AI Firm Mercor Confirms Breach as Hackers Claim 4TB of Stolen Data
AI firm Mercor confirms breach linked to LiteLLM supply chain attack; Lapsus$ claims 4TB stolen data.
Summary
Mercor, an AI recruitment firm valued at $10 billion, confirmed it was compromised during a widespread supply chain attack targeting LiteLLM, an open-source tool used for AI model communication. Attackers published malicious LiteLLM versions (1.82.7 and 1.82.8) for approximately 40 minutes, during which millions of automated deployments may have pulled the compromised code. The extortion group Lapsus$ subsequently claimed responsibility for stealing 4TB of sensitive data, including candidate profiles, source code, API keys, and internal systems, though the scope and link to the initial LiteLLM compromise remain unconfirmed.
Full text
By Deeba Ahmed, April 3, 2026
Following a compromise of the open-source tool LiteLLM, AI firm Mercor reports a security incident. Learn how hacking groups TeamPCP and Lapsus$ allegedly accessed sensitive candidate profiles and internal data.
The AI recruitment firm Mercor has confirmed it is dealing with a security incident following a widespread cyberattack linked to a compromised open-source tool. The breach is part of a large-scale supply chain attack that impacted thousands of organisations globally.
For your information, supply chain attacks work by inserting malicious code into widely used software, allowing attackers to compromise multiple targets at once through trusted dependencies.
A 40-minute window of chaos
The incident dates back to late March 2026 and involves LiteLLM, an open-source tool used to enable communication between different AI models. According to reports, attackers published two malicious versions of the LiteLLM PyPI package, versions 1.82.7 and 1.82.8.
While the compromised packages were available for only around 40 minutes, the impact window was significant. Research from Snyk shows LiteLLM sees millions of downloads per day. This means organisations running automated CI/CD pipelines may have unknowingly pulled the malicious code during that brief period. Data from Wiz Research further indicates LiteLLM is present in roughly 36% of cloud environments, highlighting the scale of potential exposure.
Mercor Confirmation
Mercor confirmed it was one of thousands of organisations affected by the LiteLLM supply chain attack. The incident has been linked to the TeamPCP group, which reportedly used compromised maintainer credentials to publish malicious package versions.
As per the company’s spokesperson, the firm moved promptly to contain and remediate the incident and has brought in third-party forensics experts to investigate.
(Image: Mercor’s official response on X.com)
LiteLLM is widely used to enable communication between AI models and is present in roughly 36% of cloud environments, according to Wiz Research. Researchers traced the breach back to an earlier compromise involving the Trivy tool, which exposed sensitive tokens used in downstream development workflows.
Claims of massive data theft
The situation worsened after the Lapsus$ extortion group listed Mercor on its leak site, claiming to possess 4TB of stolen data. According to the listing, the data allegedly includes candidate profiles, personally identifiable information, employer data, and technical assets such as source code, API keys, and secrets. The listing also references data linked to Tailscale VPN usage, along with video interviews between AI systems and contractors.
These claims have not been independently verified, and Mercor has not confirmed the scope or authenticity of the alleged leak. It also remains unclear how Lapsus$ obtained the data and whether it is directly linked to the LiteLLM compromise. However, security researchers have suggested a possible link between Lapsus$ and the TeamPCP group behind the supply chain attack, though no formal collaboration has been confirmed.
(Image: Lapsus$ data leak site listing for Mercor)
Mercor is a major player in the tech world that helps giants like OpenAI and Anthropic find experts like doctors and lawyers to help train their AI systems. The company was recently valued at $10 billion following a $350 million funding round led by Felicis Ventures in October 2025, making it a high-profile target for such an attack.
Nevertheless, while containment efforts are underway, the case highlights how a brief supply chain compromise can cascade across widely used software dependencies, affecting thousands of organisations within minutes.
Editor’s note: At the time of writing, the Mercor auction listing had been removed from the Lapsus$ hackers’ official website. While the reason for its removal remains unclear, it suggests two possibilities: either the hackers have found a buyer, or Mercor may have been in discussions with them to halt the auction. However, this is only an indication, and nothing has been confirmed.
Indicators of Compromise
- malware — LiteLLM (versions 1.82.7, 1.82.8)
- malware — Trivy
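A dependency audit for the two malicious LiteLLM releases listed above (1.82.7 and 1.82.8), as an added example that is not from the article or the LiteLLM project. The function names and the sample requirement lines are constructed for illustration, and only the numeric release segments of version specifiers are handled.

```python
import re

# Malicious releases named in the article; nothing else is assumed about them.
COMPROMISED = {"litellm": ("1.82.7", "1.82.8")}

_REQ = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*([^;#]*)")
_CLAUSE = re.compile(r"(~=|==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)(\.\*)?")

def _parts(text):
    return [int(p) for p in text.split(".")]

def _pad(parts, n=4):
    return tuple(parts + [0] * (n - len(parts)))

def _admits(op, raw, wildcard, version):
    """Does `version` satisfy one specifier clause (release segments only)?"""
    bound, ver = _parts(raw), _parts(version)
    if wildcard:  # ==1.82.* and !=1.82.* are prefix matches
        return (ver[:len(bound)] == bound) == (op == "==")
    if op == "~=":  # ~=1.82.0 means >=1.82.0 and ==1.82.*
        return _pad(ver) >= _pad(bound) and ver[:len(bound) - 1] == bound[:-1]
    a, b = _pad(ver), _pad(bound)
    return {"==": a == b, "!=": a != b, "<=": a <= b,
            ">=": a >= b, "<": a < b, ">": a > b}[op]

def audit(lines):
    """Return (line_no, status, text) per risky entry: PINNED is an exact pin to
    a malicious release, ADMITS a range or unpinned entry that allows one."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = _REQ.match(line)
        if not m or line.lstrip().startswith("-"):  # skip -r, --hash, comments
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # normalised name
        clauses = _CLAUSE.findall(m.group(2))
        for bad in COMPROMISED.get(name, ()):
            if all(_admits(op, raw, wc, bad) for op, raw, wc in clauses):
                exact = any(op == "==" and not wc for op, _, wc in clauses)
                findings.append((no, "PINNED" if exact else "ADMITS", line.strip()))
                break
    return findings

# Constructed sample input in requirements.txt / `pip freeze` style.
SAMPLE = ["requests==2.32.3", "litellm==1.82.8  # constructed pin",
          "LiteLLM[proxy]>=1.80,<2", "litellm==1.82.6", "litellm>=1.82.9"]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An ADMITS result means only that a resolver could have selected a malicious release if it ran while those versions were published; build logs and lock files show what was actually installed.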