
The Claude Mythos Leak, the Mercor Breach, and the LiteLLM Poisoning Are One Attack. The Actor Is TeamPCP. We Mapped Three of the Four Hops in Real Time.

  • Writer: Patrick Duggan

Three stories ran as separate headlines this spring. A malicious package poisoning on PyPI. A data breach at a ten-billion-dollar AI staffing startup. An unauthorized group reaching Anthropic's most powerful cyber model. Read apart, they are three unrelated bad weeks for three different companies. Read together — and they should be read together — they are a single attack, executed by a single actor, along a chain that runs from an open-source security scanner all the way to a frontier lab's offensive-security AI. The actor is TeamPCP. We have been tracking this crew since March, we published three of the four hops as they happened, and the fourth hop is the one that should make every security team that uses a third-party AI vendor go cold.


Start at the beginning, which is where we started in April. On March 19, TeamPCP poisoned 76 of 77 release tags in Aqua Security's Trivy-Action repository. Trivy-Action is the GitHub Action that runs the Trivy security scanner inside countless CI/CD pipelines; because a workflow that references an action by tag re-resolves that tag on every run, moving the tags was enough to turn the tool trusted to find problems into the tool that steals secrets from the pipelines it is trusted to protect. We wrote that up under the title "One Actor, Three Supply Chains," and the thesis then was that the chain does not stop when a vendor publishes a blog post; it stops when the harvested credentials expire, and they had not expired. That was hop one. The Trivy compromise was not the goal. It was the credential-harvesting engine for everything that came after.


Hop two: TeamPCP used credentials harvested through that campaign to reach a maintainer of LiteLLM — the widely used open-source library that brokers calls to large language models — and on March 27 published two malicious versions of the LiteLLM package directly to PyPI. Same technique, new package, higher up the AI stack. LiteLLM sits in the plumbing of organizations that build on top of language models, which means a poisoned LiteLLM is not one victim. It is every downstream consumer whose install resolved to one of those versions during the window, which in practice means anyone whose dependency spec floated instead of being pinned to an exact, already-vetted version.
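The check a pipeline owner would run after reading those two hops, as an added example that is not code from this post, from the platform, or from any of the projects named: a script that flags GitHub Actions referenced by a mutable tag or branch instead of a full commit SHA (the defect hop one exploited), and pip requirements that float or carry no `--hash` (the defect hop two exploited). The sample workflow and requirements are constructed for illustration; the action names, the package name and version, and the hash value are placeholders, not real artifacts.

```python
"""Flag mutable pins in a GitHub Actions workflow and in pip requirements.

Added example. The inputs below are constructed for illustration; the action
names, the package version and the hash are placeholders, not real artifacts.
"""
import re
from dataclasses import dataclass

# A full 40-hex commit SHA is the only immutable way to reference an action;
# tags and branches can be moved after the fact, which is what retagging exploits.
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"]+)""")

SAMPLE_WORKFLOW = """
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/security-scanner@0.1.0
      - uses: example-org/internal-action@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

SAMPLE_REQUIREMENTS = """
# constructed example, not a real lockfile
llm-broker==1.0.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests>=2.31
openai
-r base.txt
"""


@dataclass
class Finding:
    kind: str    # "action" or "package"
    ref: str     # the offending reference as written
    reason: str


def audit_workflow(yaml_text: str) -> list:
    """Return one Finding per `uses:` reference that can change underneath you."""
    findings = []
    for line in yaml_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local composite action: lives in this repo, nothing remote to pin
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append(Finding("action", ref, "container image not pinned by digest"))
            continue
        if "@" not in ref:
            findings.append(Finding("action", ref, "no ref given; resolves to the default branch"))
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA1_RE.match(version):
            findings.append(Finding("action", ref,
                                    f"mutable ref '{version}' (tag or branch); pin to a full commit SHA"))
    return findings


def _logical_lines(text: str):
    """Join backslash-continued lines and drop comments, as pip does."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def audit_requirements(text: str) -> list:
    """Return a Finding for every requirement that floats or has no --hash."""
    findings = []
    for spec in _logical_lines(text):
        if spec.startswith("-"):
            continue  # pip options such as -r or --index-url
        tokens = spec.split()
        req, opts = tokens[0], tokens[1:]
        if "==" not in req:
            findings.append(Finding("package", req,
                                    "not pinned to an exact version; a newly published release would install"))
        if not any(o.startswith("--hash=") for o in opts):
            findings.append(Finding("package", req,
                                    "no --hash; the install trusts whatever the index serves for that version"))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW) + audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"[{f.kind}] {f.ref}: {f.reason}")
```

Run against a real repository, point `audit_workflow` at each file under `.github/workflows/` and `audit_requirements` at the requirements or constraints files the pipeline actually installs from; a clean run means every action resolves to a commit that cannot be moved and every package resolves to one artifact whose hash was recorded before the window, not after.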


Hop three is the one that connects the supply chain to the headline, and it is the hop most people missed because it arrived dressed as an unrelated breach. One of those downstream LiteLLM consumers was Mercor — the ten-billion-dollar AI recruiting and training startup whose contractors evaluate and train models for the frontier labs. The malicious LiteLLM was the entry point. On March 31, Mercor disclosed a breach: roughly four terabytes exfiltrated, the personal data of more than forty thousand contractors, source code, API keys, interview recordings, biometric data. Meta paused all work with Mercor. OpenAI opened an investigation. The story was reported as a startup having a catastrophic month. It was actually hop three of a TeamPCP campaign that began with a security scanner twelve days earlier.


And hop four is where the chain reaches the thing it was always climbing toward. Among the Mercor data were the details and credentials of contractors who evaluate models for Anthropic. In April, an unauthorized group used exactly that — a model-evaluation contractor's credentials, pulled from the Mercor breach, combined with a guess at Anthropic's URL naming conventions — to reach Claude Mythos Preview, Anthropic's restricted model built to surpass all but the most skilled humans at finding and exploiting software vulnerabilities. The most dangerous offensive-security AI yet built was reached not by a zero-day and not by hacking Anthropic, but by walking a four-hop supply chain that started at a poisoned security scanner and ended at a contractor's reused password. Anthropic's own perimeter held; the chain went around it, through the trusted middle, one vendor at a time.


This is the trust-graph beast we keep naming, drawn end to end with a single actor's fingerprints on every hop. Trivy to LiteLLM to Mercor to Anthropic. A security tool, a model-plumbing library, a training vendor, a frontier lab. Each one trusted the one before it. Each compromise was the credential supply for the next. No single organization in that chain was careless in a way that explains the outcome; the outcome is a property of the chain itself, of an ecosystem where the security scanner, the LLM broker, the data-labeling vendor, and the AI lab are all linked by credentials and integrations that nobody maps as a single attack surface — until someone like TeamPCP maps it for them and walks it.


We want to be precise about what is established and what is inference, because the honest line matters more than the dramatic one. The Trivy, LiteLLM, and Mercor hops are documented — by us in real time for the first two, by Mercor's own disclosure and the reporting for the third. The fourth hop, the Mythos access, is a reported claim that Anthropic has said it is investigating, and Anthropic states it has found no evidence that its own systems were impacted. So the cleanest true statement is this: a single actor's supply-chain campaign produced the breach whose stolen credentials were then reportedly used to reach a frontier model. Whether TeamPCP themselves walked the final hop or sold the Mercor credentials to whoever did, the chain is the same chain, and it is one we had three-quarters mapped before the fourth link made the news.


The lesson is the one this platform exists to press, now with the highest-stakes possible illustration. Your third-party AI vendors — your model-eval contractors, your data-labeling partners, your LLM-plumbing dependencies — are not adjacent to your attack surface. They are your attack surface, linked by credentials you do not control to organizations you cannot audit. The frontier lab learned it through a chain that reached its most sensitive model. If the chain reaches there, it reaches you. Map your AI supply chain as one surface, assume any vendor credential may already be in someone's breach dump, and watch the actor, not the individual incident — because the individual incidents were never separate. They were hops.
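What "map your AI supply chain as one surface" looks like in code, as an added example for the trust-graph argument two paragraphs up and the lesson just above (not code from this post or from the platform): a small attack-path model in which each edge records what a compromise of one vendor hands an attacker on the next, a breadth-first walk that gives the blast radius from any node assumed compromised, and a cut-point score that says which link a control would most usefully break. The graph is an illustrative model shaped like the chain the post describes; the node names are generic and the edges are assumptions, not data from any incident report.

```python
"""Blast radius and cut points over a vendor trust graph.

Added example. The graph below is an illustrative model of the kind of chain
the post describes, not data from any incident report; node names are generic.
"""
from collections import defaultdict, deque

# Edge (src, dst, via): compromising src yields something (a token, a package
# release, an exfiltrated data store) that grants a foothold on dst.
EDGES = [
    ("security-scanner-action", "llm-broker-package",
     "maintainer token harvested from CI secrets"),
    ("security-scanner-action", "other-ci-secrets", "CI secrets harvested"),
    ("llm-broker-package", "training-vendor", "malicious release installed"),
    ("llm-broker-package", "other-downstream-consumer", "malicious release installed"),
    ("training-vendor", "frontier-lab-eval-access",
     "contractor credentials exfiltrated and reused"),
    ("training-vendor", "contractor-pii", "exfiltrated data store"),
]


def build_graph(edges):
    """Adjacency list {node: [(next_node, via), ...]}; sinks appear with no edges."""
    graph = defaultdict(list)
    for src, dst, via in edges:
        graph[src].append((dst, via))
        graph.setdefault(dst, [])
    return dict(graph)


def blast_radius(graph, start, removed=frozenset()):
    """BFS from a node assumed compromised. Returns {node: [hop, hop, ...]}
    for every node the attacker can reach, with the path that gets there.
    Nodes in `removed` are treated as hardened: the chain cannot pass through them."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, via in graph.get(node, []):
            if nxt in removed or nxt in paths:
                continue
            paths[nxt] = paths[node] + [f"{node} -> {nxt} ({via})"]
            queue.append(nxt)
    del paths[start]
    return paths


def cut_points(graph, start):
    """Score each node by how many nodes (itself included) drop out of reach
    when it is hardened. The top entry is where a control buys the most."""
    baseline = len(blast_radius(graph, start))
    scores = {}
    for node in graph:
        if node == start:
            continue
        left = len(blast_radius(graph, start, removed=frozenset({node})))
        scores[node] = baseline - left
    return dict(sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    g = build_graph(EDGES)
    for node, path in blast_radius(g, "security-scanner-action").items():
        print(f"{node}: {len(path)} hop(s)")
        for hop in path:
            print("   ", hop)
    print("cut points:", cut_points(g, "security-scanner-action"))
    # "Assume any vendor credential may already be in a breach dump": start
    # the walk at the vendor, not at the scanner.
    print("from training-vendor:", list(blast_radius(g, "training-vendor")))
```

The walk is only as good as the edge list, and the edge list is the exercise: every OAuth grant, deploy key, package publish right, and shared contractor login between you and a vendor is an edge, whoever owns the systems on either end. Running `blast_radius` from each vendor in turn is the concrete form of assuming that vendor's credential is already in someone's dump.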



