惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

量子位
P
Privacy International News Feed
Security Latest
Security Latest
Spread Privacy
Spread Privacy
NISL@THU
NISL@THU
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
The Last Watchdog
The Last Watchdog
S
Schneier on Security
Engineering at Meta
Engineering at Meta
Google Online Security Blog
Google Online Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
Cyberwarzone
Cyberwarzone
C
Cyber Attacks, Cyber Crime and Cyber Security
G
GRAHAM CLULEY
A
Arctic Wolf
博客园 - 聂微东
I
Intezer
腾讯CDC
罗磊的独立博客
T
Tailwind CSS Blog
WordPress大学
WordPress大学
宝玉的分享
宝玉的分享
L
Lohrmann on Cybersecurity
人人都是产品经理
人人都是产品经理
C
Cybersecurity and Infrastructure Security Agency CISA
博客园 - 【当耐特】
P
Palo Alto Networks Blog
Simon Willison's Weblog
Simon Willison's Weblog
W
WeLiveSecurity
N
News and Events Feed by Topic
SecWiki News
SecWiki News
S
Security Affairs
T
Threat Research - Cisco Blogs
The GitHub Blog
The GitHub Blog
F
Fortinet All Blogs
T
Troy Hunt's Blog
N
News and Events Feed by Topic
P
Proofpoint News Feed
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
酷 壳 – CoolShell
酷 壳 – CoolShell
M
MIT News - Artificial intelligence
I
InfoQ
Hacker News: Ask HN
Hacker News: Ask HN
T
The Blog of Author Tim Ferriss
Schneier on Security
Schneier on Security
Hacker News - Newest:
Hacker News - Newest: "LLM"
Vercel News
Vercel News
博客园 - 三生石上(FineUI控件)
D
Darknet – Hacking Tools, Hacker News & Cyber Security

The Register - Security: Cyber-crime

Election interlopers register 5K+ domains, hope to catch some voting phish Palo Alto VPN bug graduates from advisory to active exploitation ShinyHunters adds Charter to trophy shelf after 4.9M customer records leak Carnival confirms ShinyHunters cruised off with 6M customer records after April breach CrowdStrike, Google shatter Glassworm botnet MyPillow must decide whether to be firm or soft as ransomware crims demand pay A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets Shai-Hulud copycat worm infects yet another npm package Grafana Labs admits all its codebase are belong to someone who popped its GitHub account Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub Foxconn confirms cyberattack after ransomware crew claims it stole confidential Apple, Nvidia files Cache-poisoning caper turns TanStack npm packages toxic 'CopyFail' attackers start cashing in on Linux flaw Cushman & Wakefield confirms vishing cyberattack ShinyHunters claims dump puts 119K Vimeo emails in the wild ShinyHunters claims 119K Vimeo emails in the wild Critical cPanel exploited: 'Millions' of sites could be hit Pro-Iran group turns Ubuntu DDoS into shakedown French prosecutors link 15-year-old to gov mega-breach UK business breach rate stuck at 43%... blame the phishing What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia Chinese spy group caught lurking in Poland, Asia networks Don’t pay VECT a ransom - your big files are likely gone Pitney Bowes the latest victim of ShinyHunters’ breach-spree Ongoing supply-chain attack targets security, dev tools Medical and utility tech companies admit digital breakins Burglar alarm biz gets burgled, ShinyHunters pursues ransom Crime crew impersonates help desk, abuses Teams chats ShinyHunters claim they have cruise giant Carnival’s booty CISA, NCSC issue Firestarter backdoor warning 500k Biobank volunteers' data listed for sale on Alibaba Another npm supply chain worm hits dev environments France's 'Secure' ID agency probes breach as crooks claim 19M records France's 'Secure' ID agency probes claimed 19M record breach macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets macOS ClickFix attacks deliver AppleScript stealers Yet another ex-ransomware negotiator admits turning rogue after payoff from crimelords Third ransomware pro pleads guilty to cybercrime U-turn AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account AI-pwned: Vercel breach traced to stolen employee creds Crook claims to leak 'video surveillance footage' of companies Crook claims to leak 'video surveillance footage' of firms Adaptavist Group breach spawns imposter emails as ransomware crew claims mega-haul Adaptavist Group breach: Ransomware crew claims mega-haul Scot becomes second Scattered Spider-linked crook to plead guilty in US US gets second Scattered Spider-linked guilty plea North Korea targets macOS users in latest heist McGraw Hill linked to 13.5M-record data leak McGraw Hill linked to 13.5M-record data leak Autovista blames ransomware for service disruption Autovista blames ransomware for service disruption No honor among thieves as 0APT threatens rival ransomware gang Krybit 0APT ransomware gang extorts Krybit amid doxxing threat Fake Linux leader using Slack to con devs into giving up their secrets Fake Linux Foundation leader using Slack to phish devs Booking.com warns of possible reservation data exposure Booking.com warns of possible reservation data exposure Gym giant Basic-Fit breached with at least 1M affected US, UK, Canadian cops disrupt $45M global crypto scam www.theregister.com Old Adobe Reader zero-day uses PDFs to size up targets Zephyr Energy loses £700K to contractor payment fraud Russia's Fancy Bear still attacking routers to boost fake sites, NCSC warns Russia's APT28 behind latest wave of router, DNS attacks AI recruiting biz Mercor says it was 'one of thousands' hit in LiteLLM supply-chain attack Telnyx package latest hit in PyPI supply-chain compromise Telnyx package latest hit in PyPI supply-chain compromise European Commission admits breach of public web systems European Commission admits breach of public web systems AFC Ajax drops ball as hackers transfer tickets, lift bans AFC Ajax drops ball as hackers transfer tickets, lift bans HackerOne slams supplier for delayed breach notice after staff data exposed HackerOne slams supplier over delayed breach notice Russian initial access broker jailed for 81 months in US Russian initial access broker jailed for 81 months in US Smooth criminals talking their way into cloud environments, Google says Chip tester shrugged off ransomware – then came the leak Chip tester shrugged off ransomware – then came the leak Russians posing as Signal support to launch phishing raids JLR cyber bailout risks dangerous precedent, watchdog warns Unknown attackers exploit yet another critical SharePoint bug Microsoft Intune: Lock it down, warn feds after Stryker Ransomware crims abused Cisco 0-day weeks before disclosure North Korea's 100,000-strong fake IT worker army rake in $500M a year for Kim Jong Un Robotics surgical biz Intuitive discloses phishing attack Cybercrime up 245% since the start of the Iran war AI-driven fraud far more profitable, Interpol warns Credential-stealing crew spoofs Ivanti, Fortinet, Cisco VPNs Interpol sinkholes 45,000 IPs linked to global cybercrime SocksEscort fraud-enabling proxy service taken down CISA warns max-severity n8n bug is being exploited in the wild Iran-linked cyber crew claims hit on US med-tech firm Meta, cops deploy AI and handcuffs in scam crackdown Dutch police collar teen over string of bank card frauds EU law advisor wants cybercrime protections fast-tracked Cybercrime isn't just a cover for Iran's government goons Crooks compromise WordPress sites, spread infostealers Ericsson breach blamed on third party vendor vishing attack Polish cyber police busts gang of alleged teen DDoS peddlers
Mercor says it was 'one of thousands' hit in LiteLLM attack
Jessica Lyons · 2026-04-02 · via The Register - Security: Cyber-crime

