TeamPCP's 40-Minute PyPI Heist Stole $10B Startup's Cloud Keys
I was debugging a dependency issue last week when I realized something terrifying: 40 minutes is all it takes. That's how long malicious versions of LiteLLM sat on PyPI before getting quarantined on March 24th, 2026. Long enough to infiltrate Mercor, a $10 billion AI recruiting startup processing $2M in daily payouts.
The attack reads like a masterclass in supply chain warfare. TeamPCP didn't just compromise one project—they orchestrated a cascading failure that started with a compromised Trivy GitHub Action, escalated to stolen PyPI tokens, and ended with backdoored packages hitting 3.4 million daily downloads.
"What's worth paying attention to is the .pth persistence—it's not just credential theft but active malware that survives upgrades," noted developer Deb McKinney.
The 73-Account Coverup
Here's where it gets sinister. When security researchers tried to disclose the LiteLLM compromise on GitHub, they hit a wall of spam. 73 hijacked GitHub accounts flooded the issue tracker, closing legitimate bug reports and suppressing disclosure attempts.
This wasn't random chaos. It was coordinated suppression.
The malware itself was elegantly vicious:
- Deployed via .pth files dropped into site-packages, which Python's site module processes at every interpreter startup; any line in one that begins with "import" is executed as code, so every Python process on the host runs the loader
- Survived package upgrades because a .pth file the package's own metadata never recorded is left alone when pip upgrades, downgrades or uninstalls that package
- Exfiltrated everything: SSH keys, AWS credentials, Kubernetes secrets, database passwords
- Targeted high-value assets across the entire development stack
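To make that persistence mechanism concrete, here is an added example of mine (not the malware and not anything from the LiteLLM project) that mirrors how CPython's site module reads .pth files and lists the lines it would execute, across the interpreter's site-packages directories. The sample .pth text is constructed. Expect legitimate hits as well, such as the distutils-precedence.pth that setuptools installs, so treat every hit as something to read, not something to delete blindly.

```python
import site
from pathlib import Path

# How CPython's site module treats each line of a .pth file at startup:
#   blank line or line starting with '#'        -> ignored
#   line starting with "import " or "import\t"  -> exec()'d as Python
#   anything else                                -> appended to sys.path
# Only the exec'd lines can carry a loader, so those are what we surface.
EXEC_PREFIXES = ("import ", "import\t")


def scan_pth_text(text):
    """Return (line_no, line) for every line the interpreter would execute."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(EXEC_PREFIXES):   # exact startswith, as site.py does: no lstrip
            findings.append((no, line))
    return findings


def site_package_dirs():
    """Every directory whose *.pth files get processed: global and user site-packages."""
    dirs = []
    try:
        dirs.extend(site.getsitepackages())
    except AttributeError:       # very old virtualenv builds lack this helper
        pass
    user = site.getusersitepackages()
    if site.ENABLE_USER_SITE and user:
        dirs.append(user)
    return [Path(d) for d in dirs if Path(d).is_dir()]


def scan_site_packages(dirs=None):
    """Map .pth path -> executable lines, for every .pth in the given (or detected) dirs."""
    report = {}
    for d in dirs if dirs is not None else site_package_dirs():
        for pth in sorted(Path(d).glob("*.pth")):   # site only reads top-level *.pth
            try:
                hits = scan_pth_text(pth.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                report[str(pth)] = hits
    return report


# Constructed sample, not a real file from the incident. Line 4 is the shape a
# loader takes: one statement that decodes and runs a payload on every startup.
SAMPLE_PTH = (
    "/opt/app/vendor\n"                       # 1: plain path entry, harmless
    "# maintainer note\n"                     # 2: comment, ignored
    "import _distutils_hack\n"                # 3: executed; the line setuptools itself ships
    "import os, base64; exec(base64.b64decode(b'cHJpbnQoJ2hpJyk='))\n"  # 4: executed
    "  import hidden\n"                       # 5: leading space: treated as a path, not executed
)


if __name__ == "__main__":
    for no, line in scan_pth_text(SAMPLE_PTH):
        print(f"sample.pth:{no}: {line}")
    for path, hits in scan_site_packages().items():
        for no, line in hits:
            print(f"{path}:{no}: {line}")
```

Run it inside each affected virtualenv and container image. A .pth whose import line you cannot trace to a package you deliberately installed is the artifact you are looking for; the scanner never executes anything, it only reports what the interpreter would.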
Mercor's $10B Problem
Mercor contracts domain experts—scientists, doctors, lawyers—from markets like India to train AI models for OpenAI and Anthropic. Their spokesperson Heidi Hagberg confirmed the breach but refused to verify the Lapsus$ connection or scope of data theft.
That's... concerning.
Lapsus$ posted samples of allegedly stolen Slack conversations, ticketing data, and videos of AI-contractor interactions on their leak site. For a company handling sensitive contractor relationships and client data, this exposure could be catastrophic.
The affected ecosystem extends far beyond Mercor:
- DSPy: Stanford's framework for optimizing language model prompts
- MLflow: ML lifecycle management platform
- CrewAI: Multi-agent AI orchestration
- OpenHands: Code generation toolkit
Each of them sits downstream of LiteLLM, so each was potentially exposed by those 40 minutes.
The Audit Theater
Delve, a security firm, had certified LiteLLM as secure before the breach. This exposes what TechBuzz.ai calls "gaps in third-party security auditing" in the AI supply chain rush.
Security theater at its finest. A stamp of approval that meant nothing when it mattered.
The root cause? LiteLLM's CI/CD pipeline referenced the Trivy GitHub Action by a movable tag or branch rather than an immutable commit SHA, so once the action was compromised the next pipeline run pulled the malicious version automatically. Basic security hygiene, pinning every GitHub Action to a full commit SHA, would have cut that link in the chain. It is not a substitute for keeping long-lived PyPI tokens out of CI secrets in the first place, but it is the cheapest fix on the list.
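What pinning actually means in a workflow file, as an added example of mine rather than LiteLLM's or Trivy's real configuration: a constructed workflow that references actions in three different ways, and a stdlib-only checker that flags every remote action not locked to a full 40-character commit SHA. The SHA on the checkout line is a placeholder, not a real commit, and the tag on the second Trivy line is illustrative.

```python
import re

# `uses:` values in GitHub Actions take the form owner/repo[/path]@ref, ./local/path,
# or docker://image. Only a full commit SHA is an immutable ref; tags and branches move.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Return 'local', 'docker', 'pinned' or 'floating' for one uses: value."""
    if ref.startswith("./"):
        return "local"            # lives in this repo; covered by the repo's own review
    if ref.startswith("docker://"):
        return "docker"           # image refs need digest pinning, a separate check
    _, _, version = ref.rpartition("@")
    return "pinned" if SHA_RE.match(version) else "floating"


def find_floating_actions(workflow_yaml):
    """Return (line_no, uses_value) for every remote action not pinned to a commit SHA."""
    out = []
    for no, line in enumerate(workflow_yaml.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_uses(m.group(1)) == "floating":
            out.append((no, m.group(1)))
    return out


# Constructed workflow; the checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned to a SHA
      - uses: aquasecurity/trivy-action@master   # branch: follows whatever master becomes
        with:
          scan-type: fs
      - uses: aquasecurity/trivy-action@0.28.0   # tag: looks fixed, but tags can be moved
      - uses: ./.github/actions/notify
"""


if __name__ == "__main__":
    for no, ref in find_floating_actions(SAMPLE_WORKFLOW):
        print(f"line {no}: {ref} is not pinned to a commit SHA")
```

A tag such as @0.28.0 reads as specific, yet anyone with write access to the action's repository can re-point it; a commit SHA cannot be altered after the fact. Pinning only stays useful if something like Dependabot or Renovate keeps the SHAs current, otherwise teams quietly go back to tags to avoid the maintenance.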
Developer Reality Check
If you're running LiteLLM, here's your immediate action list:
1. Purge site-packages entirely and rebuild the environment from scratch. Rolling back with pip removes only the files the package's own RECORD lists, and a planted .pth file is not among them, so it keeps executing after the downgrade
2. Rotate every credential that touched affected environments: SSH keys, cloud keys, Kubernetes secrets, database passwords and CI tokens
3. Audit outbound traffic logs from March 24th onward, from build hosts and developer machines alike, for connections to destinations you cannot account for
4. Verify release checksums before installing (LiteLLM now provides SHA-256 hashes)
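For step 4, an added example of mine (not LiteLLM's tooling) showing the check pip performs when run with --require-hashes: parse the --hash=sha256:... options on a requirements line, digest the downloaded artifact, compare in constant time, and refuse both weak algorithms and a line that carries no hash at all. The package name, version and wheel bytes are constructed placeholders.

```python
import hashlib
import hmac
import re

# pip's hash-checking mode expresses pins as `--hash=<algo>:<hexdigest>` options on the
# requirement line; several hashes may be listed (one per wheel or sdist) and any match passes.
HASH_OPT = re.compile(r"--hash=(?P<algo>[a-z0-9_]+):(?P<digest>[0-9a-fA-F]+)")
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}   # what pip accepts as strong enough


def parse_requirement_hashes(req_line):
    """Return {algo: {lowercase hex digests}} parsed from one requirements line."""
    hashes = {}
    for m in HASH_OPT.finditer(req_line):
        algo = m.group("algo")
        if algo not in ALLOWED_ALGOS:
            raise ValueError(f"refusing weak or unknown hash algorithm: {algo}")
        hashes.setdefault(algo, set()).add(m.group("digest").lower())
    return hashes


def digest_bytes(data, algo):
    return hashlib.new(algo, data).hexdigest()


def artifact_matches(data, req_line):
    """True if data's digest matches a pinned hash. A line with no pins is an error, not a pass."""
    expected = parse_requirement_hashes(req_line)
    if not expected:
        raise ValueError("requirement line carries no --hash pins")
    for algo, digests in expected.items():
        actual = digest_bytes(data, algo)
        # compare_digest keeps the comparison time independent of where the strings diverge
        if any(hmac.compare_digest(actual, d) for d in digests):
            return True
    return False


def pin_line(name_version, data, algo="sha256"):
    """Build the requirements line for a known-good artifact you have already vetted."""
    return f"{name_version} --hash={algo}:{digest_bytes(data, algo)}"


# Constructed stand-in for a wheel; real wheels are zip files, but the bytes do not matter here.
GOOD_WHEEL = b"PK\x03\x04constructed-wheel-bytes-for-the-example"


def demo():
    """Pin the vetted copy, then check an intact download and a tampered one against it."""
    line = pin_line("examplepkg==1.2.3", GOOD_WHEEL)
    tampered = GOOD_WHEEL[:-1] + b"!"
    return artifact_matches(GOOD_WHEEL, line), artifact_matches(tampered, line)


if __name__ == "__main__":
    intact, tampered = demo()
    print(f"intact download verified: {intact}, tampered download verified: {tampered}")
```

With a real requirements file the same check is `pip install --require-hashes -r requirements.txt`, which refuses any requirement lacking a hash. The block is for the other case: a wheel already sitting on a build host that you want to compare against a published SHA-256 before trusting what it installed.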
Cybernews warns this could equip 300,000+ cybercrime actors with stolen credentials. Whether that's accurate or sensationalized, the scale of potential damage is staggering.
My Bet: This attack marks a turning point. The AI supply chain's rapid expansion created a perfect storm—millions of downloads, unpinned dependencies, and audit theater masquerading as security. Expect enterprises to dramatically slow their open-source AI adoption while scrambling to implement proper dependency management. The 40-minute window that hit Mercor just proved that in the PyPI ecosystem, trust is measured in minutes, not months.

