Mercor reports cyberattack linked to compromised LiteLLM open-source project
Mercor says it was hit by a cyberattack linked to a compromised open-source LiteLLM project, raising concerns about AI security and supply chain risks.
AI recruiting startup Mercor has confirmed it was affected by a cybersecurity incident linked to a broader supply chain attack involving the open-source project LiteLLM.
The company said on Tuesday that it was “one of thousands of companies” affected by the compromise of LiteLLM, which has been linked to the hacking group TeamPCP. The confirmation follows claims by the extortion-focused hacking group Lapsus$, which stated that it had targeted Mercor and gained access to internal data.
At this stage, it remains unclear how Lapsus$ may have obtained the data allegedly taken from Mercor in connection with the TeamPCP-linked attack.
Founded in 2023, Mercor provides AI recruiting services and collaborates with companies such as OpenAI and Anthropic to support the training of AI systems. The platform connects organisations with specialised professionals, including scientists, doctors, and legal experts, often sourced from markets such as India. According to the company, it facilitates more than $2 million in daily payouts. Mercor was valued at $10 billion following a $350 million Series C funding round led by Felicis Ventures in October 2025.
A company spokesperson, Heidi Hagberg, stated that Mercor acted quickly to contain and respond to the incident.
“We moved promptly to contain and remediate the issue,” Hagberg said. “We are conducting a thorough investigation supported by leading third-party forensics experts. We will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible.”
Earlier, Lapsus$ had published claims on its leak site asserting responsibility for the breach and shared a sample of what it said was data obtained from Mercor. The sample appeared to include references to Slack-related data, ticketing system information, and two videos that allegedly showed interactions between Mercor’s AI systems and contractors using the platform.
The LiteLLM compromise first came to light last week when malicious code was discovered within a package associated with the Y Combinator-backed project. Although the malicious code was identified and removed within hours, the incident raised concerns due to the widespread adoption of LiteLLM. According to security firm Snyk, the library is downloaded millions of times each day.
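A compromise of this kind, where malicious code ships inside a widely installed package, is the case that hash-pinned lockfiles are meant to catch. The following is an added example written for this article, not code from Mercor, LiteLLM or the article itself: it parses a pip-style requirements file with `--hash=` pins and checks a downloaded artifact's digest against them. The package name `examplepkg`, its version and the artifact bytes are all constructed for the demonstration; the known-good hash is computed at runtime from the constructed artifact rather than being a real published digest.

```python
"""Verify downloaded package artifacts against --hash pins in a requirements file.

Added example (not from the article or the LiteLLM project). 'examplepkg' is a
hypothetical package; the artifact bytes below are constructed for this demo.
"""
import hashlib
import re
from dataclasses import dataclass, field

HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+)", re.IGNORECASE)
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")


@dataclass
class Pin:
    name: str
    version: str
    hashes: dict = field(default_factory=dict)  # algo -> set of hex digests


def normalize(name: str) -> str:
    """Normalize a distribution name the way pip compares them (case, '_' vs '-')."""
    return name.lower().replace("_", "-")


def parse_requirements(text: str) -> dict:
    """Parse '<name>==<version> --hash=algo:digest ...' lines (backslash continuations ok)."""
    pins = {}
    logical = text.replace("\\\n", " ")  # join continuation lines
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        pin = Pin(normalize(m.group("name")), m.group("version"))
        for h in HASH_RE.finditer(line):
            pin.hashes.setdefault(h.group("algo").lower(), set()).add(h.group("digest").lower())
        pins[pin.name] = pin
    return pins


def verify_artifact(name: str, version: str, data: bytes, pins: dict) -> tuple:
    """Return (ok, reason) for an artifact about to be installed.

    Refuses anything that is not pinned, pinned at another version, pinned without a
    hash (cannot verify content), or whose digest is outside the pinned set.
    """
    pin = pins.get(normalize(name))
    if pin is None:
        return False, f"{name}: not pinned in requirements"
    if pin.version != version:
        return False, f"{name}: version {version} differs from pinned {pin.version}"
    if not pin.hashes:
        return False, f"{name}=={version}: pinned without --hash, content unverifiable"
    for algo, digests in pin.hashes.items():
        if hashlib.new(algo, data).hexdigest() in digests:
            return True, f"{name}=={version}: {algo} digest matches pin"
    return False, f"{name}=={version}: digest not in pinned set (tampered or re-uploaded artifact)"


# Constructed artifacts: a known-good wheel and the same wheel with injected bytes.
GOOD_ARTIFACT = b"examplepkg-1.2.3-py3-none-any.whl: known-good contents (constructed)"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\n# injected payload (constructed)"


def sample_requirements() -> str:
    """Constructed lockfile; the sha256 pin is derived from GOOD_ARTIFACT at runtime."""
    good = hashlib.sha256(GOOD_ARTIFACT).hexdigest()
    return (
        "# constructed lockfile for the demo; examplepkg is hypothetical\n"
        "examplepkg==1.2.3 \\\n"
        f"    --hash=sha256:{good}\n"
        "unpinned-dep==0.1.0\n"  # version pin but no hash: content cannot be verified
    )


def demo() -> dict:
    """Run the checks a resolver would apply before installing each artifact."""
    pins = parse_requirements(sample_requirements())
    return {
        "good": verify_artifact("examplepkg", "1.2.3", GOOD_ARTIFACT, pins)[0],
        "tampered": verify_artifact("examplepkg", "1.2.3", TAMPERED_ARTIFACT, pins)[0],
        "wrong_version": verify_artifact("ExamplePkg", "1.2.4", GOOD_ARTIFACT, pins)[0],
        "no_hash": verify_artifact("unpinned_dep", "0.1.0", b"anything", pins)[0],
        "unknown": verify_artifact("otherpkg", "1.0", b"anything", pins)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14s} {'ACCEPT' if ok else 'REJECT'}")
```

In practice this is what `pip install --require-hashes -r requirements.txt` enforces natively; the example exists to make the decision logic visible. The caveat matters for an incident like the one described: a hash pin only detects an artifact that differs from the one recorded at lock time. If malicious code is published as a new release and a routine dependency update regenerates the lockfile against it, the pin will faithfully reproduce the compromised artifact, so pinning has to be paired with review of what changed between lock updates.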
In response to the incident, LiteLLM has updated parts of its compliance framework, including transitioning from startup Delve to Vanta for certification processes.
It is still unknown how many organisations were affected by the LiteLLM-related breach or whether any sensitive data was exposed, as investigations by the companies and security experts involved are ongoing.