---
title: "LiteLLM Supply Chain Poisoned; 47K Malicious Downloads in 3 Hours"
slug: "litellm-supply-chain-poisoned-47k-malicious-downloads-in-3-hours"
published: ""
beat: "Crime"
tags: ["Crime"]
creator: "Agentry Newsroom"
editor: "Susanne Sperling, Editor — Human in the Loop"
tools: ["Claude (Anthropic)", "Perplexity Sonar"]
creativeWorkStatus: "verified"
dateReviewed: "2026-06-27"
aiActArticle50: "compliant"
humanView: "https://agentry.news/litellm-supply-chain-poisoned-47k-malicious-downloads-in-3-hours"
agentView: "https://agentry.news/agent/litellm-supply-chain-poisoned-47k-malicious-downloads-in-3-hours"
---

# LiteLLM Supply Chain Poisoned; 47K Malicious Downloads in 3 Hours

> TeamPCP compromised Trivy, an open-source vulnerability scanner, to inject a credential-stealing backdoor into LiteLLM, a Python AI gateway used by thousands of companies. The malicious packages were 

*Drafted by an AI agent. Verified by Susanne Sperling, Editor — Human in the Loop. [AI policy](/ai-policy).*

## Supply Chain Poisoning via Compromised Security Tool

TeamPCP, a threat actor group, compromised **Trivy**, an open-source vulnerability scanner developed by Aqua Security, to inject malicious code into **LiteLLM**, a widely adopted Python AI gateway proxy used across thousands of developer environments [Tech Insider](https://tech-insider.org/mercor-litellm-supply-chain-attack-2026/). The attack unfolded on or around **March 20, 2026**, when TeamPCP exploited a misconfigured GitHub Actions workflow to poison Trivy's build process and publish two malicious versions of LiteLLM to PyPI (Python Package Index), specifically version 1.82.8 and an earlier variant released at 10:52 UTC [Ruh AI](https://www.ruh.ai/blogs/mercor-data-breach-litellm-supply-chain-attack-ai-training-secrets).

The malware payload was embedded in a `.pth` file—a Python path configuration file that loads automatically at application startup without requiring an explicit import statement. This mechanism harvested credentials and installed a persistent backdoor into affected systems [Mitiga](https://www.mitiga.io/blog/the-domino-effect).
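The `.pth` behaviour described above can be audited on a host. The following is an added example, not code from this article or from the LiteLLM or Trivy projects: it lists the `.pth` lines that Python's standard `site` module would execute at interpreter startup (lines beginning with `import` followed by a space or tab). The function names and the sample file contents are constructed for illustration.

```python
"""Audit .pth files for lines the interpreter would execute at startup."""
import site
import tempfile
from pathlib import Path


def executable_lines(text):
    """Return (line_number, line) pairs that site.py would exec()."""
    # site.py executes any .pth line starting with "import" + space or tab;
    # every other non-comment line is treated as a path to add to sys.path.
    return [(number, line.strip())
            for number, line in enumerate(text.splitlines(), start=1)
            if line.startswith(("import ", "import\t"))]


def audit_directories(directories):
    """Map each .pth file containing executable lines to those lines."""
    findings = {}
    for directory in directories:
        root = Path(directory)
        if not root.is_dir():
            continue
        for pth in sorted(root.glob("*.pth")):
            try:
                text = pth.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            hits = executable_lines(text)
            if hits:
                findings[str(pth)] = hits
    return findings


def demo():
    """Audit a constructed directory (sample files, not real indicators)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "paths_only.pth").write_text("../vendored\n# comment\n")
        Path(tmp, "example_init.pth").write_text(
            "# constructed sample\nimport os; os.environ.get('HOME')\n")
        found = audit_directories([tmp])
        return {Path(name).name: hits for name, hits in found.items()}


if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for path, hits in audit_directories(dirs).items():
        for number, line in hits:
            print(f"{path}:{number}: {line[:120]}")
```

Legitimate packages (editable installs, some setuptools shims) also ship executable `.pth` lines, so each hit is something to attribute to an owning package, not a verdict on its own.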

## Scale and Duration of Exposure

Approximately **47,000 downloads** of the poisoned packages occurred during the exposure window, which lasted between 40 minutes and 3 hours depending on independent researcher estimates [HelpNetSecurity](https://www.helpnetsecurity.com/2026/06/11/owasp-prompt-injection-ai-security-failures/). LiteLLM's historical download count stands at 95 million, but only those 47,000 downloads were of the malicious packages. The packages were removed from PyPI once the compromise was detected, though the exact removal timeline remains under investigation.

## Mercor Data Breach and Attribution Split

**Mercor**, an AI recruitment platform, was among thousands of organizations that installed the compromised LiteLLM package. The breach exposed approximately **4 TB** of internal data, including Slack messages, source code repositories, ticketing systems, and database environments [Tech Insider](https://tech-insider.org/mercor-litellm-supply-chain-attack-2026/). Mercor publicly acknowledged the incident on **Tuesday, March 31, 2026**, describing itself to TechCrunch as "one of thousands of companies affected by a recent compromise of the LiteLLM open-source project."

Critically, while **TeamPCP** engineered the supply chain poisoning, a separate threat group, **Lapsus$**, claimed responsibility for the 4 TB data exfiltration from Mercor. This attribution split highlights how a single compromised library can enable multiple attackers to inflict cascading damage across victim networks [Ruh AI](https://www.ruh.ai/blogs/mercor-data-breach-litellm-supply-chain-attack-ai-training-secrets).

## No Legal Action Reported

As of **June 27, 2026**, no court filings, regulatory penalties, or criminal charges have been publicly disclosed against TeamPCP or Lapsus$ in connection with the LiteLLM incident. The matter remains under security investigation by affected organizations and law enforcement agencies, with no formal legal venue or sentencing announced [Semgrep](https://semgrep.dev/blog/2026/the-teampcp-credential-infostealer-chain-attack-reaches-pythons-litellm).