Mercor, a startup that provides training data to major AI companies, confirmed that it was the victim of a security breach that may have exposed sensitive company and user data.
The incident was linked to a supply-chain attack involving LiteLLM, a widely used open-source library for connecting applications to AI services.
The company confirmed to Fortune it was “one of thousands of companies” affected by the supply-chain attack on LiteLLM, which has been linked to a hacking group called TeamPCP. Mercor spokesperson Heidi Hagberg said that the company had “moved promptly” to contain and remediate the incident and said a third-party forensics investigation was underway.
“The privacy and security of our customers and contractors is foundational to everything we do at Mercor,” Hagberg said. “We will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible.”
TeamPCP is known for engineering so-called supply-chain attacks, in which malware is planted inside codebases or software libraries that are widely used by programmers when writing their own code. Lapsus$, by contrast, is an older hacking group, known for social engineering and phishing attacks that focus on stealing user log-in credentials and then using those credentials to gain access to and steal sensitive data.
In 2023, an attack from the Cl0p ransomware gang that exploited a vulnerability in MOVEit, a widely used file transfer tool, breached hundreds of organizations simultaneously, ultimately affecting nearly 100 million individuals across government agencies, financial institutions, and health care providers. Extortion attempts from that campaign dragged on for months.
