Mercor said it suffered a cyberattack linked to the compromise of its open-source LiteLLM project.


Mercor, a popular AI recruiting startup, has confirmed a security incident involving a supply chain attack on its open source LiteLLM project.

The artificial intelligence startup told TechCrunch on Tuesday that it is “one of thousands of companies” affected by the recent compromise of the LiteLLM project, which is linked to a hacking group called TeamPCP. The confirmation of the incident comes as extortion hacking group Lapsus$ claims to have targeted Mercor and gained access to its data.

It was not immediately clear how the Lapsus$ gang obtained the data stolen from Mercor as part of TeamPCP’s cyber attack.

Founded in 2023, Mercor works with companies including OpenAI and Anthropic to train AI models by contracting specialized domain experts such as scientists, doctors and lawyers from markets including India. The startup says it facilitates more than $2 million in daily payments. It is valued at $10 billion following a $350 million Series C round led by Felicis Ventures in October 2025.

Mercor spokeswoman Heidi Hagberg confirmed to TechCrunch that the company is “moving quickly” to prevent and resolve the security incident.

“We are conducting a thorough investigation supported by leading third-party forensic experts,” Hagberg said. “We will continue to be in direct contact with our customers and contractors as necessary and will devote the necessary resources to resolve the issue as quickly as possible.”

Earlier, Lapsus$ claimed responsibility for the apparent data breach on the leak site and shared a sample of data allegedly taken from Mercor, which TechCrunch reviewed. Examples include material referencing Slack data and what appears to be ticket data, as well as two videos showing conversations between contractors on Mercor’s AI systems and platform.


Hagberg declined to answer further questions about whether the incident was related to the allegations by Lapsus$ or whether any customer or contractor data was accessed, leaked or misused.

The compromise of LiteLLM first came to light last week after malicious code was discovered in a package associated with the Y Combinator-backed startup’s open source project. Although the malicious code was identified and removed within hours, the incident gained attention because of how widely LiteLLM is used across the Internet: according to security firm Snyk, the library is downloaded millions of times per day. The incident also prompted LiteLLM to make changes to its compliance processes, including a move from the controversial startup Delve to Vanta for compliance certificates.

It is not yet clear how many companies were affected by the LiteLLM incident or whether any information has been disclosed, as investigations are ongoing.


