Mercor reports that it was affected by a cyberattack linked to the compromise of the open-source LiteLLM project.

Mercor, a prominent AI recruiting firm, has reported a security breach linked to a supply chain attack involving the open-source project LiteLLM.

On Tuesday, the AI company informed TechCrunch that it was “one of numerous firms” impacted by a recent breach of the LiteLLM project, which has ties to a hacking collective known as TeamPCP. The confirmation of this breach comes as the extortion hacker group Lapsus$ claimed to have targeted Mercor and accessed its information.

It is currently uncertain how the Lapsus$ group acquired the compromised data from Mercor amid TeamPCP’s cyber assault.

Established in 2023, Mercor collaborates with organizations such as OpenAI and Anthropic to enhance AI models by hiring specialized domain experts, including scientists, doctors, and lawyers from regions such as India. The company claims to facilitate over $2 million in daily transactions and was valued at $10 billion following a $350 million Series C funding round led by Felicis Ventures in October 2025.

Mercor representative Heidi Hagberg confirmed to TechCrunch that the firm had “acted swiftly” to address and resolve the security issue.

“We are undergoing a comprehensive investigation aided by top third-party forensic specialists,” Hagberg stated. “We will maintain open communication with our clients and contractors directly as deemed appropriate and allocate the necessary resources to address the situation as quickly as possible.”

Previously, Lapsus$ claimed responsibility for the suspected data breach on its leak site and provided a sample of data supposedly obtained from Mercor, which TechCrunch examined. The sample contained material related to Slack data and what seemed to be ticketing information, along with two videos allegedly depicting dialogues between Mercor’s AI frameworks and contractors on its platform.

Hagberg chose not to respond to follow-up inquiries regarding whether the incident was associated with the assertions made by Lapsus$, or whether any data belonging to customers or contractors had been accessed, exfiltrated, or misappropriated.

The compromise of LiteLLM initially came to light last week after malicious code was identified in a package tied to the Y Combinator-supported startup’s open-source project. While the harmful code was detected and removed within hours, the event raised concerns because LiteLLM is so widely used, with the library downloaded millions of times daily, according to security firm Snyk. The incident also led LiteLLM to change its compliance processes, including a switch from the controversial startup Delve to Vanta for compliance certifications.

It is still unclear how many businesses were impacted by the LiteLLM-related incident or if any data exposure took place, as investigations are ongoing.