AI Interview startup, Mercor AI breached via LiteLLM supply chain attack. Lapsus$ claims 4TB data breached including 211 GB candidate records and 3TB of video interviews

On March 24, 2026, Mercor AI was reportedly affected by a breach linked to the hacking group Lapsus$. The incident is believed to have originated from a supply chain attack involving a compromised LiteLLM package, which may have been inadvertently pulled by one of Mercor’s AI agents.

Through this vector, attackers allegedly gained access to internal systems, including Tailscale VPN credentials, and exfiltrated approximately 4TB of data. The leaked data reportedly included 211GB of candidate records, 939GB of source code, and around 3TB of video interviews and identity documents.

In a public statement on X (formerly Twitter), Mercor said that it had identified itself as one of many companies impacted by the LiteLLM supply chain attack. The company added that its security team acted quickly to contain the breach and begin remediation efforts. Possible attack chain pathway linked.

submitted by /u/raptorhunter22

Cisco source code stolen by ShinyHunters via Trivy supply-chain attack. AWS keys breached, 300+ repos cloned and more

Cisco reportedly suffered a breach of its internal development environment after attackers leveraged credentials stolen during the recent Trivy supply-chain compromise. More details linked with sample data

submitted by /u/raptorhunter22

CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails

1 April 2026 at 16:10
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE. As part of the attacks, the threat actors, tracked as UAC-0255, sent emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive

r/netsec monthly discussion & tool thread

Questions regarding netsec and discussion related directly to netsec are welcome here, as is sharing tool links.

Rules & Guidelines

  • Always maintain civil discourse. Be awesome to one another - moderator intervention will occur if necessary.
  • Avoid NSFW content unless absolutely necessary. If used, mark it as being NSFW. If left unmarked, the comment will be removed entirely.
  • If linking to classified content, mark it as such. If left unmarked, the comment will be removed entirely.
  • Avoid use of memes. If you have something to say, say it with real words.
  • All discussions and questions should directly relate to netsec.
  • No tech support is to be requested or provided on r/netsec.

As always, the content & discussion guidelines should also be observed on r/netsec.

Feedback

Feedback and suggestions are welcome, but don't post it here. Please send it to the moderator inbox.

submitted by /u/albinowax

AI-Generated Calendar Event Phishing w/ Dynamic Landing Pages

It’s crazy how things come full circle more than a decade later.

About a decade ago, I got interested in calendar phishing after seeing Beau Bullock’s work at BHIS. Around that time, I built and shared some of my own Graph API scripts for calendar phishing, added support for it in my open source PhishAPI tool, and even introduced the idea to KnowBe4 so they could eventually bring it into phishing training for clients (which Kevin Mitnick himself used Beau's command-line tool to demonstrate).

I brought it to their attention at a client’s request after using the technique successfully on them, during a time when calendar phishing was still largely overlooked as a real-world attack path.

Back then, it was still niche enough that plenty of defenders were not thinking about calendar invites as a phishing channel at all.

More than a decade later, I’m still refining the concept, now as part of the commercial PhishU Framework.

I’m happy to say the Framework fully supports Calendar Event phishing again, but now in a much more usable way:

  • Native calendar event workflow
  • Simple WYSIWYG w/ AI-generated timing suggestions and content
  • As easy as selecting the Calendar Event template
  • Automatically tied into training when used in a campaign

It’s built for red teams and security teams that want realistic phishing assessments, including credential and session capture paths, not just allow-list-only email testing.

submitted by /u/IndySecMan

Block the Prompt, Not the Work: The End of "Doctor No"

1 April 2026 at 12:46
There is a character that keeps appearing in enterprise security departments, and most CISOs know exactly who that is. It doesn’t build. It doesn’t enable. Its entire function is to say "No." No to ChatGPT. No to DeepSeek. No to the file-sharing tool the product team swears by. For years, this looked like security. But in 2026, "Doctor No" is no longer just a management headache &

Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures

1 April 2026 at 12:36
A multi-pronged phishing campaign is targeting Spanish-speaking users in organizations across Latin America and Europe to deliver Windows banking trojans like Casbaneiro (aka Metamorfo) via another malware called Horabot. The activity has been attributed to a Brazilian cybercrime threat actor tracked as Augmented Marauder and Water Saci. The e-crime group was first documented by Trend Micro in
