Mercor Confirms Cyberattack Tied to LiteLLM Supply‑Chain Compromise
Incident Overview
Mercor, a startup that helps companies train artificial‑intelligence models by contracting specialized experts, confirmed that it was impacted by a recent cyberattack that originated from a supply‑chain compromise of the open‑source LiteLLM project, a Python library that gives applications a single interface to many large‑language‑model provider APIs. The company told TechCrunch that it was "one of thousands of companies" affected after malicious code was discovered in a package associated with LiteLLM. The supply‑chain intrusion was linked to a hacking group known as TeamPCP. Separately, the extortion group Lapsus$ claimed responsibility for targeting Mercor and posted a sample of data it said it had taken from the company; whether the two events are connected has not been confirmed.
The leaked sample included references to Slack communications, ticketing data, and two videos that appeared to show conversations between Mercor’s AI systems and contractors on its platform. While the authenticity of the entire data set was not independently verified, TechCrunch reviewed the sample and reported its contents. Mercor’s spokesperson, Heidi Hagberg, declined to confirm whether the Lapsus$ claim was directly connected to the TeamPCP‑related supply‑chain attack or whether any customer or contractor data had been accessed, exfiltrated, or misused.
Company Background and Scale
Founded in 2023, Mercor works with high‑profile AI firms, including OpenAI and Anthropic, to provide domain‑specific expertise from professionals such as scientists, doctors, and lawyers. The startup reports facilitating more than $2 million in daily payouts to its contractors. Following a $350 million Series C round led by Felicis Ventures in October 2025, Mercor was valued at $10 billion.
Response and Ongoing Investigation
According to Hagberg, Mercor moved promptly to contain and remediate the security incident. The company engaged leading third‑party forensics experts to conduct a thorough investigation and pledged to keep customers and contractors informed as appropriate. Mercor also stated that it would devote the necessary resources to resolve the matter as quickly as possible.
The LiteLLM compromise itself was discovered last week, and the malicious code was removed within hours. Even a window of a few hours matters here: the library is downloaded millions of times per day, according to security firm Snyk, so any environment or automated build that pulled the package while the malicious version was live would have installed it. In response, LiteLLM announced changes to its compliance processes, switching from a controversial compliance partner to Vanta for certifications. It remains unclear how many organizations were affected by the LiteLLM‑related breach or whether any data exposure occurred, as investigations continue.
Overall, the situation underscores the growing risk of supply‑chain attacks on widely used open‑source components. It also highlights a practical challenge for responders: when one actor is tied to the upstream compromise and a second actor claims the downstream extortion, a company must investigate both the package it installed and the access that followed before it can say what was actually taken.