Mercor AI Recruiting Startup Confirms Security Incident
Mercor, a well-known AI recruiting startup, has recently acknowledged a security breach related to a supply chain attack involving the open-source project LiteLLM.
The startup disclosed to JS that it was one of many companies affected by a compromise of the LiteLLM open-source project, an attack that has been reportedly attributed to a hacking group known as TeamPCP. The confirmation follows claims by the extortion group Lapsus$ that it targeted Mercor and obtained its data.
How Lapsus$ came to hold data stolen from Mercor in the course of TeamPCP's attack on LiteLLM remains unclear at this time.
Established in 2023, Mercor collaborates with firms like OpenAI and Anthropic to train AI models by enlisting specialized domain experts such as scientists, doctors, and lawyers from markets like India. The startup facilitates over $2 million in daily payouts and achieved a valuation of $10 billion after securing a $350 million Series C round led by Felicis Ventures in October 2025.
Heidi Hagberg, a spokesperson for Mercor, confirmed that the company promptly took action to contain and address the security incident.
“We are currently conducting a thorough investigation with the assistance of leading third-party forensics experts,” said Hagberg. “We are committed to communicating directly with our customers and contractors as necessary and are dedicating the required resources to resolve the matter expeditiously.”
Previously, Lapsus$ took credit for the alleged data breach on its leak site and shared a sample of data purportedly obtained from Mercor, which was reviewed by JS. The data sample included references to Slack data, ticketing data, and two videos displaying interactions between Mercor’s AI systems and contractors on its platform.
Hagberg declined to respond to further inquiries regarding the potential connection between the incident and Lapsus$’ claims, as well as whether any customer or contractor data was compromised, extracted, or misused.
The LiteLLM compromise first came to light when malicious code was found in a package published from the Y Combinator-backed startup's open-source project. The malicious code was identified and removed quickly, but the incident raised wider concern because of how widely LiteLLM is used: the library is downloaded millions of times a day, according to security firm Snyk. Removing a malicious release from a package registry does not undo installations that pulled it in while it was available, so downstream users still have to check which versions they installed and when. Following the incident, LiteLLM moved its compliance certifications from Delve to Vanta.
How many companies were affected by the LiteLLM-related incident, and whether any of their data was exposed, remains uncertain while investigations continue.
