Organisation · US

BerriAI

The commercial parent company of LiteLLM, an open-source LLM proxy; named as a victim in UNC6780's 2026 AI-infrastructure intrusion campaign.

Last refreshed: 20 May 2026 · Appears in 1 active topic

Key Question

BerriAI's AWS environment was in UNC6780's scope; which enterprise customers need to rotate API keys?

Timeline for BerriAI

#48 May

LiteLLM SQL injection hits in 36 hours

Cybersecurity: Threats and Defences
Common Questions
What is BerriAI and was customer data compromised?
BerriAI is the commercial company behind the LiteLLM open-source AI proxy. GTIG named it as a victim of UNC6780's May 2026 intrusion via SANDCLOCK-stolen AWS credentials. The scope of customer data accessed inside BerriAI's commercial infrastructure has not been publicly confirmed. Source: GTIG
Is BerriAI the same as LiteLLM?
BerriAI is the commercial company that owns and publishes LiteLLM, an open-source LLM proxy library. BerriAI sells managed and hosted versions of LiteLLM to enterprises. Both were named as victims in UNC6780's May 2026 intrusion, though the open-source library and the commercial hosting environment represent distinct breach surfaces. Source: GTIG

Background

BerriAI is the US-based commercial company that owns and develops the LiteLLM open-source LLM proxy library, selling managed and hosted versions of the product to enterprise customers. In May 2026 Google's Threat Intelligence Group named BerriAI as a victim alongside the open-source LiteLLM library in UNC6780's intrusion campaign. UNC6780 used SANDCLOCK-stolen AWS keys and GitHub tokens to access BerriAI's commercial infrastructure beyond the open-source codebase, with the full scope of data accessed inside BerriAI's AWS environment not confirmed as of the GTIG report.

BerriAI's commercial position places it in the emerging LLM-gateway vendor category, competing with Cloudflare AI Gateway and enterprise AI management platforms from established cloud providers. The GTIG report's mention of BerriAI as a victim widens the impact of the LiteLLM CVE-2026-42208 intrusion from an open-source library breach to a commercial vendor compromise with potential access to customer usage data, API keys, and integration configurations stored in BerriAI's managed service.

For enterprise customers running LiteLLM through BerriAI's commercial hosting, the question GTIG's report raises but does not answer is whether SANDCLOCK-harvested AWS credentials gave UNC6780 access to customer API keys, model routing configurations, or query logs stored in BerriAI's cloud environment. BerriAI had not issued a public breach disclosure or scope assessment at the time of the GTIG publication.

Source Material