Agentry News | What AI Agents Do, Documented. | June 27, 2026

Drafted by an AI agent. Verified by Susanne Sperling, Editor — Human in the Loop.

TeamPCP compromised Trivy, an open-source vulnerability scanner, to inject a credential-stealing backdoor into LiteLLM,

LiteLLM Supply Chain Poisoned; 47K Malicious Downloads in 3 Hours

By Agentry Newsroom

Supply Chain Poisoning via Compromised Security Tool

TeamPCP, a threat actor group, compromised Trivy, an open-source vulnerability scanner developed by Aqua Security, to inject malicious code into LiteLLM, a widely adopted Python AI gateway proxy used across thousands of developer environments [Tech Insider]. The attack unfolded on or around March 20, 2026, when TeamPCP exploited a misconfigured GitHub Actions workflow to poison Trivy's build process and publish two malicious versions of LiteLLM to PyPI (Python Package Index), specifically version 1.82.8 and an earlier variant released at 10:52 UTC [Ruh AI].

The malware payload was embedded in a `.pth` file, a Python path configuration file that the interpreter processes automatically at startup, so the code ran without any explicit import statement in the victim's own application. This mechanism harvested credentials and installed a persistent backdoor on affected systems [Mitiga].
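To make the `.pth` mechanism concrete, here is an added example (not code from the page, nor from LiteLLM, Trivy or any other project named here) that mirrors the rule CPython's `site` module applies to `.pth` lines and audits a site-packages tree for lines the interpreter would execute at startup. The sample `.pth` contents and the indicator list are constructed for illustration and are not indicators from the incident.

```python
"""Audit Python .pth files for lines the interpreter will execute at startup.

CPython's site module reads every *.pth file in each site-packages directory
when the interpreter starts. Lines beginning with "import " (or "import<TAB>")
are passed to exec(); other non-comment lines are treated as directory names
to add to sys.path. That is why a malicious .pth runs with no import statement
anywhere in the victim's own code. This script lists every executing line and
flags those that carry common loader constructs.
"""
import os
import re
import site
from dataclasses import dataclass, field
from pathlib import Path

# Heuristic indicators for an executing line that does more than import a
# module. Constructed for illustration; not a published IoC list.
SUSPICIOUS_PATTERNS = [
    re.compile(p) for p in (
        r"\bexec\(", r"\beval\(", r"\bcompile\(", r"\b__import__\(",
        r"\bbase64\b", r"\bzlib\b", r"\bmarshal\b", r"\bcodecs\b",
        r"\bsubprocess\b", r"\bos\.system\b", r"\burllib\b", r"\bsocket\b",
    )
]
MAX_REASONABLE_LEN = 200  # a legitimate "import" line is rarely this long


@dataclass
class Finding:
    path: str
    lineno: int
    line: str
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def classify_line(line: str) -> tuple[bool, list[str]]:
    """Mirror site.addpackage(): return (executes, indicators) for one line."""
    if line.startswith("#") or not line.strip():
        return False, []
    if not line.startswith(("import ", "import\t")):
        return False, []            # a path entry, never executed
    stripped = line.rstrip("\n")
    indicators = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(stripped)]
    if len(stripped) > MAX_REASONABLE_LEN:
        indicators.append(f"len>{MAX_REASONABLE_LEN}")
    return True, indicators


def audit_pth_text(text: str, path: str = "<constructed>") -> list[Finding]:
    """Return a Finding for every executing line in the given .pth contents."""
    findings = []
    for n, line in enumerate(text.splitlines(keepends=True), 1):
        executes, indicators = classify_line(line)
        if executes:
            findings.append(Finding(path, n, line.rstrip("\n"), indicators))
    return findings


def audit_site_packages(dirs=None) -> list[Finding]:
    """Scan every *.pth in the live interpreter's site-packages directories."""
    if dirs is None:
        dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for pth in sorted(Path(d).glob("*.pth")):
            findings.extend(audit_pth_text(pth.read_text(errors="replace"), str(pth)))
    return findings


# Constructed sample .pth contents (not files from the incident).
BENIGN_PTH = "/opt/tools/lib\nimport _virtualenv\n"
LOADER_STYLE_PTH = (
    "import base64,sys;exec(base64.b64decode(b'cHJpbnQoJ2hlbGxvJyk='))\n"
)


if __name__ == "__main__":
    for f in audit_site_packages():
        tag = "SUSPICIOUS" if f.suspicious else "executes"
        print(f"{tag:10} {f.path}:{f.lineno}  {f.line[:80]}")
```

Run it inside the virtual environment you want to check. Some executing lines are legitimate (virtualenv's `_virtualenv.pth` and setuptools' `distutils-precedence.pth` both use the `import` form), so the useful output is the set flagged as suspicious plus any executing line owned by a package you did not expect to ship one.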

Scale and Duration of Exposure

Approximately 47,000 downloads of the poisoned packages occurred during the exposure window, which lasted between 40 minutes and 3 hours depending on independent researcher estimates [HelpNetSecurity]. LiteLLM's historical download count stands at 95 million; only the roughly 47,000 downloads made during the attack window fetched a malicious version. The packages were removed from PyPI once the compromise was detected, though the exact removal timeline remains under investigation.

Mercor Data Breach and Attribution Split

Mercor, an AI recruitment platform, was among thousands of organizations that installed the compromised LiteLLM package. The breach exposed approximately 4 TB of internal data, including Slack messages, source code repositories, ticketing systems, and database environments [Tech Insider]. Mercor publicly acknowledged the incident on Tuesday, March 31, 2026, describing itself to TechCrunch as "one of thousands of companies affected by a recent compromise of the LiteLLM open-source project."

Critically, while TeamPCP engineered the supply chain poisoning, a separate threat group, Lapsus$, claimed responsibility for the 4 TB data exfiltration from Mercor. This attribution split highlights how a single compromised library can enable multiple attackers to inflict cascading damage across victim networks [Ruh AI].

No Legal Action Reported

As of June 27, 2026, no court filings, regulatory penalties, or criminal charges have been publicly disclosed against TeamPCP or Lapsus$ in connection with the LiteLLM incident. The matter remains under security investigation by affected organizations and law enforcement agencies, with no formal legal venue or sentencing announced [Semgrep].
