AI Recruiting Unicorn Mercor Hit by Major Supply Chain Hack

By the Technology Desk thenews9.org

Mercor, a highly valued artificial intelligence recruiting startup, has officially confirmed a security incident following a sweeping supply chain attack. The breach, which stems from a compromised open-source project called LiteLLM, highlights the growing vulnerabilities within the AI development ecosystem.

Mercor, which recently reached a staggering $10 billion valuation following a $350 million Series C funding round in October 2025, is a critical player in the AI pipeline. The company partners with industry heavyweights like OpenAI and Anthropic to train AI models by connecting them with specialized domain experts—ranging from scientists to doctors and lawyers. With more than $2 million in daily payouts to contractors, the startup’s data pool is a highly lucrative target.

The LiteLLM Supply Chain Attack

The breach was not a direct assault on Mercor’s internal servers, but rather a sophisticated supply chain attack. The vulnerability originated within LiteLLM, a massively popular open-source project used widely across the internet.

Security researchers discovered that a hacking collective known as TeamPCP successfully injected malicious code into a LiteLLM software package. Because the library is downloaded millions of times per day, the malicious code was inadvertently integrated into the systems of countless organizations. Mercor admitted it is just “one of thousands of companies” affected by the compromised code.

LiteLLM identified and removed the malicious package within hours of its discovery. In the aftermath, the Y Combinator-backed startup has overhauled its security protocols, shifting its compliance certifications from the controversial startup Delve to Vanta.

The Lapsus$ Extortion Threat

The situation for Mercor has been further complicated by the involvement of the notorious extortion hacking group Lapsus$. The gang recently took to its dark web leak site to claim responsibility for possessing Mercor’s stolen data.

To back up their claims, Lapsus$ published a sample of the allegedly exfiltrated data. The leaked materials reportedly include internal Slack communications, IT ticketing data, and highly sensitive video recordings of conversations between Mercor’s AI systems and its platform contractors.

Currently, cybersecurity experts are trying to determine exactly how Lapsus$ obtained this data from the initial TeamPCP supply chain attack.

Mercor’s Ongoing Investigation

Mercor has acknowledged the breach but remains tight-lipped about the specifics of the data loss.

Company spokesperson Heidi Hagberg confirmed that Mercor “moved promptly” to contain the threat and has brought in leading third-party forensics experts to conduct a thorough investigation. “We will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible,” Hagberg stated.

However, Mercor declined to officially confirm whether the data leaked by Lapsus$ is authentic, or whether specific customer and contractor information has been permanently exfiltrated.

As investigations continue, the tech industry is bracing for a potential ripple effect. With LiteLLM deeply embedded in the infrastructure of thousands of companies, Mercor may simply be the first domino to fall in a much larger cybersecurity crisis.