The First AI Gateway Supply Chain Attack: LiteLLM Breach Hits a $10B Startup and Thousands More
In February, we wrote about Clinejection, a supply chain attack that turned a GitHub issue title into malware on 4,000 developer machines. In our follow-up analysis, we traced the five-step attack chain and asked how many other AI-mediated pipelines had the same weaknesses.
We now have an answer. Thousands.
On March 31, 2026, a group called TeamPCP compromised LiteLLM’s npm package. LiteLLM is an open-source AI gateway, downloaded millions of times per day, that sits between applications and LLM APIs from OpenAI, Anthropic, and dozens of other providers. The malicious code was live long enough for Lapsus$ to exfiltrate data from at least one major target: Mercor, a $10 billion AI recruiting startup backed by $350 million in Series C funding from Felicis Ventures.
The leaked data included Slack messages, ticketing system contents, and videos of conversations between AI systems and human contractors. Mercor processes over $2 million in daily payouts to AI trainers who work with OpenAI and Anthropic. The connection between TeamPCP and Lapsus$ remains unclear, but the outcome is not: an AI gateway compromise gave attackers access to one of the most sensitive nodes in the AI training supply chain.
Why an AI Gateway Is Not Just Another npm Package
Clinejection was a build pipeline attack. The compromised component sat in the CI/CD environment. Developers were affected, but the blast radius was bounded by who installed a specific CLI tool.
LiteLLM occupies a fundamentally different position. An AI gateway is a proxy layer. Every prompt your application sends to an LLM passes through it. Every response comes back through it. Every API key is stored in it or passed through it. Compromise this layer and you get three things simultaneously: all prompts (including proprietary data, customer information, and internal instructions), all responses (including generated code, analysis, and decisions), and all API keys (which grant direct access to the LLM providers themselves).
This is not the same class of risk as a compromised utility library. A poisoned left-pad breaks your build. A poisoned AI gateway reads your mind.
The attack surface scales with adoption. LiteLLM reports millions of daily downloads. Every organization using it routed its most sensitive AI interactions through a single open-source dependency. When that dependency was compromised, the attacker inherited the trust position of every application behind the gateway.
The Same Day, a Different Package
On the same day as the LiteLLM compromise, Socket Security reported that Axios, one of the most popular HTTP client libraries in the npm ecosystem, had also been compromised. A malicious dependency was inserted into several Axios npm versions, adding remote access trojan capability. North Korean hackers were implicated.
Two major npm supply chain attacks in a single day. One targeting AI-specific infrastructure. One targeting general-purpose infrastructure. Both using the same vector: compromise the package, inherit the trust.
The difference is what the attacker gains. Compromising Axios gives you network request interception. Compromising an AI gateway gives you the complete cognitive layer of every application behind it. The prompts contain the business logic. The responses contain the decisions. The API keys unlock the providers. It is a qualitatively richer target than any traditional library.
Compliance Theater, Documented
One detail from the Mercor incident deserves its own section.
After the breach, LiteLLM switched compliance providers from Delve to Vanta. This is revealing. Not because Vanta is better or worse than Delve. Because the switch itself tells you what compliance was doing before the attack: not enough.
Compliance certifications (SOC 2, ISO 27001, and their variants) audit whether you have security processes. They do not audit whether your npm dependencies contain malicious code. They verify that you have a vulnerability management policy. They do not verify that a malicious postinstall script cannot exfiltrate your API keys to an attacker’s server between audit cycles.
Mercor was “one of thousands of companies” affected by the LiteLLM compromise, according to TechCrunch’s reporting. Every one of those companies may have had SOC 2 certification. Every one of those companies was vulnerable anyway.
Switching compliance vendors after a supply chain attack is like changing insurance companies after a car accident. It addresses a real administrative need. It does nothing about the road conditions that caused the crash.
From Theory to Body Count
When we analyzed Clinejection in February and March, we described AI supply chain attacks as a new category with a proof of concept. The attack chain was documented. The playbook was public. We wrote: “The next attacker does not need to invent anything. They just need to find a target that has not yet applied the lessons.”
