Mercor, a prominent AI recruiting startup valued at $10 billion, has confirmed it was impacted by a cybersecurity incident connected to a recent supply chain attack on the open-source project LiteLLM. The company stated it was "one of thousands of companies" affected by the compromise, which has been linked to a hacking group called TeamPCP.

The confirmation comes as the notorious extortion gang Lapsus$ claimed responsibility for targeting Mercor and gaining access to its data. It remains unclear how Lapsus$ obtained the stolen data as part of TeamPCP's broader cyberattack on LiteLLM.

Startup Responds to Breach Claims

Mercor spokesperson Heidi Hagberg told TechCrunch the company had "moved promptly" to contain and remediate the security incident. "We are conducting a thorough investigation supported by leading third-party forensics experts," said Hagberg. The spokesperson declined to answer follow-up questions on whether the incident was connected to Lapsus$'s claims or if any customer or contractor data was accessed.

Founded in 2023, Mercor works with leading AI firms like OpenAI and Anthropic to train AI models by contracting specialised domain experts, including scientists, doctors, and lawyers, from markets such as India. The startup facilitates more than $2 million in daily payouts and secured a $350 million Series C funding round led by Felicis Ventures in October 2025.

Lapsus$ Shares Alleged Data Sample

Prior to Mercor's statement, Lapsus$ claimed responsibility for the apparent breach on its leak site, sharing a sample of data allegedly taken from the startup. TechCrunch's review of the sample found material referencing Slack data, apparent ticketing information, and two videos purportedly showing conversations between Mercor's AI systems and contractors on its platform.

The malicious code in the LiteLLM package was discovered and removed within hours last week. However, the incident drew significant scrutiny due to LiteLLM's widespread adoption; security firm Snyk notes the library is downloaded millions of times per day. In response, LiteLLM has altered its compliance processes, shifting from Delve to Vanta for certifications.

Ongoing Investigations and Industry Impact

The full scale of the LiteLLM-related incident remains unknown, with investigations continuing to determine how many companies were affected and whether any data exposure occurred. The event highlights the growing risks associated with supply chain attacks targeting critical open-source software infrastructure widely used across the tech industry.

Mercor has committed to continuing communication with its customers and contractors and devoting necessary resources to resolve the matter. The startup's response and the ongoing forensic investigation will be closely watched as a case study in handling sophisticated cyber threats linked to third-party dependencies.