😱 4-TB Heist in 3 Hours: Mercor AI Supply-Chain Pillaged via Poisoned LiteLLM

TL;DR

• Mercor AI Breached via Poisoned Python Package, Exposing 211GB of Candidate Data
• NoVice malware infects 2.3M Android devices via 50+ Google Play apps, persists after factory reset via kernel and Mali GPU exploits
• HasBro Discloses Cybersecurity Incident, SEC Files 8-K Amid Ongoing Forensic Investigation

😱 4-TB Heist in 3 Hours: Mercor AI Supply-Chain Pillaged via Poisoned LiteLLM

4 TB gutted in 3 h—like cramming the Library of Congress through a drinking straw 😱 Mercor’s CI just pip-installed its own obituary. Your resumé & face-vid? Now Lapsus$ binge-watch material. Still trusting “latest” tags, SF? — how’s that $10 B pillow taste?

Welcome to the PyPI slaughterhouse, where your résumé, passport scan, and that awkward 3-TB video of you explaining “your biggest weakness” just became free torrent fodder. Mercor AI, the SF-based hiring-bot darling, got drop-kicked by a poisoned LiteLLM package so small it could fit on a floppy—if anyone still remembered what those were.

How the sausage got poisoned

• 12 Mar: Trivy’s CI repo left the door open with a pull_request_target token that might as well have been a neon “FREE BEER” sign.
• 19 Mar: Token used to yoink PyPI publishing rights for LiteLLM—no MFA, no signature, no problem.
• 24 Mar 10:39 UTC: Malicious versions 1.82.7 & 1.83.8 land on PyPI.
• 10:45 UTC: Mercor’s CI slurps them straight into prod—no hash check, no sandbox, no f***s given.
• 13:30 UTC: 200 Mbps exfil via Tailscale VPN to models.litellm.cloud; 4 TB later, Lapsus$ drops the mic.

Impact in bite-size blood splatters

Candidates: 211 GB of PII → GDPR/CCPA fines up to 4 % of global revenue → every applicant now phishing bait.
Ops: SSH/AWS keys stolen → 2 M USD daily payout pipeline one ssh-away from “sudo rm -rf /”.
Ecosystem: LiteLLM downloaded 3.4 M times/day → 2 337 downstream libs now wondering if they’re next.
Valuation: $10 B paper-unicorn looking at a 10–15 % haircut because “trust” isn’t in the VCs’ dictionary.

Institutional response—aka the usual fire drill

Mercor rotated every token in sight, slapped Sigstore signatures on future builds, and hired a forensics firm to bill 1 k USD/hour for saying “you got pwned.” PyPI promises mandatory 2FA—sometime before the heat death of the universe. FBI & CISA nod solemnly, then go back to their own unpatched Jenkins boxes.

Timeline of “lessons learned” (spoiler: nobody learns)

• Q2 2026: Mercor usage dips 20 %; legal war-chest burns 50 M USD.
• Q4 2026: PyPI 2FA still “rolling out”; 30 % YoY rise in CI/CD supply-chain carnage.
• 2027: Recruitment-tech sector down 15 %; class-action sharks circle; Sigstore becomes the new checkbox nobody audits.

Cheatsheet for the broke and the paranoid

1. Pin hashes, sign commits, rotate tokens monthly—cheap, boring, effective.
2. Kill pull_request_target with fire; run CI in throwaway containers.
3. Segment VPN egress; if it can’t phone home, it can’t leak 3 TB of your cringe interview.
4. Budget 0 USD: TruffleHog, Cosign, open-source SBOM tools—still better than a 80 M USD “incident response.”

Bottom line

Mercor’s meltdown isn’t a bug; it’s the feature of an industry that outsources security to Markdown “best-practice” docs. Until the next 34-KB gift wraps your data, keep your hashes tight, your tokens tighter, and maybe—just maybe—don’t film your passport next to your face.

😱 2.5M Midwest Androids Hijacked: Rootkit Survives Factory Reset

2.5 M phones gutted by 22 crusty exploits & a factory reset WON’T kill it 😱 That’s every adult in Kansas wiretapped forever. WhatsApp/Signal jacked, reboot-loop booby-trapped—only a full firmware reflash pays the ransom. Own an old budget Android? Congrats, you’re the product — time to torch it or flash it?

McAfee’s Easter “surprise”: 50 cute Play Store trinkets—cleaners, candy-crush clones, gallery apps—shipped with a stowaway rootkit that hijacks 2016-21 kernel/Mali GPU bugs, ramrods itself into read-only system partitions, and auto-resurrects every 60 seconds.
Result: 2.3 million cheap Androids are now Eternal Wiretaps™ that survive wipes, boot loops, and your naïve hope that “off-brand phone” equals “low-risk phone.”

