Mercor Confirms Data Breach Due to LiteLLM Supply Chain Attack, Lapsus$ Claims Involvement

Mercor Confirms Cyberattack Linked to LiteLLM Open-Source Project Breach

Mercor, a prominent AI recruiting startup, has recently disclosed a security breach connected to a supply chain attack on the open-source project LiteLLM. The company revealed that it is among thousands of organizations impacted by this compromise, which has been attributed to the hacking group TeamPCP. This announcement coincides with claims from the extortionist group Lapsus$, asserting they have accessed Mercor’s data.

The exact method by which Lapsus$ obtained Mercor’s data remains unclear. However, the breach underscores the vulnerabilities inherent in relying on open-source software, especially when such projects become targets for cybercriminals.

Established in 2023, Mercor collaborates with leading AI companies like OpenAI and Anthropic, providing them with specialized domain experts—including scientists, doctors, and lawyers—to train AI models. The startup boasts daily payouts exceeding $2 million and achieved a valuation of $10 billion following a $350 million Series C funding round led by Felicis Ventures in October 2025.

In response to the incident, Mercor’s spokesperson, Heidi Hagberg, stated that the company acted swiftly to contain and address the security breach. “We are conducting a thorough investigation supported by leading third-party forensics experts,” Hagberg said. “We will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible.”

Lapsus$ has claimed responsibility for the data breach on its leak site, sharing samples of data allegedly taken from Mercor. These samples include references to Slack data, ticketing information, and videos purportedly showing interactions between Mercor’s AI systems and contractors on its platform.

The LiteLLM compromise came to light last week when malicious code was discovered in a package associated with the Y Combinator-backed startup’s open-source project. Although the malicious code was identified and removed within hours, the incident has raised concerns due to LiteLLM’s widespread use, with the library being downloaded millions of times daily, according to security firm Snyk.

This event highlights the critical importance of robust security measures and vigilant monitoring when integrating open-source components into organizational infrastructures. Companies must ensure that their supply chains are secure and that they have protocols in place to respond swiftly to potential threats.