Mercor, a popular AI recruitment startup, has confirmed a security incident related to a supply chain attack involving the open source LiteLLM project.
The AI startup told TechCrunch on Tuesday that it was “one of thousands” affected by the recent breach of the LiteLLM project, which has been attributed to a hacking group called TeamPCP. Confirmation of the incident came after the extortion hacking group Lapsus$ claimed to have targeted Mercor and accessed its data.
It was not immediately clear how the Lapsus$ gang obtained the data stolen from Mercor as part of the TeamPCP cyberattack.
Founded in 2023, Mercor works with companies like OpenAI and Anthropic and contracts with subject matter experts such as scientists, doctors and lawyers in markets including India to train its AI models. The startup says it facilitates more than $2 million in payouts every day and was valued at $10 billion after a $350 million Series C round led by Felicis Ventures in October 2025.
Mercor spokesperson Heidi Hagberg confirmed to TechCrunch that the company “acted quickly” to contain and remediate the security incident.
“We are conducting a thorough investigation with the assistance of leading third-party forensic experts,” Hagberg said. “We will continue to communicate directly with customers and contractors as necessary and commit the necessary resources to resolve issues as quickly as possible.”
Previously, Lapsus$ claimed responsibility for an apparent data breach on a leak site and shared a sample of data purportedly taken from Mercor, which TechCrunch reviewed. The samples included materials that referenced what appeared to be Slack data and ticketing data, as well as two videos purporting to show conversations between Mercor’s AI system and contractors on its platform.
Hagberg declined to answer further questions about whether the incident was related to Lapsus$’s claims or whether customer or contractor data had been accessed, leaked or misused.
The LiteLLM breach first surfaced last week after malicious code was discovered in a package related to the Y Combinator-backed startup’s open source project. Although the malicious code was identified and removed within hours, the incident drew increased scrutiny because LiteLLM is widely used across the Internet and the library is downloaded millions of times a day, according to security firm Snyk. The incident also prompted LiteLLM to make changes to its compliance processes, including moving its compliance certification from the controversial startup Delve to Vanta.
The number of companies affected by LiteLLM-related incidents and whether a data breach occurred remains unclear as investigations continue.