Mercor AI Startup Confirms Security Incident Linked to Supply Chain Attack

Mercor, an innovative artificial intelligence (AI) recruiting startup that has been valued at $10 billion following its recent funding round, confirmed on Tuesday that it was one of thousands of companies affected by a supply chain attack involving the open-source project LiteLLM. The incident comes as another hacking group, Lapsus$, claimed responsibility for targeting Mercor and gaining access to sensitive data.

Details of the Security Incident

Mercor works with major AI firms such as OpenAI and Anthropic by contracting specialized domain experts like scientists, doctors, and lawyers from various markets including India. The startup facilitates over $2 million in daily payouts and has been a key player in training advanced AI models.

The security incident was first reported when Lapsus$, an extortion hacking group known for targeting high-profile tech companies, claimed responsibility for the breach. However, it is not yet clear how they obtained Mercor’s data as part of a larger attack on LiteLLM.

Response and Investigation

Mercor spokesperson Heidi Hagberg confirmed to TechCrunch that the company had taken immediate action to contain and remediate the security incident. “We are conducting a thorough investigation supported by leading third-party forensics experts,” said Hagberg, adding that they would continue to communicate with their customers and contractors.

The confirmation of this supply chain attack highlights the growing risks associated with open-source projects in the tech industry. As more companies rely on shared codebases for development, the potential impact of a single compromised project can ripple through multiple organizations.