Mercor Confirms Security Breach Linked to LiteLLM Incident
Mercor, a notable startup in the AI recruiting sector, has acknowledged a security breach resulting from a supply chain attack on the popular open-source project LiteLLM.
Details of the Incident
In a statement to TechCrunch on Tuesday, a representative from Mercor explained that the company was “one of thousands of companies” impacted by the compromise of the LiteLLM project, a situation traced back to a hacking group known as TeamPCP. Interestingly, the incident follows claims from the extortion hacking group Lapsus$, who stated they had breached Mercor and accessed sensitive data.
As of now, it remains unclear exactly how Lapsus$ obtained the stolen Mercor data, and in particular how that theft relates to TeamPCP’s attack on LiteLLM.
About Mercor
Founded in 2023, Mercor collaborates with leading organizations such as OpenAI and Anthropic to refine AI models. They achieve this by enlisting specialized domain experts, including scientists, doctors, and lawyers, particularly from markets like India. The startup reportedly facilitates over $2 million in daily payouts and was valued at a staggering $10 billion following a $350 million Series C investment led by Felicis Ventures in October 2025.
Company Response and Investigation
Heidi Hagberg, a spokesperson for Mercor, confirmed to TechCrunch that the company took immediate action to contain and address the security issue. “We are conducting a thorough investigation supported by leading third-party forensics experts,” she stated. “We will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible.”
Earlier, Lapsus$ took responsibility for the data breach, posting a sample of the allegedly stolen information on their leak site. TechCrunch has reviewed this sample, which included data related to Slack communications and ticketing, alongside two videos appearing to show interactions between Mercor’s AI systems and its contractors.
Investigation into LiteLLM
The LiteLLM compromise became public last week after malicious code was found within a package linked to the Y Combinator-backed project. Although the harmful code was identified and removed within hours, the event has captured significant attention due to the extensive use of LiteLLM, which boasts millions of downloads each day, as reported by security firm Snyk. Following the incident, LiteLLM announced they would adjust their compliance practices, transitioning from the controversial startup Delve to Vanta for compliance certifications.
As investigations continue, it remains uncertain how many companies have been affected by the LiteLLM-related issue or whether any data exposure has taken place.