Mercor confirms it was hit by LiteLLM supply chain attack as Lapsus$ claims 4TB data theft

Mercor says it was hit by cyberattack tied to compromise of open-source LiteLLM project | TechCrunch

Mercor, a popular AI recruiting startup, has confirmed a security incident linked to a supply chain attack involving the open-source project LiteLLM. The AI startup told TechCrunch on Tuesday that it was "one of thousands of companies" affected by a recent compromise of LiteLLM's project, which was linked to a hacking group called TeamPCP. Confirmation of the incident comes as extortion hacking group Lapsus$ claimed it had targeted Mercor and gained access to its data. It's not immediately clear how the Lapsus$ gang obtained the stolen data from Mercor as part of TeamPCP's cyberattack. Founded in 2023, Mercor works with companies including OpenAI and Anthropic to train AI models by contracting specialized domain experts such as scientists, doctors, and lawyers from markets including India. The startup says it facilitates more than $2 million in daily payouts and was valued at $10 billion following a $350 million Series C round led by Felicis Ventures in October 2025. Mercor spokesperson Heidi Hagberg confirmed to TechCrunch that the company had "moved promptly" to contain and remediate the security incident. "We are conducting a thorough investigation supported by leading third-party forensics experts," said Hagberg. "We will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible." Earlier, Lapsus$ claimed responsibility for the apparent data breach on its leak site and shared a sample of data allegedly taken from Mercor, which TechCrunch reviewed. The sample included material referencing Slack data and what appeared to be ticketing data, as well as two videos purportedly showing conversations between Mercor's AI systems and contractors on its platform. Hagberg declined to answer follow-up questions on whether the incident was connected to claims by Lapsus$, or whether any customer or contractor data had been accessed, exfiltrated, or misused. The compromise of LiteLLM originally surfaced last week after malicious code was discovered in a package associated with the Y Combinator-backed startup's open-source project. While the malicious code was identified and removed within hours, the incident drew scrutiny due to LiteLLM's widespread use around the internet, with the library downloaded millions of times per day, per security firm Snyk. The incident also prompted LiteLLM to make changes to its compliance processes, including shifting from controversial startup Delve to Vanta for compliance certifications. It remains unclear how many companies were affected by the LiteLLM-related incident or whether any data exposure occurred, as investigations continue.

Mercor says it was 'one of thousands' hit in LiteLLM attack

AI hiring startup Mercor confirmed it was "one of thousands of companies" affected by the LiteLLM supply-chain attack as the fallout from the Trivy compromise continues to spread. "We recently identified that we were one of thousands of companies impacted by a supply chain attack involving LiteLLM," Mercor said on social media in a Tuesday post. "Our security team moved promptly to contain and remediate the incident," the statement continued, adding that it's conducting a "thorough investigation" with the help of third-party forensics experts, and will "devote the resources necessary to resolving the matter as soon as possible." The company's admission follows claims by extortion crew Lapsus$, later shared on social media by researcher Dominic Alvieri, that it stole 4 TB, including 939 GB of Mercor source code, plus other data, from the AI recruiting firm, and offered to sell the purloined files to the highest bidder. While Mercor's statement didn't say how Lapsus$ gained access to its company data following the LiteLLM compromise, last week Wiz security researchers told The Register that "high-profile extortion groups like Lapsus$" were now working with the TeamPCP, the crew believed to be responsible for the Trivy, LiteLLM, and other popular open source project supply chain attacks. Mercor did not immediately respond to our inquiries. Following a report that TeamPCP also breached Cisco's internal development environment and stole source code from credentials swiped via the Trivy attack, Cisco told The Register that it is "aware of the Trivy supply-chain issue that is affecting the industry." "We promptly launched an assessment and based on our investigation to date, we have not seen any evidence of impact on our customers, products, or services," a spokesperson told us. "We continue to investigate and closely monitor this situation and will follow our well-established procedures for addressing these types of issues and communicating with our customers as appropriate." Cisco twice declined to answer this question: Were any of Cisco's systems accessed by the attackers? TeamPCP compromised Trivy, an open source vulnerability scanner maintained by Aqua Security in late February, and, a month later, injected credential-stealing malware into the scanner. Later in March, the same crew injected the same malware into open source static analysis tool KICS maintained by Checkmarx, and also published malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI). After all of these attacks, Google-owned cloud security shop Wiz said its researchers "saw indications in Cloud, Code, and Runtime evidence that the credentials and secrets stolen in the supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data." So while Mercor is the first downstream company to publicly confirm it was a victim of the compromises, it won't be the last. Threat hunters at vx-underground estimate the data thieves have exfiltrated data and secrets from 500,000 machines, and last week at RSA Conference, Mandiant Consulting CTO Charles Carmakal told reporters that the Google-owned incident response biz knew of "over 1,000 impacted SaaS environments" that were "actively" dealing with the cascading effect of the TeamPCP supply chain attacks. "That 1,000-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000," Carmakal said. "And we know that these actors are collaborating with a number of other actors right now."