Mercor, a prominent AI recruiting startup, has officially confirmed a security incident stemming from a supply chain attack that impacted the open-source project LiteLLM.
The AI startup informed TechCrunch on Tuesday that it was among "thousands of companies" affected by the recent compromise of the LiteLLM project, an event linked to a hacking collective known as TeamPCP. The confirmation coincides with claims by the extortion group Lapsus$, which asserted that it had targeted Mercor and gained access to its data.
The exact method by which the Lapsus$ gang obtained Mercor's stolen data, particularly in connection with TeamPCP’s cyberattack, is not immediately clear.
Established in 2023, Mercor collaborates with major entities like OpenAI and Anthropic, facilitating the training of AI models by contracting specialized domain experts, including scientists, doctors, and lawyers, from various global markets such as India. The startup reports processing over $2 million in daily payouts and achieved a valuation of $10 billion following a $350 million Series C funding round led by Felicis Ventures in October 2025.
Heidi Hagberg, a spokesperson for Mercor, assured TechCrunch that the company "moved promptly" to contain and mitigate the security breach.
"We are conducting a thorough investigation supported by leading third-party forensics experts," Hagberg stated. She added, "We will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible."
Previously, Lapsus$ had claimed responsibility for the apparent data breach on its leak site, where it shared a sample of data purportedly exfiltrated from Mercor. TechCrunch reviewed this sample, which contained material referencing Slack data, what appeared to be ticketing data, and two videos allegedly depicting conversations between Mercor’s AI systems and contractors on its platform.
Hagberg declined to respond to further inquiries regarding whether the incident was connected to Lapsus$’s claims, or if any customer or contractor data had been accessed, exfiltrated, or misused.
The compromise of LiteLLM initially came to light last week after malicious code was discovered in a package belonging to the Y Combinator-backed startup's open-source project. Although the malicious code was identified and removed within hours, the incident drew significant attention because of LiteLLM's widespread use: the library is downloaded millions of times daily, according to security firm Snyk. The incident also prompted LiteLLM to revise its compliance processes, notably moving its compliance certifications from the contentious startup Delve to Vanta.
As investigations proceed, it remains uncertain how many companies were impacted by the LiteLLM-related incident or whether any data exposure ultimately occurred.
The Editorial Staff at AIChief is a team of professional content writers with extensive experience in AI and marketing. Founded in 2025, AIChief has quickly grown into the largest free AI resource hub in the industry.