Image Credits: Jagmeet Singh / TechCrunch
6:42 PM PDT · March 31, 2026
Mercor, a celebrated AI recruiting startup, has confirmed a security incident linked to a supply chain attack involving the open-source project LiteLLM.
The AI startup told TechCrunch on Tuesday that it was “one of thousands of companies” affected by a recent compromise of LiteLLM’s project, which was linked to a hacking group called TeamPCP. Confirmation of the incident comes as extortion hacking group Lapsus$ claimed it had targeted Mercor and gained access to its data.
It’s not immediately clear how the Lapsus$ gang obtained the stolen data from Mercor as part of TeamPCP’s cyberattack.
Founded in 2023, Mercor works with companies including OpenAI and Anthropic to train AI models by contracting specialized domain experts such as scientists, doctors, and lawyers from markets including India. The startup says it facilitates more than $2 million in daily payouts and was valued at $10 billion following a $350 million Series C round led by Felicis Ventures in October 2025.
Mercor spokesperson Heidi Hagberg confirmed to TechCrunch that the company had “moved promptly” to contain and remediate the security incident.
“We are conducting a thorough investigation supported by leading third-party forensics experts,” said Hagberg. “We will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible.”
Earlier, Lapsus$ claimed responsibility for the apparent data breach on its leak site and shared a sample of data allegedly taken from Mercor, which TechCrunch reviewed. The sample included material referencing Slack data and what appeared to be ticketing data, as well as two videos purportedly showing conversations between Mercor’s AI systems and contractors on its platform.
Hagberg declined to answer follow-up questions on whether the incident was connected to claims by Lapsus$, or whether any customer or contractor data had been accessed, exfiltrated, or misused.
The compromise of LiteLLM originally surfaced last week after malicious code was discovered in a package associated with the Y Combinator-backed startup’s open-source project. While the malicious code was identified and removed within hours, the incident drew scrutiny due to LiteLLM’s wide use across the internet, with the library downloaded millions of times per day, per security firm Snyk. The incident also prompted LiteLLM to make changes to its compliance processes, including shifting from controversial startup Delve to Vanta for compliance certifications.
It remains unclear how many companies were affected by the LiteLLM-related incident or whether any data exposure occurred, as investigations continue.
Jagmeet covers startups, tech policy-related updates, and all other major tech-centric developments from India for TechCrunch. He previously worked as a principal correspondent at NDTV.
You can contact or verify outreach from Jagmeet by emailing mail@journalistjagmeet.com.