Cyberattack Unfolds
Mercor, a prominent AI recruiting startup, has officially acknowledged a substantial security breach, attributing the incident to a supply chain attack
originating from the open-source project LiteLLM. The company disclosed that it was among thousands of entities affected by this compromise, which has been linked to the hacking collective known as TeamPCP. This confirmation emerges as the notorious extortion group Lapsus$ has claimed responsibility for targeting Mercor and purportedly accessing its sensitive data. The precise method by which Lapsus$ acquired the compromised data from Mercor, following TeamPCP's cyberattack, remains unclear at this juncture. Mercor, a company founded in 2023, collaborates with major AI players like OpenAI and Anthropic, facilitating the training of AI models by engaging specialized domain experts from diverse fields such as science, medicine, and law, particularly from markets like India. The startup handles over $2 million in daily payouts and achieved a valuation of $10 billion after securing a $350 million Series C funding round in October 2025, led by Felicis Ventures. A spokesperson for Mercor, Heidi Hagberg, confirmed to TechCrunch that the company acted swiftly to contain and address the security incident. She stated that a comprehensive investigation is being conducted, with support from leading third-party forensic experts, and that Mercor would continue to communicate with its customers and contractors appropriately, dedicating necessary resources to resolve the matter promptly.
Lapsus$ Claims & LiteLLM's Role
The extortion group Lapsus$ has asserted its involvement in the apparent data breach affecting Mercor, publicizing their claims on their leak site and presenting what they allege to be a sample of data pilfered from Mercor. This sample, reviewed by TechCrunch, contained references to Slack data, ticketing information, and two purported video recordings of conversations between Mercor's AI systems and contractors using its platform. Mercor's spokesperson, Heidi Hagberg, declined to elaborate on specific follow-up questions regarding a potential connection to Lapsus$' claims or whether any customer or contractor data was accessed, exfiltrated, or misused. The compromise within LiteLLM initially came to light the previous week when malicious code was detected within a package associated with the Y Combinator-backed startup's open-source project. Although the malicious code was identified and purged within a few hours, the incident garnered significant attention due to LiteLLM's extensive usage across the internet, with the library reportedly downloaded millions of times daily, according to security firm Snyk. This event prompted LiteLLM to revise its compliance procedures, including a transition from the controversial startup Delve to Vanta for its compliance certifications. It is still undetermined how many organizations were impacted by the LiteLLM-related incident or if any data exposure occurred, as the investigations continue to unfold.