How it burrows

• 22 exploits (16 kernel + GPU use-after-free chain) → disables SELinux → swaps core runtime libs → drops “Omega” daemon → overwrites crash handler so a reset just re-invites the parasite.
• Fallback images live on /system—OEM-signed, untouchable without a full firmware re-flash.
• C2 pings once a minute, slurping WhatsApp tokens, Signal keys, contacts, even your dusty Google Drive backups.

Impacts—parallel pain edition
Privacy: full chat DB cloned → blackmail buffet, corporate leaks, drunk-text archaeology.
Wallet: only fix is a PC-grade reflash → casual users pay repair shops ≈$60–100 or buy a new burner.
Stability: reset triggers reboot loops; bricked phones pile up in Midwest drawers next to AOL CDs.
Trust: Google Play looked the other way for two years; devs banned after headlines, not before.

Response & gaps
Google yanked the apps, sent “thoughts & prayers” security note. OEMs mumble “patch level 2021-06 or later,” ignoring that 40% of target regions never see an OTA. McAfee teases a free scrubber—sometime. Meanwhile, NoVice keeps dialing home.

Timeline of (maybe) caring

• Q2 2026: phishing wave masquerades as “NoVice remover” apps—infections rebound 15%.
• Q3 2026: Samsung/Xiaomi push mandatory integrity check for system libs; rootkit adoption capped at current 2.3 M.
• 2027: copycat kits pivot to newer Adreno/Radeon zero-days; problem migrates to freshly patched flagships—budget users still screwed.

Bottom line
Your data is the product, your $120 phone is the joke, and factory reset is just the malware’s snooze button. Want privacy? Grab an open-source ROM, a cable, and the guts to void your warranty—because the Play Store won’t save you, and corporate PR sure as hell won’t either.

💥 $4.7B Hasbro Offline: 3.2 TB Logs, 12 Hosts Compromised, Orders Delayed 7 Days

$4.7B toy titan Hasbro just got pwned—3.2 TB of logs, 12 hosts 0wned, e-commerce still on ice 🧊💥 That’s 15-25 % slower Monopoly money while the hackers camp inside like it’s free parking. Gamers & toy hoarders—how long till your pre-order ships?

Hasbro woke up Monday with a hangover and a ransom note. By Friday the company’s still playing whack-a-mole inside its own network while telling the SEC, “Yeah, something’s borked, details later.” Cue 8-K filing, 5,000 workers on duct-taped laptops, and your pre-order for a $250 Optimus Prime stuck in cyber-limbo.

How the hell did a toy giant step on this rake?

• 27 Mar: logs burp anomalies
• 28 Mar: intruder waltzes through 12 hosts before anyone yanks the cable
• 30 Mar: e-commerce, ERP, design vaults—all dark—3.2 TB of logs now bedtime reading for forensics nerds
• 02 Apr: SEC gets the postcard (“Incident? Check. Data gone? Maybe. We’ll ping ya.”)
• Today: attackers still ghosting around like unpaid interns

Impact, translated for humans

Shipping: 7-day delays → your niece’s birthday morphs into tearful meltdown.
Money: breach averages $4.4 M; Hasbro just set aside $10 M for lawyer happy-hour.
Secrets: Monopoly money prints, Transformers CAD files, and every Planeswalker’s DCI number—floating in the void.
Fines: up to $1 M per state if they snail-mail breach letters; EU can slap on extra GDPR spice.

What’s the grown-up response?

• VLAN moats, MFA blitz, SharePoint patch for CVE-2026-21536—check, check, check
• Brand comms stuck in “mum” until forensics proves which data got mugged
• Budget bump 3-5 % for toys like EDR and a SOC that doesn’t sleep through alarms

Timeline of dread

• 0-2 weeks: 80 % of orders limp along; 10 % revenue dip if fix drags past fortnight
• Q2 2026: breach notices bulk-mail; regulators line up for their pound of plastic flesh
• Late-2026: if rebuild finishes, Hasbro’s cyber tab lands ~$15 M; stock shrugs if no customer data confirmed loose

Bottom line

A company that sells pretend wars just got a real one—inside its servers. Until the forensics fairy declares the network clean, every Magic booster, Transformer, and pink Monopoly house is a maybe-breached hostage. Kids still want their toys; hackers just want the receipts.

In Other News

• Naoris Protocol Launches Post-Quantum Mainnet, Processes 106M Transactions with Quantum-Resistant Crypto
• Gardyn Home Kit IoT Devices Exposed 138,000 User Records Due to Unauthenticated API Endpoints