Mercor Hit by LiteLLM Supply Chain Attack
Briefly

"We believe that the compromise originated from the Trivy dependency used in our CI/CD security scanning workflow. Our security team moved promptly to contain and remediate the incident."
"Lapsus$ is auctioning the information, which allegedly includes candidate profiles, personally identifiable information, employer data, user accounts and credentials, video interviews, proprietary information, source code, keys and secrets, and TailScale VPN data."
Mercor disclosed that it was affected by the LiteLLM supply chain attack of March 27. That attack stemmed from an earlier compromise of the Trivy security scanner, which LiteLLM used in its CI/CD pipeline. The malicious LiteLLM package versions were available for download for about 40 minutes, which was likely enough to reach thousands of companies, Mercor among them. The Lapsus$ extortion group claims to have stolen over 4TB of sensitive data, including candidate profiles and proprietary information. Mercor is conducting an investigation with third-party forensics experts.
Read at SecurityWeek