AI Recruiting Firm Mercor Confirms Security Breach Following Supply Chain Attack
AI recruiting company Mercor has acknowledged falling victim to a cybersecurity incident stemming from a supply chain compromise targeting the open-source LiteLLM platform. The breach has drawn attention as the notorious hacking collective Lapsus$ has claimed responsibility for accessing the company’s internal systems and data.
The startup disclosed on Tuesday that it was among numerous organizations impacted by the recent security compromise of LiteLLM, which investigators have traced back to a cybercriminal group known as TeamPCP. While Mercor confirmed its involvement in the broader incident, the exact mechanism by which Lapsus$ obtained access to the company’s sensitive information remains unclear.
Established in 2023, Mercor operates as an intermediary connecting major technology firms like OpenAI and Anthropic with specialized professionals including medical practitioners, legal experts, and scientists primarily from Indian markets for AI model development purposes. The platform processes over $2 million in daily transactions and achieved a remarkable $10 billion valuation after securing $350 million in Series C funding led by Felicis Ventures in October 2025.
Company representative Heidi Hagberg stated that Mercor took immediate action upon discovering the security breach. The organization has engaged external cybersecurity specialists to conduct a comprehensive forensic examination of the incident.
“We are conducting a thorough investigation supported by leading third-party forensics experts,” Hagberg explained. “We will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible.”
The Lapsus$ group has publicly claimed credit for the data breach through their leak platform, sharing samples of allegedly stolen information. The leaked materials reportedly include internal Slack communications, support ticket records, and video recordings that appear to show interactions between Mercor’s artificial intelligence systems and platform users.
When pressed for additional details, Hagberg declined to confirm whether the incident was directly connected to Lapsus$’s claims or specify whether customer or contractor information had been compromised, stolen, or misused during the breach.
The underlying LiteLLM security incident emerged last week when researchers identified malicious code embedded within packages related to the Y Combinator-supported project. Although the harmful code was detected and eliminated within hours of discovery, the incident raised significant concerns given LiteLLM’s extensive adoption across the internet, with millions of daily downloads according to security company Snyk.
The breach prompted LiteLLM to overhaul its security protocols, including terminating its relationship with compliance provider Delve in favor of Vanta for certification services. However, the full scope of the supply chain attack remains under investigation, with the total number of affected organizations and potential data exposure still undetermined.
Photo by Jake Walker on Unsplash