
Mercor Reports Cyberattack Linked to Open Source LiteLLM Project Compromise

Mercor, an AI recruiting startup, recently confirmed a significant cyberattack linked to the open-source project LiteLLM. The incident involved a supply chain attack attributed to the hacking group TeamPCP. This disclosure was made to TechCrunch on a Tuesday, with Mercor stating they are among numerous companies impacted by the LiteLLM compromise.

Details of the Security Incident

The hacking collective Lapsus$ has also claimed responsibility for targeting Mercor and accessing its data. However, the precise methods used by Lapsus$ to acquire this information remain unclear. Mercor, founded in 2023, collaborates with industry giants such as OpenAI and Anthropic. The startup specializes in training AI models through contracted experts, including scientists, doctors, and lawyers, primarily from India.

Financial Overview

  • Daily payouts exceed $2 million.
  • Valued at $10 billion after a $350 million Series C funding led by Felicis Ventures in October 2025.

Heidi Hagberg, a spokesperson for Mercor, confirmed the company’s rapid response to contain the security breach. “We are conducting a thorough investigation supported by leading third-party forensics experts,” she stated. Continuous communication with customers and contractors is a priority as the situation unfolds.

Response to the Breach

Lapsus$ claimed responsibility for the data breach, publishing a sample of the stolen data on their leak site. This sample reportedly included references to Slack data and ticketing information, along with videos allegedly capturing interactions between Mercor’s AI systems and their contractors.

Investigation into LiteLLM Compromise

The LiteLLM security issue became apparent after malicious code was detected in one of its associated packages. Although this code was removed swiftly, the incident raised alarm due to LiteLLM’s broad usage, with millions of downloads daily, according to security experts at Snyk. In light of the attack, LiteLLM has decided to switch from the controversial startup Delve to Vanta for compliance certification processes.

Ongoing Investigations

The full extent of the data exposure from the LiteLLM-related attacks is still under investigation. It remains uncertain how many companies were affected or if any customer data has been exfiltrated or misused. The situation continues to develop as Mercor and associated stakeholders delve deeper into this severe breach.
