What caused the Mercor security incident?

The incident was caused by a supply chain attack involving the compromise of the open-source project LiteLLM, where malicious code was injected into a package.

Which threat actors are involved in the Mercor breach?

The hacking group TeamPCP is linked to the initial LiteLLM compromise, while the Lapsus$ extortion group claims to have accessed and stolen data from Mercor.

What types of data were allegedly stolen from Mercor?

The compromised data reportedly includes internal Slack communications, ticketing data, and video recordings of conversations between AI systems and contractors.

How did Mercor respond to the cyberattack?

Mercor contained the incident, hired third-party forensics experts for an investigation, and began communicating directly with affected customers and contractors.

What are the security recommendations for preventing similar supply chain attacks?

Organizations should implement Software Bill of Materials (SBOM) tracking, use automated dependency scanning, and enforce strict egress filtering to detect and prevent malicious code execution in third-party libraries.

Incident

Mercor AI Startup Hit by Supply Chain Attack via LiteLLM Compromise

published: April 1, 2026

Learn More

Mercor, a San Francisco-based AI recruiting startup, reports a data breach from a supply chain attack targeting the open-source project LiteLLM.

The breach traces to late March 2026, when TeamPCP compromised the Trivy vulnerability scanner via a misconfigured GitHub Actions workflow, obtaining the PyPI publishing token for LiteLLM and uploaded two malicious versions to the public registr and adding malware designed to steal SSH keys, .env files, cloud provider credentials, cryptocurrency wallets, and AI API keys.

The Lapsus$ group has since claimed responsibility for a massive data theft from Mercor, listing 4TB of data for auction on the dark web.

The allegedly exposed data includes:

939GB of source code,
211GB user database containing resumes and personal data,
3TB of storage buckets (video interviews and identity verification documents),
TailScale VPN data,
KYC (Know Your Customer) documents.

The exact number of affected individuals has not been disclosed. Mercor claims that it contained and remediated the security incident. They are now conducting an investigation with the support of leading third-party forensic experts.

Other details are not available.

Mercor AI Startup Hit by Supply Chain Attack via LiteLLM Compromise

Read More
CrowdStrike fires employee being caught sharing screenshots with …
Tenable reports being affected by the Salesloft Drift …
Australian company Iress reports unauthorized access to their …
Indian bike-taxi aggregato Rapido leaks user, driver data
FlightAware reports leaking user data for years because …