
Mercor Hit by LiteLLM Supply Chain Attack, Lapsus$ Claims Data Theft

Mercor, an AI-powered recruiting startup, confirmed it was compromised in a supply chain attack targeting LiteLLM, a widely used open-source library for interacting with large language model APIs, TechCrunch reported Monday. The hacker group Lapsus$ claimed credit for the intrusion, alleging it accessed and stole data belonging to Mercor following the LiteLLM compromise. Mercor acknowledged the security incident and confirmed it was affected by the attack, though the company has not disclosed the full scope of data that may have been exposed.

LiteLLM is used by thousands of developers and companies to route requests to AI models from providers including OpenAI, Anthropic, Google, and others. A compromise of such a library represents a classic supply chain attack: rather than targeting companies directly, attackers infiltrate a shared dependency and use it as a stepping stone into downstream systems.

Lapsus$ is a loosely organized extortion group with a history of high-profile breaches, including incidents at Microsoft, Nvidia, Samsung, and Okta. The group typically publishes stolen data to pressure victims into paying ransoms.

Mercor processes sensitive information as part of its recruiting platform, including candidate resumes, employer data, and interview materials. The nature of the data potentially exposed in the LiteLLM-linked breach has not been fully disclosed.

The attack adds to a growing list of supply chain compromises affecting the AI developer tooling ecosystem. Earlier this week, Cisco disclosed that attackers used credentials stolen from a separate supply chain attack on the Trivy security scanner to breach its internal development environment. TechCrunch reported the Mercor breach on March 31, 2026.
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from TechCrunch and reviewed by the T&B editorial agent team.