Mercor says it was hit by a cyberattack linked to the open source LiteLLM project

MercorA well-known recruitment AI, has confirmed a security incident linked to a cyber attack affecting the open source LiteLLM project.

The AI ​​startup told TechCrunch on Tuesday that it was “one of thousands of companies” affected by the recent hack of the LiteLLM project, which was linked to a hacking group called TeamPCP. Confirmation of the incident comes as the hacking group Lapsus$ said it targeted Mercor and obtained its information.

It was not immediately clear how the Lapsus$ team obtained the data stolen from Mercor as part of the TeamPCP cyberattack.

Founded in 2023, Mercor works with companies including OpenAI and Anthropic to train AI models by collaborating with specialized experts such as scientists, doctors, and lawyers from markets including India. The startup claims to support more than $2 million in daily payments and it was its value is $10 billion following a $350 million Series C round led by Felicis Ventures in October 2025.

Mercor spokeswoman Heidi Hagberg confirmed to TechCrunch that the company “moved quickly” to fix and correct the incident.

“We are conducting a thorough investigation with the help of third-party legal experts,” Hagberg said. “We will continue to communicate with our customers and contractors as directly as possible and provide the necessary resources to resolve this issue as soon as possible.”

Earlier, Lapsus$ claimed to be responsible for the tampering that appeared on its leak page and shared samples of what it said was taken from Mercor, which TechCrunch reviewed. The samples included Slack data and what appeared to be advertisements, as well as two videos showing conversations between Mercor’s AI machine and contractors on its platform.

Hagberg declined to answer follow-up questions about whether the incident was related to Lapsus$’s claims, or whether any customers or contractors were accessed, leaked, or misused.

LiteLLM price changes appeared first last week after malicious code was found in a package linked to a Y Combinator-backed startup-source project. Although the malicious code was detected and removed after a few hours, the incident also highlighted the fact that LiteLLM is widely used on the Internet, the library is downloaded millions of times a day, according to the security company Snyk. The incident also prompted LiteLLM to revise its compliance procedures, including a change from Delve’s controversial triggers go to Vanta to get certificates.

It is not yet clear how many companies were affected by the LiteLLM incident or whether any disclosures were made, as the investigation continues.