Mercor Confirms Security Incident from LiteLLM Supply Chain Attack, Data Stolen

Mercor, an AI recruiting startup, has confirmed that it was impacted by the recent LiteLLM supply chain attack, marking it as one of the first downstream victims to publicly acknowledge the incident. The company stated on social media that it was 'one of thousands of companies' affected, emphasizing the widespread nature of the attack. Mercor is known for its collaborations with major firms like OpenAI and was valued at $10 billion as of October 2025.

In a statement, Mercor spokesperson Heidi Hagberg reiterated the company's commitment to customer privacy and security, stating, 'Our security team moved promptly to contain and remediate the incident.' The firm is currently conducting a thorough investigation with the assistance of third-party forensics experts.

The attack has been linked to the hacking group TeamPCP, while the notorious extortion group Lapsus$ claimed responsibility for stealing approximately 4 terabytes of data from Mercor, including 939 gigabytes of source code. They have reportedly offered the stolen data for sale to the highest bidder. While Mercor has not disclosed how Lapsus$ accessed its data, security researchers from Wiz have indicated that high-profile extortion groups are now collaborating with TeamPCP, which has been implicated in multiple supply chain attacks.

The ramifications of the LiteLLM attack are extensive, with estimates suggesting that as many as 500,000 machines may have been compromised. Experts predict that the number of downstream victims could rise significantly, with Mandiant Consulting's CTO indicating that over 1,000 SaaS environments are actively dealing with the fallout. As the investigation unfolds, it is clear that Mercor's incident is part of a larger pattern of supply chain vulnerabilities affecting the tech industry.