Executive Summary
In March 2026, AI recruiting startup Mercor confirmed a significant data breach stemming from the LiteLLM supply chain compromise attributed to the hacking group TeamPCP. The attackers entered Mercor's systems with a compromised Tailscale VPN credential and exfiltrated approximately 4 TB of sensitive data, including source code, user databases, and identity verification documents. The incident shows how a compromise of a widely used open-source component cascades into the organizations that depend on it.
The Mercor breach highlights the escalating threat of supply chain attacks against widely used open-source projects. As organizations integrate more such components into their infrastructure, the blast radius of a single upstream compromise grows, which makes robust controls and continuous monitoring of third-party dependencies essential.
Why This Matters Now
The Mercor breach underscores the immediate need for organizations to reassess and harden their software supply chain security. The attackers did not exploit a vulnerability in the victim itself; they backdoored trusted open-source tooling and used the credentials it exposed. Defending against that pattern requires pinning and verifying dependencies, continuous monitoring, regular audits, and a rapid response plan for credential compromise.
Attack Path Analysis
The TeamPCP supply chain attack began with the compromise of Aqua Security's Trivy vulnerability scanner, which let the attackers inject malicious code into trusted software components. The backdoored components stole credentials, which gave the attackers unauthorized access and a path to privilege escalation inside affected organizations' cloud environments. They then moved laterally across systems, deployed additional malware, and established persistent access. Command and control ran over decentralized infrastructure, which makes blocking by a fixed list of indicators unreliable. Sensitive data, including SSH keys and cloud access tokens, was exfiltrated to attacker-controlled servers. The campaign culminated in significant operational disruptions and data breaches for numerous organizations.
Kill Chain Progression
Initial Compromise
Description
Attackers compromised Aqua Security's Trivy vulnerability scanner by injecting malicious code into its GitHub repository, leading to the distribution of backdoored versions to users.
Related CVEs
CVE-2026-33634
CVSS 8.8
Malicious versions of Trivy and its associated GitHub Actions were published, leading to potential credential theft and unauthorized access.
Affected Products:
Aqua Security Trivy – 0.69.4
Aqua Security trivy-action – 0.0.1 – 0.34.2
Aqua Security setup-trivy – 0.2.0 – 0.2.6
Exploit Status:
exploited in the wild
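A practitioner's first check after this advisory is whether any CI workflow still references the affected Trivy actions, and whether those references are pinned to an immutable commit SHA rather than a tag or branch that a compromised upstream can re-point. The following scanner is an added example, not code from the advisory or from Aqua Security. It takes the version ranges from the list above; the workflow text is constructed for illustration, and the assumption that the Trivy binary version is passed through a `version:` input is marked in the code.

```python
"""Added example (not from the advisory or Aqua Security): flag GitHub
workflow steps that reference the Trivy actions in the version ranges the
advisory lists for CVE-2026-33634, or that pin them to a mutable tag or
branch instead of a commit SHA. The workflow text below is constructed."""
import re

# Affected ranges as listed in the advisory (inclusive, (major, minor, patch)).
AFFECTED_ACTIONS = {
    "aquasecurity/trivy-action": ((0, 0, 1), (0, 34, 2)),
    "aquasecurity/setup-trivy": ((0, 2, 0), (0, 2, 6)),
}
# Trivy release the advisory lists as malicious.
AFFECTED_TRIVY_VERSIONS = {(0, 69, 4)}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)@(\S+)", re.M)
# Assumption: the Trivy binary version is passed through a `version:` input.
VERSION_INPUT_RE = re.compile(r"^\s*version:\s*(\S+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

# Constructed sample workflow mixing affected, mutable and SHA-pinned refs.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.3
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@0.34.2
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""


def parse_version(ref):
    """Return (major, minor, patch) for 'v1.2.3' or '1.2.3', else None."""
    m = SEMVER_RE.match(ref)
    return tuple(int(x) for x in m.groups()) if m else None


def scan_workflow(text):
    """Return (repo, ref, status) triples for every Trivy-related reference."""
    findings = []
    for m in USES_RE.finditer(text):
        repo, ref = m.group(1), m.group(2)
        if repo not in AFFECTED_ACTIONS:
            continue
        low, high = AFFECTED_ACTIONS[repo]
        if SHA_RE.match(ref):
            # Immutable reference: safe only if that SHA is one you reviewed.
            findings.append((repo, ref, "pinned-sha"))
            continue
        version = parse_version(ref)
        if version is None:
            # Branch or floating major tag (master, v0): can be re-pointed.
            findings.append((repo, ref, "mutable-ref"))
        elif low <= version <= high:
            findings.append((repo, ref, "affected-version"))
        else:
            # Outside the listed range, but a tag can still be moved.
            findings.append((repo, ref, "mutable-tag"))
    for m in VERSION_INPUT_RE.finditer(text):
        if parse_version(m.group(1)) in AFFECTED_TRIVY_VERSIONS:
            findings.append(("trivy", m.group(1), "affected-binary"))
    return findings


def needs_action(findings):
    """True if any reference is affected or can be re-pointed upstream."""
    return any(status != "pinned-sha" for _, _, status in findings)


if __name__ == "__main__":
    results = scan_workflow(SAMPLE_WORKFLOW)
    for repo, ref, status in results:
        print(f"{status:17} {repo}@{ref}")
    print("action required:", needs_action(results))
```

Run it over every `.github/workflows/*.yml` in the organization; a SHA pin only counts as safe once that commit has itself been reviewed, which is why the scanner reports it rather than silently passing it.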
MITRE ATT&CK® Techniques
Compromise Software Supply Chain (T1195.002)
Valid Accounts (T1078)
Account Discovery (T1087)
Cloud Service Discovery (T1526)
Data from Cloud Storage (T1530)
Exfiltration Over Web Service (T1567)
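The Account Discovery and Cloud Service Discovery techniques above show up in cloud audit logs as a burst of read-only enumeration calls from one principal across several services shortly after the stolen credential is first used. The detector below is an added example, not from the advisory or any of its sources; it runs over constructed CloudTrail-style events (not real telemetry) and flags a principal whose discovery calls within a sliding window span enough services to look like reconnaissance rather than routine use.

```python
"""Added example (not from the advisory or any of its sources): flag a
principal that performs a burst of discovery API calls across several
cloud services, the post-compromise enumeration pattern behind the
Account Discovery and Cloud Service Discovery techniques listed above.
The CloudTrail-style events below are constructed, not real telemetry."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: one CI principal enumerating seven services in under a
# minute, plus a developer's routine activity. IPs are documentation ranges.
SAMPLE_EVENTS = """\
{"eventTime":"2026-03-28T02:10:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"198.51.100.20"}
{"eventTime":"2026-03-28T02:14:05Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2026-03-28T02:14:09Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2026-03-28T02:14:12Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2026-03-28T02:14:15Z","eventSource":"iam.amazonaws.com","eventName":"ListRoles","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2026-03-28T02:14:20Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2026-03-28T02:14:26Z","eventSource":"secretsmanager.amazonaws.com","eventName":"ListSecrets","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2026-03-28T02:14:31Z","eventSource":"lambda.amazonaws.com","eventName":"ListFunctions","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2026-03-28T02:14:40Z","eventSource":"eks.amazonaws.com","eventName":"ListClusters","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2026-03-28T02:15:02Z","eventSource":"iam.amazonaws.com","eventName":"ListAccessKeys","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2026-03-28T02:15:10Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2026-03-28T02:30:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"198.51.100.20"}
{"eventTime":"2026-03-28T02:31:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"198.51.100.20"}
"""

# Read-only enumeration calls; GetObject/PutObject are data access, not discovery.
DISCOVERY_PREFIXES = ("List", "Describe")
DISCOVERY_NAMES = {"GetCallerIdentity"}


def parse_events(text):
    """Parse JSON-lines events and attach a datetime under 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def is_discovery(event):
    name = event["eventName"]
    return name.startswith(DISCOVERY_PREFIXES) or name in DISCOVERY_NAMES


def find_enumeration_bursts(events, window=timedelta(minutes=5),
                            min_calls=8, min_services=3):
    """Return one alert per principal whose densest window of discovery
    calls has at least min_calls calls spanning at least min_services."""
    by_principal = defaultdict(list)
    for event in events:
        if is_discovery(event):
            by_principal[event["userIdentity"]["arn"]].append(event)

    alerts = []
    for arn, evs in by_principal.items():
        evs.sort(key=lambda e: e["time"])
        best, start = [], 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        services = sorted({e["eventSource"] for e in best})
        if len(best) >= min_calls and len(services) >= min_services:
            alerts.append({
                "principal": arn,
                "calls": len(best),
                "services": services,
                "source_ips": sorted({e["sourceIPAddress"] for e in best}),
                "first": best[0]["eventTime"],
                "last": best[-1]["eventTime"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration_bursts(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

Tune the thresholds to the principal's role: a CI deploy identity should never need to list IAM users or secrets, so for machine identities a lower `min_services` and an allowlist of expected services gives a far tighter signal than the generic numbers used here.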
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the integrity of software and firmware
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model 2.0 – Identity and Access Management
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
GDPR – Security of Processing
Control ID: Article 32
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain compromises targeting LiteLLM and npm packages expose development infrastructure to credential theft, lateral movement, and post-compromise cloud enumeration.
Information Technology/IT
TeamPCP campaign demonstrates critical risks to CI/CD pipelines, cloud infrastructure, and VPN systems requiring immediate zero trust segmentation and egress controls.
Financial Services
Cloud credential theft and data exfiltration threaten compliance with frameworks such as PCI DSS and NIST, while sophisticated threat actors target encrypted traffic and payment infrastructure.
Health Care / Life Sciences
Theft of biometric and identity data and the resulting HIPAA violations from supply chain attacks demand stronger Kubernetes security and multicloud visibility wherever protected health information is processed.
Sources
- TeamPCP Supply Chain Campaign: Update 005 - First Confirmed Victim Disclosure, Post-Compromise Cloud Enumeration Documented, and Axios Attribution Narrows (SANS ISC diary, Wed, Apr 1st): https://isc.sans.edu/diary/rss/32856
- CVE-2026-33634 Detail (NVD): https://nvd.nist.gov/vuln/detail/CVE-2026-33634
- Known Exploited Vulnerabilities Catalog (CISA): https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild (Wiz): https://www.wiz.io/blog/tracking-teampcp-investigating-post-compromise-attacks-seen-in-the-wild
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies within the cloud environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not have prevented the initial compromise of the Trivy scanner, it could have limited the impact by restricting the malicious code's ability to communicate with unauthorized services.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could have constrained the attacker's ability to escalate privileges by enforcing strict access controls, thereby reducing the scope of accessible resources.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could have limited the attacker's lateral movement by enforcing strict segmentation and monitoring of internal traffic, thereby reducing the attacker's ability to spread within the environment.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could have constrained the attacker's command and control capabilities by monitoring and controlling outbound communications, thereby reducing the effectiveness of decentralized infrastructure.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could have limited data exfiltration by enforcing strict egress policies, thereby reducing the attacker's ability to transmit sensitive data to external servers.
While Aviatrix Zero Trust CNSF may not have prevented all operational disruptions, it could have reduced the overall impact by limiting the attacker's ability to move laterally and exfiltrate data.
Impact at a Glance
Affected Business Functions
- Software Development
- Cloud Infrastructure Management
- Data Security
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of cloud credentials, SSH keys, Kubernetes configuration files, and CI/CD secrets.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within cloud environments.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic and block unauthorized data exfiltration.
- Deploy Multicloud Visibility & Control to detect and respond to anomalous activity across cloud platforms.
- Use Threat Detection & Anomaly Response tooling to identify and contain malicious behavior promptly.
- Pin CI/CD dependencies to reviewed commit SHAs, and audit and rotate credentials regularly, rotating immediately any secret that a compromised pipeline could have read.