Mercor AI has confirmed a significant cybersecurity breach after the notorious hacking group Lapsus$ claimed responsibility for stealing approximately 4 terabytes of sensitive company data. The attackers have reportedly put the stolen data up for auction on the dark web, escalating concerns around data exposure and extortion. According to initial reports, the breach originated from a supply chain compromise involving the widely used open-source library LiteLLM. The attackers allegedly gained access through Mercor’s Tailscale VPN, enabling them to exfiltrate a vast amount of internal data.
Mercor AI stated that safeguarding customer and contractor data remains its top priority. The company attributed the breach to a broader supply chain attack tied to the LiteLLM library rather than a direct internal vulnerability. Mercor’s security team has since contained the incident and launched a detailed investigation in collaboration with third-party forensic experts to assess the full scope and impact of the breach.
The breach has been traced back to late March 2026, when a threat actor group known as TeamPCP compromised the PyPI publishing credentials for LiteLLM. Malicious code was injected into versions 1.82.7 and 1.82.8 of the library, introducing a multi-stage backdoor designed to harvest credentials and maintain persistent access. Because LiteLLM is widely integrated into AI-driven applications, the malicious package was unknowingly deployed across numerous organizations, amplifying the scale of the attack.
Founded in 2023, Mercor AI operates a fast-growing AI recruitment platform that connects specialized professionals with leading AI companies. The platform reportedly generates over $500 million in revenue and facilitates more than $2 million in daily payouts. The breach poses serious operational and reputational risks, particularly due to the exposure of sensitive contractor data and internal AI systems. The leak of source code and KYC (Know Your Customer) materials could have long-term implications for both security and compliance.
Lapsus$, known for targeting high-profile technology companies, is attempting to sell the stolen data through a public auction model. The group has a history of using aggressive extortion tactics, including public leaks, to pressure victims into paying ransoms when negotiations fail. This incident underscores a broader cybersecurity trend where attackers exploit vulnerabilities in upstream software dependencies to infiltrate downstream organizations at scale. As reliance on open-source components continues to grow, such supply chain attacks are becoming increasingly impactful and difficult to detect. The Mercor AI breach serves as a stark reminder for organizations to strengthen third-party risk management, continuously monitor software dependencies, and adopt stricter security controls to mitigate evolving threats in the modern digital ecosystem.
Recommended Cyber Technology News:
- Censys Raises $70 Million To Expand AI Security Platform
- Codenotary Launches AgentMon to Secure and Monitor AI Agent Networks
- Depthfirst Raises $80M for AI Security Platform
To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com
