Mercor security breach

Impact of Mercor Security Breach Unknown as Hacking Groups Claim Responsibility

In Focus

  • Mercor helps OpenAI and Anthropic with AI training
  • The data breach on the AI recruiting platform affected its LiteLLM project
  • TeamPCP placed malicious code in LiteLLM to collect user credentials

AI startup Mercor has confirmed a security threat may have exposed sensitive user data, Mint reported. The Mercor security breach has been linked to a supply-chain attack that affected its open-source project, LiteLLM. Mercor provides data services to leading AI firms like Anthropic and OpenAI.

Which Hacking Groups Participated in the Attack?

The Mercor LiteLLM data breach has been traced to a hacking group called TeamPCP. This group is known to target software libraries that are widely used by developers when writing code.

But another group called Lapsus$ has claimed that it targeted the AI startup. Lapsus$ is known for using social engineering and phishing tactics to collect login credentials. The cybercrime group uses the credentials to access and steal sensitive information. The group is also widely recognized for attempting to extort its victims.

Mercor’s AI training data leak comes as Anthropic assesses risks following exposure of its autoDream agent. Mercor partners with AI companies like OpenAI and Anthropic. It supports model training by hiring specialists such as doctors, scientists, and lawyers. In October 2025, the AI startup raised $350 million in a Series C funding round led by Felicis Ventures, pushing its market valuation up to $10 billion.

How Did the LiteLLM Attack Happen?

TeamPCP reportedly placed malicious code in LiteLLM to collect user credentials. Although Mercor identified the code and removed it within hours, it had already spread widely. Lapsus$, while claiming responsibility for the breach of the OpenAI and Anthropic contractor, shared data allegedly stolen from Mercor.

A report by TechCrunch showed that the material appeared to include information linked to Slack, along with ticketing records. The sample also featured two videos that reportedly show interactions between the startup’s AI systems and contractors using its platform.

Mercor has reportedly contained the situation. The company also said that a third-party forensic probe has already been launched.

“The privacy and security of our customers and contractors is foundational to everything we do at Mercor. We will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible,” Mercor spokesperson Heidi Hagberg noted.

Why Was LiteLLM Targeted?

According to cybersecurity company Snyk, LiteLLM is downloaded millions of times per day. Developers use it to link their applications to the AI services offered by Anthropic, OpenAI, and other developers.

It’s not clear how many companies were affected by the LiteLLM-related data breach. Mercor has not confirmed whether the cyber incident was linked to Lapsus$. The company has also not confirmed whether customer and contractor data had been accessed and misused.

James Hughes