God willing
The Handoff (When a Supply Chain Attack Has Two Owners)
TeamPCP broke into LiteLLM. Lapsus$ walked out of Mercor with 4 TB. Two different threat actors, and the gap between them is the most interesting thing in the Q1 2026 cyber wave.
Here is the chain. In late March 2026, TeamPCP planted credential-harvesting malware inside LiteLLM, an open source library developers use to connect applications to AI services. Millions of downloads per day. The code ran for hours before anyone caught it. The harvested credentials propagated into Mercor, a USD$10 billion AI training-data startup whose customers include OpenAI, Anthropic, and Meta. Then Lapsus$, not TeamPCP, claimed the Mercor breach and published the haul: contractor PII, API keys, Slack dumps, and videos of Mercor's AI systems talking to the humans training them.
One actor compromised the library. A different actor exfiltrated the data. The credential that crossed between them is the whole story.
Why the Handoff Breaks the Model
My nth-order attack taxonomy (Bilar 2009, NATO CCDCOE) classifies attacks by the number of trust-boundary transits between attacker entry and target asset. It assumes one actor traversing the chain end to end. The Mercor chain has two, and that fact changes how the attack has to be read.
| Hop | Entity | Trust exploited |
|---|---|---|
| 0 | OpenAI, Anthropic, Meta training pipelines | Target asset |
| 1 | Mercor production environment (4 TB exfiltrated) | AI labs trust Mercor as data middleware |
| 2 | LiteLLM package | Mercor trusts LiteLLM as a dependency |
| 3 | LiteLLM distribution channel (PyPI/npm) | Developers trust the registry to serve clean packages |
| 4 | TeamPCP's publishing credential | Registry trusts the credential |
Four trust boundaries between entry and target. No zero-days burned. Every hop used a designed trust relationship running exactly as built. SolarWinds (2020) was 2nd-order. XZ Utils (2024) was 3rd. Mercor is 4th, and to my knowledge the first 4th-order incident with named parties at every hop and two distinct actors running it.
The two-actor structure is not new in the abstract. ENISA already defines a supply chain attack as the combination of at least two attacks, one on a supplier and a later one on the intended target. The 3CX compromise in 2023 was the first confirmed double supply chain attack, where one intrusion into Trading Technologies became the launch point for the intrusion into 3CX. What Mercor adds is the actor boundary running straight through the middle of the chain. The upstream compromise and the downstream exploitation were not two phases of one operation. They were two operations, run by two crews, joined at a stolen credential.
Access-as-a-Service
Ransomware already went through this exact evolution, and the parallel is precise enough to be useful.
Around 2019, the ransomware economy split into specialists. Initial Access Brokers (IABs) broke into networks through phished credentials, exposed RDP, or vulnerable edge devices, then sold that foothold on a marketplace. Ransomware affiliates bought the foothold and deployed the payload. The two parties never had to meet, share tools, or know each other's real identity. One crew got good at getting in. Another got good at cashing out. Access became a commodity with a price list set by target revenue, industry, and depth of the foothold.
The Mercor chain is that same division of labor, moved up the stack from enterprise networks to the software supply chain. TeamPCP specializes in upstream package compromise. They hit LiteLLM. They ran the Mini Shai-Hulud npm worm I wrote about earlier, which I classified as a 2nd-order attack at the time. Lapsus$ specializes in downstream exfiltration and extortion. Each crew operated at the hops where its tradecraft is strongest. The supply chain compromise stopped being a single operation and became a pipeline with its own suppliers.
This is not a one-off. ZeroFox's 2026 IAB forecast names the pattern: the access market is maturing toward higher-value targets, and brokers increasingly go after entities that already hold access to many downstream environments (third-party vendors and upstream suppliers), because one intrusion there resells into dozens or hundreds of victim networks. A data-middleware vendor sitting inside three frontier AI labs is the highest-value version of that target. Mercor is that forecast with a name on it.
The Defender's Real Problem
Split ownership of a chain is harder to defend than a single-actor chain, for a reason that has nothing to do with how sophisticated either actor is.
Detection and attribution break across two separate actor profiles. Different indicators. Different infrastructure. Different timelines. The team hunting the LiteLLM compromise sees credential-harvesting malware in a Python package and a TeamPCP signature. The team investigating the Mercor breach sees Lapsus$ extortion tradecraft on the exfiltration side. Both teams are correct. Neither sees the whole attack, because the whole attack is the credential that crossed from one operation into the other, and that credential does not show up as malicious in either half. It was harvested cleanly at Hop 3 and presented as valid at Hop 1.
If your threat model assumes a single actor traversing your supply chain end to end, you will find the entry or you will find the exit. You will not find the handoff. The handoff is not an event in your logs. It is a transaction in someone else's marketplace, and it happens between the two halves of the attack you can see.
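The join the paragraphs above imply, as an added example (not from the original article): neither team's indicators flag the credential, but the upstream exposure list and the downstream authentication log share it as a key. The credential names, timestamps, and network ranges below are constructed sample data.

```python
from datetime import datetime

# Constructed inventory from the upstream investigation: credentials readable by
# hosts that ran the compromised dependency, and when each host first ran it.
EXPOSED = {
    "svc-etl-key": datetime(2026, 3, 27, 9, 0),
    "ci-deploy-token": datetime(2026, 3, 27, 9, 30),
}
# Constructed downstream auth log: (timestamp, credential id, source network, result).
AUTH_LOG = [
    (datetime(2026, 3, 26, 8, 0), "svc-etl-key", "10.0.4.0/24", "success"),
    (datetime(2026, 3, 27, 8, 0), "ci-deploy-token", "10.0.9.0/24", "success"),
    (datetime(2026, 3, 29, 2, 15), "svc-etl-key", "203.0.113.0/24", "success"),
    (datetime(2026, 3, 29, 3, 0), "svc-etl-key", "10.0.4.0/24", "success"),
    (datetime(2026, 3, 30, 1, 0), "hr-readonly", "198.51.100.0/24", "success"),
]

def handoff_candidates(exposed, auth_log):
    """Valid logins with an exposed credential, after its exposure time, from a
    source network never seen for that credential before the exposure."""
    baseline = {}
    for ts, cred, src, result in auth_log:
        if cred in exposed and result == "success" and ts < exposed[cred]:
            baseline.setdefault(cred, set()).add(src)
    hits = []
    for ts, cred, src, result in sorted(auth_log):
        if cred not in exposed or result != "success" or ts < exposed[cred]:
            continue
        if src not in baseline.get(cred, set()):
            # The last field is the gap between exposure and first foreign use.
            hits.append((cred, src, ts, ts - exposed[cred]))
    return hits

def unrotated(exposed, rotations):
    """Exposed credentials with no rotation recorded after the exposure time."""
    return sorted(c for c, t in exposed.items()
                  if rotations.get(c, datetime.min) <= t)

if __name__ == "__main__":
    for cred, src, ts, gap in handoff_candidates(EXPOSED, AUTH_LOG):
        print(f"{cred} used from {src} at {ts} ({gap} after exposure)")
    print("still unrotated:", unrotated(EXPOSED, {}))
```

Every row it returns is a successful, policy-compliant login; what makes it interesting is only the exposure timestamp supplied by the other investigation.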
The SLH alliance (ShinyHunters plus Scattered Spider plus LAPSUS$) is the organizational form this produces once the market matures. Three crews, each with a specialty (social engineering, exfiltration, identity compromise), merged into one pipeline. Whether the Mercor chain ran through that formal alliance or through an arms-length credential sale does not change the structure. Upstream access feeds downstream exploitation, and the actors at each hop are optimized for their own segment.
Model the Chain as a Market
Stop modeling supply chain attacks as one adversary moving through your dependencies. Model them as a market; see, e.g., the 2017-2019 Massacci-Allodi Corpus (Trento/WEIS/CCS). Your dependency chain is an inventory of footholds that different actors value differently, and the actor who breaks in is probably not the actor who will hurt you.
Count your hops. Map every vendor that holds credentials, tokens, or management-plane access to your environment. For each one, ask the question the IAB market is already asking on your behalf: if this vendor is compromised, how many environments does that foothold resell into, and is mine one of them? If you are a vendor like Mercor, the answer is the entire reason you are a target. If you are a customer, the answer is your blast radius whether you measured it or not.
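One way to run that hop count, as an added example (not code from the original article): a trust graph is walked outward from the asset to number each hop as in the table above, then walked in reverse to count how many environments a foothold at each hop resells into. The edge list is constructed, and the `other-customer-*` entries are hypothetical.

```python
from collections import deque

# Constructed trust graph: an edge A -> B means "A trusts B", i.e. B holds
# credentials, tokens, or code execution inside A.
TRUSTS = {
    "ai-lab-pipeline": ["mercor-prod"],
    "other-customer-1": ["mercor-prod"],
    "other-customer-2": ["mercor-prod"],
    "mercor-prod": ["litellm-package"],
    "litellm-package": ["package-registry"],
    "package-registry": ["publisher-credential"],
}

def hop_orders(trusts, asset):
    """Breadth-first walk from the asset along trust edges: {entity: hop}."""
    order = {asset: 0}
    queue = deque([asset])
    while queue:
        node = queue.popleft()
        for dep in trusts.get(node, []):
            if dep not in order:
                order[dep] = order[node] + 1
                queue.append(dep)
    return order

def resale_reach(trusts, foothold):
    """Every environment that directly or transitively trusts `foothold`."""
    reverse = {}
    for truster, deps in trusts.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(truster)
    seen, queue = set(), deque([foothold])
    while queue:
        for truster in reverse.get(queue.popleft(), ()):
            if truster not in seen:
                seen.add(truster)
                queue.append(truster)
    return seen

def report(trusts, asset):
    """Rows of (hop, entity, number of environments the foothold resells into)."""
    orders = hop_orders(trusts, asset)
    return sorted((hop, name, len(resale_reach(trusts, name)))
                  for name, hop in orders.items())

if __name__ == "__main__":
    for hop, name, reach in report(TRUSTS, "ai-lab-pipeline"):
        print(f"hop {hop}: {name:22s} resells into {reach} environment(s)")
```

The reach column grows with distance from the asset, which is the pricing logic the access market applies to upstream footholds.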
TeamPCP got in. Lapsus$ got paid. The credential crossed cleanly between them. All as designed.