LiteLLM Supply Chain Attack: How TeamPCP and Lapsus$ Breached 500,000 Machines Through an AI Library Saudi Banks May Be Running

Forty minutes. That is how long malicious versions of LiteLLM — an open-source Python library with 97 million monthly downloads — sat on PyPI before being pulled. In that window, TeamPCP's credential-harvesting implant reached an estimated 500,000 machines, compromised more than 1,000 SaaS environments, and gave the Lapsus$ extortion group enough stolen data to auction off 4TB taken from AI recruiting giant Mercor. For Saudi financial institutions quietly integrating AI orchestration frameworks into their fraud detection, customer-service automation, and risk-scoring pipelines, this incident is a watershed moment.

What Happened: A Maintainer Account, Two Bad Packages, and a 40-Minute Blast Radius

LiteLLM is the de-facto standard for routing requests across different large-language-model APIs — OpenAI, Anthropic, Bedrock, Vertex — from a single Python interface. Its ubiquity made it an attractive supply chain target. In late March 2026, the threat group tracked as TeamPCP obtained the credentials of a LiteLLM project maintainer and used them to publish two trojanized versions: litellm 1.82.7 and 1.82.8. Both packages contained credential-harvesting malware designed to silently exfiltrate environment variables, API keys, cloud provider secrets, SSH private keys, and shell history the moment they were imported into a running application.

PyPI responded and pulled both packages within roughly 40 minutes. But in a world where automated CI/CD pipelines fetch dependencies on every build, 40 minutes is an eternity. vx-underground's threat researchers estimate the packages were pulled from PyPI by roughly 500,000 distinct machines before removal. Mandiant's Consulting CTO Charles Carmakal, speaking at RSA Conference 2026, confirmed that Google's incident-response unit was tracking "over 1,000 impacted SaaS environments" directly tied to this single supply chain compromise.

Mercor: The $10 Billion Casualty and the Lapsus$ Auction

Mercor — a $10 billion AI recruiting startup and one of LiteLLM's enterprise users — confirmed the breach publicly on April 2, 2026. The company acknowledged it was "one of thousands of companies" caught in the blast radius, a statement that was simultaneously accurate and alarming. Shortly after Mercor's disclosure, the Lapsus$ extortion group listed the company on its leak site and claimed to hold 4TB of data for auction.

The alleged Lapsus$ dataset includes candidate profiles and personally identifiable information, employer records, user account credentials, full video interview recordings, proprietary source code, internal API keys and secrets, and TailScale VPN configuration data. Whether the full 4TB claim is accurate or inflated for negotiation leverage is secondary to the core fact: an open-source dependency pulled into a standard development environment became the entry point for an enterprise-grade breach at a well-funded, security-conscious technology company.

Why This Is a Direct Concern for Saudi Financial Institutions

Saudi banks and insurance companies are not passive observers of this incident. The accelerating adoption of AI across the Saudi financial sector — for transaction fraud scoring, AML pattern recognition, KYC automation, and customer-facing chatbots — means that LiteLLM and equivalent AI orchestration libraries are increasingly present inside production environments regulated by SAMA. SAMA's Cyber Security Framework (CSCC) mandates rigorous third-party and supply chain risk management under Domain 3 (Cyber Security Operations and Technology). Article 3-3-2 explicitly requires institutions to assess the security posture of software dependencies, not just primary vendors. NCA's Essential Cybersecurity Controls (ECC-1:2018) impose equivalent obligations through control domain 2-12 on third-party and cloud service provider management.

The LiteLLM incident also has direct PDPL implications. If an institution's AI pipeline processed customer data — names, transaction records, KYC documents — while a malicious package version was active in the environment, that constitutes a personal data breach under Saudi Arabia's Personal Data Protection Law. Notification obligations to SDAIA and affected individuals may apply, with timelines that are difficult to meet if the organization lacks real-time dependency monitoring.

Practical Recommendations: What to Do This Week

1. Audit your PyPI dependency graph immediately. Run pip list or inspect your requirements.txt and poetry.lock files for any reference to litellm versions 1.82.7 or 1.82.8. If found, treat the environment as fully compromised and initiate an incident response process.
2. Pin dependency versions and enforce hash verification. Use pip install --require-hashes with a locked requirements.txt generated via pip-compile. This prevents silent upgrades to malicious package versions during automated builds.
3. Rotate all environment variables and secrets in affected systems. The malware's primary payload was credential exfiltration. Any API keys, cloud provider credentials, or database connection strings that existed as environment variables in a potentially affected runtime must be rotated immediately, regardless of whether you can confirm the packages were executed.
4. Implement a Software Bill of Materials (SBOM) process. Mandated under emerging NCA guidance and aligned with SAMA CSCC's supply chain controls, an SBOM gives your security team a real-time inventory of every open-source component in production. Tools like syft, CycloneDX, and GitHub's Dependency Graph can automate generation.
5. Integrate PyPI package integrity monitoring into your CI/CD pipeline. Solutions such as Socket.dev, Phylum, and Checkmarx SCA can flag newly published packages that exhibit suspicious behaviors — anomalous network calls, credential access patterns — before they reach production.
6. Assess your PDPL breach notification obligation. Work with your Data Protection Officer to determine whether any personal data processed through an AI pipeline may have been exposed. Saudi PDPL Article 25 requires notification to SDAIA within a defined period of discovering a breach.

The Bigger Pattern: AI Tooling Is the New Perimeter

The Mercor incident did not exploit a zero-day in a firewall or bypass an EDR solution. It exploited the implicit trust that every developer and every automated pipeline places in a package registry. As Saudi financial institutions accelerate their AI transformation under Vision 2030's financial sector digitisation agenda, the attack surface is expanding into territories that traditional vulnerability management programs were not designed to cover. LiteLLM is one library; the AI tooling ecosystem encompasses hundreds of rapidly-evolving open-source components, each with its own maintainer base and each representing a potential TeamPCP-style insertion point.

SAMA's Technology Risk Guidelines and the forthcoming AI Governance Framework for Financial Institutions are expected to address this gap explicitly. Institutions that wait for regulation to mandate supply chain controls will find themselves reacting to breaches rather than preventing them.

Conclusion

The LiteLLM supply chain attack is a clear signal that the AI adoption wave in Saudi finance needs to be matched with an equally serious investment in AI supply chain security. A 40-minute window of exposure produced a breach measured in terabytes. The same vulnerability exists in every environment running unverified open-source AI dependencies today. Dependency pinning, SBOM generation, secrets rotation, and SAMA-aligned third-party risk reviews are not theoretical best practices — they are urgent operational tasks.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment, including a full AI supply chain risk review aligned to SAMA CSCC and NCA ECC requirements.