
Mercor Among Many Companies Hit by LiteLLM Breach, Probe Underway

Casablanca – Mercor, the AI recruiting startup valued at $10 billion, has said it was among the companies caught in the fallout from the recent LiteLLM supply chain breach, becoming one of the first known downstream victims to publicly confirm exposure.

The company told TechCrunch it was “one of thousands of companies” affected after malicious versions of the widely used LiteLLM Python package were briefly pushed to PyPI in late March.

Mercor—which works with companies like OpenAI and Anthropic by connecting them with specialists such as scientists, lawyers, and doctors to help train AI models—said its security team moved quickly to contain and remediate the issue and has brought in third-party forensics experts to investigate what happened.

The disclosure came after the Lapsus$ extortion group listed Mercor on its leak site on Monday, claiming the theft of more than 4TB of internal data that is now being auctioned.

A sample reviewed by TechCrunch appeared to include Slack-related material, ticketing data, and two videos that allegedly showed conversations between Mercor’s AI systems and contractors using its platform.


Mercor declined to say whether the incident was directly tied to the Lapsus$ claims or whether customer or contractor data had been exfiltrated.

The broader breach traces back to LiteLLM versions 1.82.7 and 1.82.8, which were available for roughly 40 minutes on March 24 before being quarantined.

LiteLLM said the poisoned releases included credential-stealing malware capable of scanning for environment variables, SSH keys, cloud credentials, Kubernetes tokens, and database passwords, then sending the data to attacker-controlled domains.

The company later released a clean version, v1.83.0, after overhauling its release pipeline with isolated environments and stricter security checks. 
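Because the poisoned releases were live for only about 40 minutes, the practical first question for any team is whether one of the two bad versions was ever pinned or installed. The script below is an added example, not code from LiteLLM, Mercor, or the investigators: it audits requirements-style text (a requirements.txt, a pip-compile lockfile, or `pip freeze` output) for litellm entries, flags the versions named in the article (1.82.7 and 1.82.8), treats v1.83.0 and later as clean, and marks unpinned or range specifiers for review because they could have resolved to a bad version during the window. The sample lockfile and its `--hash` value are constructed for illustration.

```python
"""Audit dependency pins for the compromised LiteLLM releases (added example)."""
import re
from importlib.metadata import PackageNotFoundError, version

COMPROMISED = {"1.82.7", "1.82.8"}   # versions named in the advisory
FIRST_CLEAN = (1, 83, 0)             # v1.83.0, the first clean release

# name, optional extras like [proxy], optional operator and version
_SPEC_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?\s*"
    r"(?P<op>==|>=|<=|~=|!=|>|<)?\s*(?P<ver>[0-9][0-9A-Za-z.\-+]*)?"
)


def parse_version(v):
    """Reduce a version string to a comparable tuple of its leading numeric parts."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def classify(op, ver):
    """Return COMPROMISED, OK, or REVIEW for one litellm specifier."""
    if op == "==" and ver:
        return "COMPROMISED" if ver in COMPROMISED else "OK"
    # A lower bound at or above the clean release cannot resolve to a bad version.
    if op in (">=", ">") and ver and parse_version(ver) >= FIRST_CLEAN:
        return "OK"
    # No pin, or a range that may include 1.82.7/1.82.8: verify what was actually installed.
    return "REVIEW"


def audit_requirements(text):
    """Return [(specifier_line, verdict)] for every litellm entry in requirements-style text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # Skip blanks and option lines such as pip-compile's '--hash=...' continuations.
        if not line or line.startswith("-"):
            continue
        m = _SPEC_RE.match(line)
        if not m or m.group("name").lower().replace("_", "-") != "litellm":
            continue
        findings.append((line, classify(m.group("op"), m.group("ver"))))
    return findings


def has_compromised(text):
    """True if any litellm entry is pinned to a compromised version."""
    return any(v == "COMPROMISED" for _, v in audit_requirements(text))


def installed_litellm_verdict():
    """Check the running interpreter's environment; None if litellm is not installed."""
    try:
        v = version("litellm")
    except PackageNotFoundError:
        return None
    return ("litellm==" + v, "COMPROMISED" if v in COMPROMISED else "OK")


# Constructed sample lockfile; the hash is a placeholder, not a real digest.
SAMPLE_LOCKFILE = """\
# constructed sample, not from any real project
openai==1.70.0
litellm==1.82.7 \\
    --hash=sha256:deadbeef
LiteLLM[proxy]==1.83.0
litellm>=1.80
"""

if __name__ == "__main__":
    for line, verdict in audit_requirements(SAMPLE_LOCKFILE):
        print(f"{verdict:12} {line}")
    print("installed:", installed_litellm_verdict())
```

A clean result from the current lockfile is not proof of safety: if a machine ever installed 1.82.7 or 1.82.8, even briefly in CI, the credentials the article lists (environment variables, SSH keys, cloud and Kubernetes tokens, database passwords) should be treated as exposed and rotated regardless of what is pinned today.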

Because LiteLLM is deeply embedded across AI tooling stacks and is downloaded millions of times a day, the blast radius is still unclear.

Investigators are still trying to determine how many companies were affected and what data, if any, was ultimately exposed. For Mercor, the unanswered question is whether a short-lived compromise in a dependency chain turned into something much bigger.
