originally published by Bank Info Security on Apr 6, 2026.

Related Threats

MEDIUMSupply Chain

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant. "Every package contains three files (package.json, index.js, postinstall.js), has no description, repository,

The Hacker News
MEDIUMSupply Chain

Axios npm hack used fake Teams error fix to hijack maintainer account

The maintainers of the popular Axios HTTP client have published a detailed post-mortem describing how one of its developers was targeted by a social engineering campaign believed to have been conducted by North Korean threat actors. [...]

BleepingComputer
MEDIUMSupply Chain

Do not get high(jacked) off your own supply (chain)

In the span of just a few weeks, we have observed a dizzying array of major supply chain attacks. If we are all building on such shaky foundation, what can we do to keep safe?

Cisco Talos