Mercor confirms cyberattack as hackers claim 4TB of critical data in possession

AI recruiting startup Mercor has confirmed it was impacted by a supply chain attack stemming from the compromise of the open-source LiteLLM library. Meanwhile, a hacker group is claiming access to several terabytes of data, including the company’s source code.
- Mercor confirmed a supply chain cyberattack through the compromised LiteLLM Python library used by AI developers worldwide.
- Hacker group Lapsus$ claims possession of 4TB of Mercor data including source code, databases, and VPN account information.
- LiteLLM library with 97 million monthly downloads was infected with credential-harvesting malware by TeamPCP threat actors.
The fallout from the LiteLLM compromise has begun. Mercor, an AI-powered talent marketplace, confirmed being “impacted by a supply chain attack involving LiteLLM.” The latter, a massively popular Python library used by AI developers, was recently infected with credential harvesting malware.
“Our security team moved promptly to contain and remediate the incident. We are conducting a thorough investigation supported by leading third-party forensics experts,” Mercor explained on X.
The company’s comments come after a prominent hacker group, Lapsus$, claimed the Mercor attack, listing the company on its blog. Our research team attempted to investigate the attackers’ claims. However, at the time of writing, the data was inaccessible.
We will update this article once our team has new information related to the Mercor data leak.
What information did the Mercor data leak expose?
Lapsus$ claims broad access to Mercor information, ranging from databases to source code. According to the gang, they have four terabytes of the company’s data in their possession, including an unnamed database weighing over 200GB and a 3TB drive containing video and verification data.
Moreover, Lapsus$ claims to have access to 939GB of the company’s source code and all data from the company’s Tailscale VPN account.
We’ve reached out to the company for additional information and will update this article once we receive a reply.
If confirmed, the supply chain data leak could be damaging to the company’s security posture. While the extent and sensitivity of the details in the allegedly leaked database and bucket are unclear, source code leaks are extremely dangerous.
For one, attackers can study leaked source code to identify flaws and vulnerabilities that they later use to conduct cyberattacks. These types of attacks are particularly dangerous because targeted organizations might not be aware of security flaws hidden deep within the source code.
Beginning of the LiteLLM data breach tsunami?
The global compromise occurred last week, after developers noted a mass malware infection distributed via LiteLLM, a widely popular library with 97 million monthly downloads on PyPI.
Developers use it as a unified interface to connect their apps to over 100 AI services from OpenAI, Anthropic, and others.
A threat actor group calling itself TeamPCP took credit for the attack. Interestingly, the gang said it will partner with major illicit forums and ransomware gangs, promising to send invites to hundreds of thousands of users so that as many people as possible can start extorting companies.
Lapsus$ targeting Mercor likely signifies the start of a real collaboration between TeamPCP and an extortion gang. If the past is any indicator, numerous data breaches and data leaks will plague the market in the months to come.
For example, data leak cartel ShinyHunters relentlessly posts victim after victim with data obtained via the Salesforce cyberattack.
And between 2023 and 2025, the Cl0p cyber cartel employed similar tactics after gaining access to vast amounts of data via the MOVEit exploit, making it one of the largest hacking campaigns ever, hitting nearly 100 million individuals.