What if the tools you trust to build secure systems are the very ones letting attackers in? That’s not a hypothetical anymore. Mercor, an AI recruiting startup, just confirmed they were breached through a compromised open-source project they depended on: LiteLLM. And they weren’t alone—thousands of companies got hit in the same supply chain attack.
As someone who builds bots for a living, this hits close to home. We all use open source libraries. They’re the foundation of modern development. But this incident exposes a uncomfortable truth: every dependency in your package.json is a potential backdoor.
What Happened at Mercor
In March 2026, Mercor discovered their systems had been compromised. An extortion crew claimed responsibility for stealing data from the company’s infrastructure. The attack vector? LiteLLM, an open-source project that thousands of AI companies rely on to manage their language model integrations.
LiteLLM is exactly the kind of tool bot builders love. It provides a unified interface for working with multiple LLM providers—OpenAI, Anthropic, Cohere, you name it. Instead of writing separate integration code for each API, you use LiteLLM as a proxy layer. It’s convenient, well-maintained, and widely adopted. That popularity made it a perfect target.
When attackers compromised the LiteLLM project, they didn’t just hit one company. They potentially gained access to every system that had pulled in the malicious code. Mercor confirmed they were “one of thousands of companies” affected by the breach.
Why This Matters for Bot Builders
If you’re building AI agents or chatbots, you’re almost certainly using open source packages for LLM integration, vector databases, prompt management, or API routing. Each one is a trust relationship. You’re trusting that the maintainers are who they say they are, that their development environment is secure, and that their package distribution pipeline hasn’t been hijacked.
That’s a lot of trust to place in projects that might be maintained by a handful of volunteers in their spare time.
The Mercor incident shows how quickly things can go wrong. Modern bots often handle sensitive data—customer conversations, API keys, internal documents, training data. If your dependency chain is compromised, attackers can exfiltrate that data, inject malicious behavior into your bot’s responses, or use your infrastructure as a launchpad for further attacks.
The Supply Chain Problem
Supply chain attacks aren’t new, but they’re getting more sophisticated. Attackers know that compromising a popular library gives them access to hundreds or thousands of downstream targets. It’s more efficient than attacking each company individually.
The challenge is that most of us don’t have the resources to audit every line of code in our dependency tree. A typical Node.js project might have hundreds of dependencies when you count transitive packages. Python projects using pip can be just as complex. You’re trusting code written by strangers, often without any formal security review.
Package managers have added some protections—signature verification, two-factor authentication for maintainers, automated vulnerability scanning. But these measures can’t catch everything, especially zero-day compromises where malicious code is injected before anyone knows to look for it.
What You Can Do
First, inventory your dependencies. Know what you’re using and why. Remove packages you don’t actually need. Every dependency you eliminate is one less potential attack vector.
Second, pin your versions. Don’t automatically pull the latest release of every package. Use lock files and review updates before deploying them. Yes, this creates more work. But it also gives you a chance to catch suspicious changes before they hit production.
Third, monitor security advisories. Set up alerts for the packages you depend on. When vulnerabilities are disclosed, you need to know immediately.
Fourth, consider using tools that scan your dependencies for known vulnerabilities. GitHub’s Dependabot, Snyk, and similar services can automatically flag problematic packages. They’re not perfect, but they catch obvious issues.
Finally, architect your systems with the assumption that dependencies might be compromised. Use principle of least privilege. Isolate sensitive operations. Implement monitoring that can detect unusual behavior even if it’s coming from “trusted” code.
The Bigger Picture
The Mercor breach is a wake-up call. Open source is amazing—it accelerates development and enables collaboration at scale. But it also creates systemic risk. As bot builders, we need to be more thoughtful about what we’re pulling into our projects.
This isn’t about abandoning open source. It’s about using it wisely. Treat dependencies as untrusted code until proven otherwise. Build defenses that assume compromise. And stay informed about the security posture of the projects you rely on.
Because the next supply chain attack is already being planned. And your dependencies might be the target.
đź•’ Published: