Mercor, a ten billion dollar artificial intelligence recruiting firm, recently confirmed a major data breach originating from a supply chain attack on the open-source LiteLLM project. The incident has impacted thousands of global organizations relying on the library, with the Lapsus hacking group claiming to have stolen sensitive internal communications, ticketing data, and platform interaction videos.

Mercor recently confirmed it fell victim to a significant cyberattack after malicious code was injected into LiteLLM, a widely used open-source library that many companies utilize for their artificial intelligence operations. The breach has sent ripples through the tech industry because LiteLLM serves as a critical infrastructure component for thousands of businesses worldwide. While the initial compromise of the code has been attributed to a group known as TeamPCP, the high-profile extortion collective Lapsus later claimed responsibility for the actual theft of data from Mercor's systems.

The hackers allegedly gained access to a vast repository of sensitive internal information, including the company’s Slack communications and various ticketing systems. Lapsus also claimed to have exfiltrated video recordings of user interactions within the Mercor platform, raising significant privacy concerns for both the company and its clients. This variety of stolen data suggests the attackers had deep visibility into the startup's internal operations and day-to-day business logic before the breach was discovered.

In response to the detection of the unauthorized activity, Mercor immediately initiated its incident response protocols to secure its environment. The company brought in third-party forensic experts to conduct a comprehensive investigation into the scope of the leak and to ensure that the malicious entry points were fully closed. Containment procedures were prioritized to prevent further data exfiltration and to protect the integrity of their recruiting platform and client data.

The exact nature of the relationship between TeamPCP and Lapsus remains a point of investigation for cybersecurity analysts. It is currently unclear if the groups collaborated directly or if Lapsus$ simply took advantage of a vulnerability originally exploited by the other party. This ambiguity highlights the complex and often overlapping nature of modern cybercriminal ecosystems, where one group may handle the initial breach while another focuses on the subsequent extortion and data distribution.

As the investigation continues, the incident serves as a stark reminder of the risks associated with supply chain vulnerabilities in the artificial intelligence sector. Even a multi-billion dollar startup can be compromised through its reliance on shared open-source tools if those tools are successfully targeted. Mercor is expected to continue working with law enforcement and security specialists to mitigate the fallout and strengthen its defenses against future sophisticated injections and unauthorized access attempts.

Source: https://techcrunch.com/2026/03/31/mercor-says-it-was-hit-by-cyberattack-tied-to-compromise-of-open-source-litellm-project/