The Mercor Breach Shows What Happens When Credentials Are the Last Line of Defense

A supply chain attack swept 4TB of data from Mercor, including Tailscale VPN configs, SSH keys, and 40,000 contractors' personal records. The lesson is not about any single tool. It is about what happens when access depends entirely on secrets that can be stolen.

In late March 2026, a threat group called TeamPCP quietly rewrote a version of Trivy, a widely used open-source vulnerability scanner, and pushed it to GitHub. The change was subtle. Trivy's CI/CD pipeline now contained credential-harvesting code that would execute silently on any system that pulled the new version.

LiteLLM, an AI gateway package with 3.4 million daily downloads, used Trivy in its own build pipeline with an unpinned version reference. On March 24 at 10:39 UTC, LiteLLM's pipeline ran and the malicious code executed. Thirteen minutes later, two compromised versions of LiteLLM were live on PyPI. By 11:48 UTC, a security researcher had spotted the anomaly. PyPI quarantined the packages at 13:38.

The window was under three hours. The damage was roughly 4 terabytes.
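The unpinned version reference described above is something a repository can check for before a pipeline ever runs. The following is an added example, not code from the original post or from any project it names; it assumes the pipeline is a GitHub Actions workflow (the post does not say which CI system was used), and the action names and sample workflow are constructed.

```python
import re

# A step reference looks like "uses: owner/repo@ref" or "uses: docker://image[@digest]".
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
COMMIT_SHA = re.compile(r"[0-9a-f]{40}")
IMAGE_DIGEST = re.compile(r"sha256:[0-9a-f]{64}")


def classify(target):
    """Classify one `uses:` target as 'local', 'pinned' or 'mutable'."""
    if target.startswith("./"):
        return "local"  # action stored in the same repository
    _, _, ref = target.partition("@")
    if target.startswith("docker://"):
        # Image tags such as :latest can be re-pointed; a digest cannot.
        return "pinned" if IMAGE_DIGEST.fullmatch(ref) else "mutable"
    # Branches and tags (v4, master) can be moved; a full commit SHA cannot.
    return "pinned" if COMMIT_SHA.fullmatch(ref) else "mutable"


def audit(workflow_text):
    """Return (line_number, target) for every reference that can change upstream."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "mutable":
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample workflow; every name below is a placeholder.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@v4
      - name: Vulnerability scan
        uses: example-org/scanner-action@master
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: ./.github/actions/local-lint
      - uses: docker://example.invalid/tool:latest
      - uses: docker://example.invalid/tool@sha256:DIGEST
""".replace("DIGEST", "ab" * 32)

if __name__ == "__main__":
    for lineno, target in audit(SAMPLE):
        print(f"line {lineno}: mutable reference {target}")
```

Run as a required check on workflow changes, this fails the build when a reference can be re-pointed by whoever controls the upstream repository.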

What Was Taken

The harvested data from affected systems was comprehensive: SSH keys, AWS and GCP credentials, Kubernetes secrets, API keys, database credentials, .env files, and cryptocurrency wallets. Whatever credentials were reachable on a compromised system, the malicious code swept them.

Among the data stolen from Mercor, an AI training platform whose clients include OpenAI, Anthropic, and Meta, were Tailscale VPN configurations, internal source code, Slack communications, and approximately 40,000 contractors' personal records, including Social Security numbers and video interview recordings. Five federal lawsuits were filed within a week. Meta paused all contracts with the company while investigating.

Lapsus$, the extortion group, subsequently claimed responsibility for the Mercor-specific exfiltration and announced 4TB of stolen data.

This Was Not a Tailscale Vulnerability

Tailscale did not have a vulnerability. The Tailscale VPN configurations that were stolen were taken because they lived, like everything else, in an environment that was swept for credentials. Once malicious code is executing in your build pipeline with access to your file system and environment variables, it takes everything it can reach — and VPN configuration files are reachable.

This distinction matters because it points to the actual problem. The breach did not happen because any specific tool failed. It happened because the entire model of protecting access with secrets is structurally fragile. If your network access depends on credentials — keys, tokens, config files, passwords — and those credentials can be read by any process running on your system, then your network access can be stolen by any process running on your system.

The attacker did not break any encryption. They did not exploit a zero-day in Tailscale or LiteLLM. They stole keys. Then they used the keys.
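The point above, that any process on the system can read the credentials present there, holds for environment variables by default: a child process inherits all of them. The following is an added example, not code from the original post; the allowlist, variable names and values are constructed assumptions, and it narrows only what a build step sees in its environment, not what it can read from disk.

```python
import os
import subprocess
import sys

# Assumed allowlist: variables a build step needs that carry no secret.
SAFE_VARS = {"PATH", "HOME", "LANG", "TMPDIR"}

# Constructed CI environment; none of these values is a real credential.
CI_ENV = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "HOME": "/tmp",
    "AWS_SECRET_ACCESS_KEY": "constructed-not-a-real-key",
    "DATABASE_URL": "postgres://user:constructed@db.invalid/app",
    "PYPI_TOKEN": "constructed-not-a-real-token",
}


def scrubbed_env(env, extra=()):
    """Copy only allowlisted variables, plus step-specific `extra`, from env."""
    allowed = SAFE_VARS | set(extra)
    return {name: value for name, value in env.items() if name in allowed}


def withheld(env, extra=()):
    """Names (never values) of the variables a step will not receive."""
    return sorted(set(env) - set(scrubbed_env(env, extra)))


def visible_names(env):
    """Start a child process with `env`; return the variable names it can read."""
    probe = "import os; print('\\n'.join(sorted(os.environ)))"
    result = subprocess.run([sys.executable, "-c", probe], env=env,
                            capture_output=True, text=True, check=True)
    return set(result.stdout.split())


if __name__ == "__main__":
    # Default behaviour: the scanner step inherits every secret in the job.
    print("inherited:", sorted(visible_names(CI_ENV) & set(CI_ENV)))
    # Allowlisted: the scanner step gets no secrets at all.
    print("scan step:", sorted(visible_names(scrubbed_env(CI_ENV)) & set(CI_ENV)))
    # The publish step alone is handed the one token it needs.
    publish = scrubbed_env(CI_ENV, extra=("PYPI_TOKEN",))
    print("publish step:", sorted(visible_names(publish) & set(CI_ENV)))
    print("withheld from scan step:", withheld(CI_ENV))
```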

The Deeper Architecture Problem

Software-defined access controls are only as strong as the credentials that authenticate them. This is not a criticism of any particular product. It is a description of how the category works. A VPN authenticates users and devices using keys and tokens. An API gateway uses API keys. A cloud environment uses IAM credentials. When those secrets are present on a system, they are present on the system, accessible to any sufficiently privileged process that runs on it.

Supply chain attacks are effective precisely because they achieve that privilege through a trusted channel. A build pipeline runs with elevated access. A package pulled from PyPI executes in a trusted context. The attacker does not need to break in. They need to get their code into a place where it already has permission to run.

From that position, every credential on the system is exposed. Every software-defined access control that depends on those credentials is bypassed.

What Changes When Access Is Hardware-Enforced

Hardware-enforced connectivity approaches this problem differently. The cryptographic keys that establish a Teleportal link are generated and stored in hardware. They never appear in a file system, an environment variable, or a build pipeline. There is no credential to sweep, no configuration file to exfiltrate, no token to replay.

Access between locations is established between specific physical devices, not between authenticated users or processes. A compromised pipeline cannot steal what is not there. An attacker with full read access to the file system finds no network credentials to use, because the credentials do not exist in a form that can be read.

This is not a complete answer to supply chain risk. The software running on your machines remains your responsibility. But it removes one of the most exploited attack surfaces in modern breaches: the credential that, once stolen, becomes a working key to your network.

The Mercor incident is a large and well-documented example of where the current model breaks down. The companies involved are not naive about security. They use established tools, follow recognized practices, and still lost 4 terabytes of sensitive data to an attacker who found the right credential in the right place. That outcome is not anomalous. It is the predictable result of a system where network access ultimately depends on secrets that software can read.


Sources: StrikeGraph, Staffing Industry Analysts
