Supply Chain Security

Mercor Hit by LiteLLM Supply Chain Attack

The AI recruiting firm is investigating the incident as Lapsus$ claimed the theft of 4TB of Mercor data.

Mercor hacked

AI recruiting firm Mercor has disclosed impact from the recent LiteLLM supply chain attack, after extortionists claimed the theft of 4 terabytes of data.

The LiteLLM incident occurred on March 27 and was the result of the Trivy supply chain attack that was mounted a week before.

“We believe that the compromise originated from the Trivy dependency used in our CI/CD security scanning workflow,” LiteLLM notes in its description of the incident.

Using a maintainer’s compromised credentials, the TeamPCP hacking group published two malicious LiteLLM PyPI package versions, namely 1.82.7 and 1.82.8, which were available for download for roughly 40 minutes.

LiteLLM is estimated to be present in 36% of cloud environments, and while the exposure window appears small, the malicious package versions were likely automatically downloaded by thousands, including Mercor.

“We recently identified that we were one of thousands of companies impacted by a supply chain attack involving LiteLLM,” the startup said on Wednesday.

Advertisement. Scroll to continue reading.

“Our security team moved promptly to contain and remediate the incident. We are conducting a thorough investigation supported by leading third-party forensics experts,” Mercor added.

While the company has not shared details on the impact, the Lapsus$ extortion group listed Mercor on its leak site on Monday, claiming the theft of over 4TB of data.

Lapsus$ is auctioning the information, which allegedly includes candidate profiles, personally identifiable information, employer data, user accounts and credentials, video interviews, proprietary information, source code, keys and secrets, and TailScale VPN data.

TeamPCP was recently reported to have partnered with Lapsus$ to monetize the data and access obtained as part of its broad supply chain campaign, and it is no surprise that the extortion group has listed Mercor on its leak site. However, the company has yet to confirm Lapsus$ claims.

SecurityWeek has emailed Mercor for a statement on the matter and will update this article if the company responds.

Related: Stolen Logins Are Fueling Everything From Ransomware to Nation-State Cyberattacks

Related: TeamPCP Moves From OSS to AWS Environments

Related: Axios NPM Package Breached in North Korean Supply Chain Attack

Related: Toy Giant Hasbro Hit by Cyberattack

Related Content

Artificial Intelligence

The audits are reportedly being spearheaded by CISA’s Attack Surface Evaluation team, a specialized unit tasked with conducting digital defense assessments and simulated hacking...

Supply Chain Security

The PolinRider campaign has compromised more than 100 legitimate open source packages and repositories to deliver a backdoor and information stealer to developers.

Artificial Intelligence

Attack demonstrates how LLM agents can combine known exploitation techniques with real-time reasoning to automate complex, multi-stage intrusions.

Cybercrime

In April, ShinyHunters accessed the company’s corporate IT systems and stole patients’ personal and medical information.

Artificial Intelligence

As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they...

Artificial Intelligence

From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype.

Artificial Intelligence

Decades-old Bash shell tricks can bypass safeguards in most open source AI coding agents, potentially turning malicious repositories into supply chain attack vectors.

Data Breaches

Hackers accessed the insurance giant’s policyholder portal multiple times between June 15 and June 25.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version