Mercor, a popular AI recruiting startup, has identified a security incident involving a supply chain attack involving the open source project LiteLLM.
The AI startup told TechCrunch on Tuesday that it was “one of thousands of companies” affected by the recent compromise of the LiteLLM project, which was linked to a hacking group called TeamPCP. The incident was confirmed after extortion hacking group Lapsus$ claimed it had targeted Mercor and accessed its data.
It was not immediately clear how the Lapsus$ gang obtained the data stolen from Mercor as part of TeamPCP’s cyberattack.
Founded in 2023, Mercor works with companies including OpenAI and Anthropic to contract expert domain experts, including scientists, doctors and lawyers, in markets including India to train AI models. The startup says it has daily payouts of more than $2 million and has achieved a $10 billion valuation following a $350 million Series C round led by Felicis Ventures in October 2025.
Mercor spokeswoman Heidi Hagberg confirmed to TechCrunch that the company took “immediate action” to contain and resolve the security incident.
“We are conducting a thorough investigation with the support of leading third-party forensics experts,” Hagberg said. “We will communicate directly with our customers and contractors as appropriate and commit the resources necessary to resolve the issue as quickly as possible.”
Previously, Lapsus$ claimed responsibility for an apparent data breach on the leak site and shared data samples purportedly taken from Mercor, which TechCrunch reviewed. The sample includes material referencing Slack data, what appears to be ticketing data, and two videos purporting to show conversations between Mercor’s AI systems and contractors on the platform.
Tech Crunch Event
San Francisco, California
|
October 13-15, 2026
Hagberg declined to answer follow-up questions about whether the incident was related to Lapsus$’s claims or whether customer or contractor data was accessed, leaked or misused.
The LiteLLM compromise originally surfaced last week after malicious code was discovered in a package associated with the Y Combinator-backed startup’s open source project. Although the malware was identified and removed within hours, the incident came under close scrutiny because LiteLLM was so widely used on the Internet that the library was downloaded millions of times a day, according to security firm Snyk. The incident prompted LiteLLM to change its compliance processes, including switching from controversial startup Delve to Vanta for compliance certification.
As the investigation continues, it is unclear how many companies were affected by the LiteLLM-related incident or whether any data exposure occurred.