The LiteLLM attack confirms the pattern but escalates the stakes. Clinejection compromised a build tool. LiteLLM compromised the runtime inference layer. Clinejection affected 4,000 developer machines. LiteLLM affected thousands of production applications. Clinejection’s payload was benign (OpenClaw). LiteLLM’s compromise led to data exfiltration from a company valued at $10 billion.
The escalation trajectory is clear. The first AI supply chain attack was a proof of concept with a harmless payload. The second targeted the inference layer and resulted in real data theft. The third will be worse, because the playbook keeps improving while the defenses do not.
The AI Supply Chain Has Three Layers
Traditional software supply chain security focuses on dependencies. You audit your packages. You verify checksums. You pin versions. This is necessary and insufficient for AI systems.
AI supply chains have three layers that traditional supply chains do not.
The model layer. Where does your model come from? Who trained it? What data was used? If you use a hosted API, you trust the provider’s entire pipeline. We covered this in Your AI Provider Is a Supply Chain Risk.
The gateway layer. How do prompts reach the model? What sits between your application and the API? LiteLLM, LangChain, custom proxy layers, API management platforms. This is where the LiteLLM attack lived. It is the layer most organizations have never audited because it felt like “just another dependency.”
The agent layer. What can your AI systems do? What tools do they have access to? What credentials are available in their execution environment? This is where Clinejection lived. The triage bot had access to build credentials it did not need.
Most organizations have begun thinking about layer one (model risk). Almost none have audited layer two (gateway risk). And as we documented across our Clinejection coverage, layer three (agent risk) remains largely unexamined.
The LiteLLM breach is a forcing function. It proves that the gateway layer is a high-value target. It proves that “downloaded millions of times daily” is not a proxy for security. It proves that the trust you place in an AI gateway is the trust an attacker inherits when they compromise it.
What This Requires
Audit your AI gateway dependencies. If you use LiteLLM, LangChain, or any proxy layer between your application and LLM APIs, treat it as critical infrastructure. Pin versions. Verify checksums. Monitor for unexpected package updates. Do not auto-update AI gateway dependencies in production.
Rotate API keys on a schedule, not after incidents. Every organization affected by the LiteLLM compromise now needs to rotate every API key that passed through the gateway. If you had been rotating keys monthly, the exposure window would be bounded. Most organizations rotate LLM API keys never.
Separate your AI credentials from your application credentials. LLM API keys should not live in the same secret store, with the same access policies, as your database credentials. The blast radius of an AI gateway compromise should not extend to your entire infrastructure.
Evaluate whether you need a gateway at all. LiteLLM’s value proposition is abstracting across multiple LLM providers. If you use one provider, you do not need this abstraction layer. Every dependency you can remove is an attack surface you eliminate. Simplicity is a security strategy.
Stop treating compliance as security. SOC 2 did not prevent this breach. It was never designed to. Compliance tells your customers you have processes. Security is whether those processes actually prevent attacks. These are different things. Treating them as equivalent is how you end up switching compliance vendors after a breach instead of fixing the vulnerability class that caused it.
The Pattern Is Accelerating
February: Clinejection. Proof of concept. Benign payload. 4,000 affected developers.
March: LiteLLM. Production attack. Data exfiltration. Thousands of affected companies. $10 billion of valuation exposed. Axios compromised the same day.
The interval between incidents is shrinking. The severity is increasing. The attack surface is growing as more organizations adopt AI gateways, agent frameworks, and proxy layers without treating them as the critical infrastructure they are.
The malicious code in LiteLLM was removed “within hours.” Hours is fast for incident response. Hours is an eternity when every prompt and API key flowing through the gateway is being intercepted.
Your AI supply chain is not a nice-to-audit-someday concern. It is the most sensitive dependency in your stack, carrying your proprietary prompts, your customer data, and your provider credentials through code you did not write and have probably never read.
Treat it accordingly.
This analysis synthesizes the Mercor cyberattack report from TechCrunch (March 2026) and the Axios npm compromise analysis from Socket Security (March 2026).
Victorino Group helps organizations audit and govern their AI supply chain dependencies. Let’s talk.
All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com.