Mercor’s Cyberattack: The Fallout of the Open-Source LiteLLM Project Compromise

Mercor Confirms Security Incident Linked to Supply Chain Attack

Mercor, a prominent AI recruiting startup, has verified a security breach associated with a supply chain attack involving the open-source project LiteLLM.

The AI company informed TechCrunch that it was among the numerous organizations impacted by a recent compromise of the LiteLLM project, which was attributed to a hacking group known as TeamPCP. This confirmation comes as the extortion hacking group Lapsus$ claimed to have targeted Mercor and gained access to its data.

The specific method through which the Lapsus$ group obtained the stolen data from Mercor as part of TeamPCP’s cyberattack remains unclear.

Established in 2023, Mercor collaborates with companies like OpenAI and Anthropic to train AI models by enlisting specialized domain experts from markets such as India. The startup facilitates over $2 million in daily payouts and received a valuation of $10 billion after a $350 million Series C round led by Felicis Ventures in October 2025.

Heidi Hagberg, a spokesperson for Mercor, confirmed that the company promptly took action to contain and address the security incident.

Hagberg stated, “We are currently conducting a comprehensive investigation with the support of leading third-party forensics experts. We will maintain direct communication with our customers and contractors and allocate necessary resources to resolve the issue swiftly.”

Earlier, Lapsus$ took credit for the alleged data breach on its leak site and shared a data sample supposedly taken from Mercor, containing references to Slack data, ticketing information, and videos of interactions between Mercor’s AI systems and contractors.

Hagberg declined to respond to further inquiries regarding the connection to Lapsus$’ claims or whether any customer or contractor data had been compromised, accessed, or misused.

The LiteLLM compromise came to light after malicious code was detected in a package belonging to the Y Combinator-backed startup’s open-source project. Although the code was removed swiftly, the incident raised concerns because of how widely LiteLLM is used, with millions of daily downloads, according to security firm Snyk. The event prompted LiteLLM to improve its compliance procedures by transitioning from Delve to Vanta for certification.

The number of companies affected by the LiteLLM incident, and whether data was exposed, remain uncertain as investigations progress.