LLM Security Research Finding

LiteLLM trojanized package and downstream compromises

March 31, 2026. Sources: SentinelOne, blackorbird, CloudSecurityAlliance

SentinelOne and CloudSecurityAlliance describe a supply chain incident in which a trojanized build of LiteLLM was distributed to downstream users. Because LiteLLM sits in front of many LLM providers and holds their API keys in one place, a single poisoned package exposes every configured provider credential at once; that concentration of secrets amplifies the blast radius and explains the downstream impacts, including the security incident Mercor confirmed.
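As an added example (not code from SentinelOne, CSA or the LiteLLM project), two triage checks that follow from the blast-radius point above: an inventory of which provider credentials a trojanized litellm import would have inherited from the process environment, and a requirements-file check for litellm installed without an exact version and --hash pin, the install mode that silently accepts whatever release was pushed with a stolen PyPI publishing token. The environment-variable names are assumed LiteLLM conventions, not taken from the page, and every sample input (including the digest) is constructed.

```python
"""Added example, not code from SentinelOne, CSA or the LiteLLM project.

Two triage checks for a host that may have imported a trojanized LiteLLM build:
  1. blast_radius(): which provider credentials any code in the process could
     read, which is exactly what a malicious litellm import inherits.
  2. unpinned_packages(): whether litellm is installed floating to 'latest',
     the install mode that silently pulls a release pushed with a stolen
     PyPI publishing token.

Assumptions (not from the page): the environment-variable names below are the
usual provider-key variables LiteLLM reads; extend the map for your deployment.
The sample env and requirements below are constructed, placeholder digest included.
"""
import re
from typing import Dict, Iterator, List

# Assumed provider-key variable names (common LiteLLM conventions).
PROVIDER_KEY_VARS: Dict[str, str] = {
    "OPENAI_API_KEY": "openai",
    "ANTHROPIC_API_KEY": "anthropic",
    "AZURE_API_KEY": "azure",
    "GEMINI_API_KEY": "gemini",
    "COHERE_API_KEY": "cohere",
    "MISTRAL_API_KEY": "mistral",
    "GROQ_API_KEY": "groq",
    "HUGGINGFACE_API_KEY": "huggingface",
    "AWS_ACCESS_KEY_ID": "aws-bedrock",
    "AWS_SECRET_ACCESS_KEY": "aws-bedrock",
}


def blast_radius(env: Dict[str, str]) -> List[str]:
    """Providers whose credentials were readable from this process environment.
    Every entry is a key to rotate; variables set to an empty value are ignored."""
    hit = {PROVIDER_KEY_VARS[k] for k, v in env.items() if k in PROVIDER_KEY_VARS and v}
    return sorted(hit)


# name, optional [extras], optional exact '==' pin; anything else (>=, ~=, bare) is unpinned
_REQ = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)\s*(\[[^\]]*\])?\s*(==\s*(?P<ver>[^\s;\\]+))?"
)


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued pip lines and drop comments (the layout pip uses for --hash pins)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def unpinned_packages(requirements_text: str, watch=("litellm",)) -> Dict[str, str]:
    """Watched packages that lack an exact '==' pin or a --hash, i.e. installs
    that would accept whatever the index serves next."""
    findings: Dict[str, str] = {}
    for line in _logical_lines(requirements_text):
        m = _REQ.match(line)
        if not m:
            continue
        name = m.group("name").lower().replace("_", "-")
        if name not in watch:
            continue
        if m.group("ver") is None:
            findings[name] = "no exact version pin"
        elif "--hash=" not in line:
            findings[name] = "no --hash pin"
    return findings


# Constructed sample inputs.
SAMPLE_ENV = {
    "OPENAI_API_KEY": "sk-constructed",
    "ANTHROPIC_API_KEY": "",  # set but empty: not counted
    "AWS_ACCESS_KEY_ID": "AKIACONSTRUCTED",
    "AWS_SECRET_ACCESS_KEY": "constructed",
    "PATH": "/usr/bin",
}
FLOATING_REQS = "litellm>=1.0   # floats to latest\nrequests==2.32.3\n"
PINNED_REQS = (
    "litellm[proxy]==1.0.0 \\\n"
    "    --hash=sha256:" + "0" * 64 + "   # placeholder digest, not a real one\n"
)

if __name__ == "__main__":
    print("credentials to rotate:", blast_radius(SAMPLE_ENV))
    print("floating:", unpinned_packages(FLOATING_REQS))
    print("pinned:", unpinned_packages(PINNED_REQS))
```

The environment inventory is the minimum scope: a LiteLLM proxy also keeps provider keys in its config file and database, so those stores need the same rotation pass. The pin check only tells you whether a poisoned release could have been pulled automatically; confirming what was actually installed still means comparing the on-disk package against the publisher's known-good digests.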

a trojanized version of LiteLLM
TeamPCP moved away from GitHub PATs by targeting PyPI publishing tokens using BerriAI LiteLLM.
TeamPCP turned your security scanners into the attack. Trivy, Checkmarx KICS, LiteLLM, and Telnyx SDK — all compromised in a single coordinated supply chain campaign over 9 days.
The worst part: LiteLLM aggregates API keys for dozens of LLM providers. One poisoned package =
AI startup Mercor confirms security incident linked to LiteLLM supply chain attack
Sources: SentinelOne, blackorbird, CloudSecurityAlliance, Nicolas Krassas, Traceix, Kimberly
Tags: litellm, api keys, supply chain, github, aws
