A recent Mercor cyberattack has brought renewed attention to the risks associated with open-source software dependencies, after the AI recruiting startup confirmed it was impacted by a broader supply chain compromise. The Mercor data breach, which is still under investigation, has been linked to a malicious incident involving the widely used LiteLLM project.
In a conversation with The Cyber Express, a Mercor spokesperson explained the details of the incident. According to the spokesperson, Mercor is in the “early stages of a thorough investigation assisted by third-party forensics experts and will provide details directly to you as appropriate. We can say there has been a limited impact on our operations. We are devoting the resources necessary to resolving the matter and appreciate your understanding and patience.”
The data breach at Mercor stems from a security incident tied to LiteLLM, an open-source project used extensively across the AI ecosystem. Mercor acknowledged that it was “one of thousands of companies” affected by the compromise, which has been attributed to a hacking group known as TeamPCP. This Mercor cyberattack highlights the growing threat of supply chain attacks, where attackers infiltrate widely used software components to gain access to multiple targets at once.
The situation became more complex when the extortion-focused hacking group Lapsus$ claimed responsibility for targeting Mercor and accessing its data. However, it remains unclear how Lapsus$ obtained the information or whether it directly leveraged the LiteLLM vulnerability as part of the Mercor data breach. The lack of clarity has added to the uncertainty surrounding the scope and impact of the incident.
Company Background and Scale of Operations
Founded in 2023, Mercor has rapidly positioned itself as a key player in the AI talent ecosystem. The company collaborates with major AI firms, including OpenAI and Anthropic, to help train machine learning models. It does so by connecting organizations with specialized professionals such as scientists, doctors, and lawyers, many of whom are based in global markets like India.
Mercor has reported facilitating more than $2 million in daily payouts to its network of contractors. Its growth trajectory has been notable, with the company reaching a $10 billion valuation following a $350 million Series C funding round led by Felicis Ventures in October 2025. This scale makes the data breach at Mercor particularly significant, as any disruption or exposure could potentially affect a large network of users and partners.
Response to the Mercor Cyberattack
In response to the Mercor cyberattack, company spokesperson Heidi Hagberg stated that the organization acted quickly to contain the issue. She noted that Mercor had “moved promptly” to address the incident and limit its potential impact.
“We are conducting a thorough investigation supported by leading third-party forensics experts,” Hagberg said. “We will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible.”
This response indicates that Mercor is treating the data breach as urgent, although specific details about the extent of the breach or the type of data potentially exposed have not yet been disclosed.
Origins of the LiteLLM Security Incident
The root cause of the data breach at Mercor can be traced back to the LiteLLM project, where malicious code was discovered in one of its packages. The issue first came to light the previous week and was addressed within hours of detection. Despite the swift response, the incident raised alarms due to LiteLLM’s widespread adoption.
According to security firm Snyk, LiteLLM is downloaded millions of times per day, making it a critical component in many AI workflows. The scale of its usage meant that even a brief compromise could have far-reaching consequences, as seen in the Mercor cyberattack and similar incidents affecting other organizations.
In the aftermath, LiteLLM initiated changes to its compliance and security processes. One notable adjustment included transitioning its compliance certifications from Delve to Vanta, reflecting an effort to strengthen oversight and rebuild trust following the breach.
Ongoing Investigation and Unanswered Questions
Despite the available information, several key questions remain unanswered about the Mercor data breach. It is still unclear how many companies were ultimately impacted by the LiteLLM compromise or whether sensitive data was definitively exposed in the case of Mercor.
At the time of reporting, no additional official statements have been released beyond what Mercor shared with media outlets such as TechCrunch. Attempts to obtain further details have not yielded new information, leaving the full scope of the data breach at Mercor uncertain.
The Mercor cyberattack highlights how well-established companies can be affected by weaknesses in third-party tools, particularly those that are widely adopted across industries. The Mercor data breach remains an ongoing situation, with cybersecurity experts and industry observers closely monitoring developments. Further updates are expected as more information becomes available about the attack, its origins, and its broader implications.