REG AD

Cyber-crime

AI recruiting biz Mercor says it was 'one of thousands' hit in LiteLLM supply-chain attack

First public downstream victim, but won't be the last

AI hiring startup Mercor confirmed it was "one of thousands of companies" affected by the LiteLLM supply-chain attack as the fallout from the Trivy compromise continues to spread.

"We recently identified that we were one of thousands of companies impacted by a supply chain attack involving LiteLLM," Mercor said on social media in a Tuesday post.

"Our security team moved promptly to contain and remediate the incident," the statement continued, adding that it's conducting a "thorough investigation" with the help of third-party forensics experts, and will "devote the resources necessary to resolving the matter as soon as possible."

REG AD

The company's admission follows claims by extortion crew Lapsus$, later shared on social media by researcher Dominic Alvieri, that it stole 4 TB, including 939 GB of Mercor source code, plus other data, from the AI recruiting firm, and offered to sell the purloined files to the highest bidder.

REG AD

While Mercor's statement didn't say how Lapsus$ gained access to its company data following the LiteLLM compromise, last week Wiz security researchers told The Register that "high-profile extortion groups like Lapsus$" were now working with the TeamPCP, the crew believed to be responsible for the Trivy, LiteLLM, and other popular open source project supply chain attacks.

Mercor did not immediately respond to our inquiries.

Following a report that TeamPCP also breached Cisco's internal development environment and stole source code from credentials swiped via the Trivy attack, Cisco told The Register that it is "aware of the Trivy supply-chain issue that is affecting the industry."

"We promptly launched an assessment and based on our investigation to date, we have not seen any evidence of impact on our customers, products, or services," a spokesperson told us. "We continue to investigate and closely monitor this situation and will follow our well-established procedures for addressing these types of issues and communicating with our customers as appropriate."

Cisco twice declined to answer this question: Were any of Cisco's systems accessed by the attackers?

How it started…

TeamPCP compromised Trivy, an open source vulnerability scanner maintained by Aqua Security in late February, and, a month later, injected credential-stealing malware into the scanner. 

Later in March, the same crew injected the same malware into open source static analysis tool KICS maintained by Checkmarx, and also published malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI).

REG AD

After all of these attacks, Google-owned cloud security shop Wiz said its researchers "saw indications in Cloud, Code, and Runtime evidence that the credentials and secrets stolen in the supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data." 

So while Mercor is the first downstream company to publicly confirm it was a victim of the compromises, it won't be the last. 

How it's going

Threat hunters at vx-underground estimate the data thieves have exfiltrated data and secrets from 500,000 machines, and last week at RSA Conference, Mandiant Consulting CTO Charles Carmakal told reporters that the Google-owned incident response biz knew of "over 1,000 impacted SaaS environments" that were "actively" dealing with the cascading effect of the TeamPCP supply chain attacks.

"That 1,000-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000," Carmakal said. "And we know that these actors are collaborating with a number of other actors right now." 

In addition to Lapsus$, TeamPCP is also partnering with ransomware gangs CipherForce and Vect to leak data and extort victims, according to Palo Alto Networks' Unit 42. ®