Mercor Reports Cyberattack Linked to Open-Source LiteLLM Project Compromise


Mercor, an AI recruiting startup, confirmed a security incident linked to a supply chain attack involving LiteLLM. The startup informed TechCrunch that it was one of many affected by LiteLLM’s compromise, which has been associated with the hacking group TeamPCP. The confirmation came as extortion group Lapsus$ claimed to have accessed Mercor’s data.

The method by which Lapsus$ acquired Mercor’s data remains unclear. Founded in 2023, Mercor collaborates with companies like OpenAI and Anthropic, contracting experts from diverse fields. The startup enables over $2 million in daily payouts and reached a $10 billion valuation after a $350 million Series C led by Felicis Ventures in 2025.

Mercor spokesperson Heidi Hagberg stated the company acted promptly to manage the situation. “We are conducting a thorough investigation with third-party forensic experts. We’ll keep communicating with customers and contractors and use all necessary resources to resolve the issue quickly,” said Hagberg.

Previously, Lapsus$ claimed the breach on their leak site, sharing a data sample allegedly from Mercor, which TechCrunch reviewed. This included Slack data, ticketing data, and videos of interactions between Mercor’s AI and contractors.

Hagberg did not comment further on connections to Lapsus$ claims or on any accessed, exfiltrated, or misused data.

The LiteLLM compromise emerged last week when malware was found in an open-source package. While it was rapidly removed, it raised concerns due to LiteLLM’s extensive usage, with daily downloads in the millions. The incident led LiteLLM to shift its compliance processes, replacing Delve with Vanta for certifications.

The number of companies affected and the extent of data exposure due to the LiteLLM incident remain unclear as investigations continue.
