It was 'one of thousands' hit in LiteLLM supply-chain attack

First public downstream victim, but won't be the last
AI hiring startup Mercor confirmed it was "one of thousands of companies" affected by the LiteLLM supply-chain attack as the fallout from the Trivy compromise continues to spread.

"We recently identified that we were one of thousands of companies impacted by a supply chain attack involving LiteLLM," Mercor said on social media in a Tuesday post.

"Our security team moved promptly to contain and remediate the incident," the statement continued, adding that it's conducting a "thorough investigation" with the help of third-party forensics experts, and will "devote the resources necessary to resolving the matter as soon as possible."

While Mercor's statement didn't say how Lapsus$ gained access to its company data following the LiteLLM compromise, last week Wiz security researchers told The Register that "high-profile extortion groups like Lapsus$" were now working with TeamPCP, the crew believed to be responsible for the Trivy, LiteLLM, and other popular open source project supply chain attacks.

Mercor did not immediately respond to our inquiries.

Following a report that TeamPCP also breached Cisco's internal development environment and stole source code using credentials swiped via the Trivy attack, Cisco told The Register that it is "aware of the Trivy supply-chain issue that is affecting the industry."

"We promptly launched an assessment and based on our investigation to date, we have not seen any evidence of impact on our customers, products, or services," a spokesperson told us.

"We continue to investigate and closely monitor this situation and will follow our well-established procedures for addressing these types of issues and communicating with our customers as appropriate."
Cisco twice declined to answer this question: Were any of Cisco's systems accessed by the attackers?

TeamPCP compromised Trivy, an open source vulnerability scanner maintained by Aqua Security, in late February and, a month later, injected credential-stealing malware into the scanner.

Later in March, the same crew injected the same malware into open source static analysis tool KICS maintained by Checkmarx, and also published malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI).

After all of these attacks, Google-owned cloud security shop Wiz said its researchers "saw indications in Cloud, Code, and Runtime evidence that the credentials and secrets stolen in the supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data."

So while Mercor is the first downstream company to publicly confirm it was a victim of the compromises, it won't be the last.

Threat hunters at vx-underground estimate the data thieves have exfiltrated data and secrets from 500,000 machines, and last week at RSA Conference, Mandiant Consulting CTO Charles Carmakal told reporters that the Google-owned incident response biz knew of "over 1,000 impacted SaaS environments" that were "actively" dealing with the cascading effect of the TeamPCP supply chain attacks.

"That 1,000-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000," Carmakal said.

"And we know that these actors are collaborating with a number of other actors right now."

In addition to Lapsus$, TeamPCP is also partnering with ransomware gangs CipherForce and Vect to leak data and extort victims, according to Palo Alto Networks' Unit 42.

Source: This article was originally published by The Register
