Mercor, a $10 billion AI recruiting and training data startup whose clients include OpenAI, Anthropic, and Meta, confirmed on March 31 that it was compromised as part of a supply chain attack targeting the widely used open source LiteLLM library. Meta has indefinitely suspended its partnership with the company while investigations are ongoing. OpenAI is investigating the incident but has not paused its current projects with Mercor.
Mercor recruits domain experts in medicine, law, science, and literature to generate proprietary training datasets for large language models. The company raised $350 million in a Series C round last October and is one of Silicon Valley’s most prominent AI infrastructure startups. The sensitivity of this breach goes beyond the company itself. AI labs treat their training data and methodologies as core competitive intelligence, and Mercor handles bespoke datasets for multiple major labs simultaneously. It remains unclear whether the exposed data would meaningfully help a competitor, but that question is now driving urgent investigations across the industry.
The Attack Chain
The incident traces back to a compromise of the Trivy security scanning tool approximately one week before the LiteLLM incident. Using a maintainer’s compromised credentials, TeamPCP published two malicious versions of the LiteLLM PyPI package, 1.82.7 and 1.82.8, on March 27. The packages were available for roughly 40 minutes but were automatically pulled by thousands of environments. LiteLLM is estimated to be present in 36% of cloud environments and is downloaded approximately 97 million times per month. The malicious code was designed to harvest credentials at scale across potentially thousands of affected organizations.
Mercor confirmed to staff on March 31 that it was among the impacted organizations, describing itself as “one of thousands of companies” affected. A third-party forensics investigation is underway.
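A defender's check for the two versions named above, as an added example that is not from the article or the LiteLLM project: it reads requirements.txt-style lines and reports whether litellm is pinned to 1.82.7 or 1.82.8, or left on a range that would have admitted them while they were live. The function names and the sample input are constructed for illustration; only simple numeric specifiers are evaluated, and anything else is flagged for review.

```python
import re

# Versions named in the article as the malicious LiteLLM releases on PyPI.
BAD_VERSIONS = ("1.82.7", "1.82.8")
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;#]*)")
_CLAUSE = re.compile(r"^(==|~=|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)$")

def _parts(version, width=0):
    nums = [int(p) for p in version.split(".")]
    return tuple(nums + [0] * (width - len(nums)))

def _admits(clause, bad):
    """True if a single specifier clause such as '>=1.80' allows version `bad`."""
    m = _CLAUSE.match(clause.strip())
    if not m:
        return True  # wildcard, URL or pre-release syntax: flag for manual review
    op, ver = m.groups()
    raw, b, v = _parts(ver), _parts(bad, 6), _parts(ver, 6)
    if op == "~=":  # compatible release: >= ver, same prefix minus the last part
        return b >= v and b[:len(raw) - 1] == raw[:-1]
    return {"==": b == v, "!=": b != v, "<=": b <= v, ">=": b >= v, "<": b < v, ">": b > v}[op]

def classify(line):
    """'pinned-malicious', 'range-admits-malicious', 'ok', or None if not litellm."""
    m = _REQ.match(line)
    if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != "litellm":
        return None
    spec = m.group(2).split("--hash")[0].rstrip(" \\\t")
    clauses = [c for c in spec.split(",") if c.strip()]
    if not any(all(_admits(c, bad) for c in clauses) for bad in BAD_VERSIONS):
        return "ok"
    exact = spec.replace(" ", "") in {"==" + bad for bad in BAD_VERSIONS}
    return "pinned-malicious" if exact else "range-admits-malicious"

def scan(text):
    """Return (line_number, verdict) for every litellm requirement in the text."""
    hits = ((n, classify(line)) for n, line in enumerate(text.splitlines(), 1))
    return [(n, v) for n, v in hits if v]

# Constructed sample input (not taken from any real project).
SAMPLE = """\
requests==2.32.3
LiteLLM[proxy]==1.82.8  # pinned
litellm>=1.80,<2 ; python_version >= "3.9"
litellm~=1.81.0
"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A `range-admits-malicious` verdict means the file did not rule those releases out, so the version actually installed in each environment still has to be checked.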
Extortion Claims and What Was Allegedly Taken
A threat actor operating under the Lapsus$ name listed Mercor on a leak site and claimed to have obtained more than 4 terabytes of data, which it is auctioning. The claimed haul includes a database exceeding 200 gigabytes, nearly 1 terabyte of source code, and approximately 3 terabytes of video and other data, along with VPN credentials and encryption keys. Samples published by the actor and reviewed by reporters included Slack data, internal ticketing information, and videos of conversations between Mercor’s AI systems and contractors.
Security researchers have noted that the Lapsus$ name is now used by multiple actors and that the LiteLLM connection points to TeamPCP or a connected group as the likely source of the breach. Recorded Future analyst Allan Liska said publicly that nothing in the dark web posts connects the activity to the original Lapsus$ group. TeamPCP has stated its intention to partner with ransomware and extortion groups to monetize access from its supply chain campaign. Researchers say the group has also been spreading a data-wiping worm called CanisterWorm through cloud instances with Iranian language settings, suggesting possible geopolitical motivations alongside financial ones.
Fallout Across the AI Industry
Meta’s pause is indefinite and affects contractors staffed on Meta-specific projects, who cannot log hours until the work resumes. One affected project, internally called Chordus, involves teaching AI models to use multiple internet sources to verify responses. OpenAI confirmed the incident does not affect its user data but is assessing potential exposure of proprietary training data. Anthropic has not commented publicly.
Mercor and its competitors, including Surge, Handshake, Turing, Labelbox, and Scale AI, are known for operating with extreme secrecy around client work, using internal codenames for projects. That culture of confidentiality now sits at the center of an industry-wide vendor security reckoning. A class action lawsuit has already been filed alleging Mercor failed to protect the data of more than 40,000 individuals.
The Mercor breach is the latest in a string of supply chain incidents hitting the technology sector. Earlier this week, Cisco confirmed source code was stolen through the same Trivy supply chain attack that enabled the LiteLLM compromise. The Axios JavaScript library was also hit by a separate supply chain attack delivering a cross-platform remote access trojan around the same time, underscoring how open source dependencies have become a primary vector for large-scale intrusions.











