Back

Mercor AI Startup Breached in TeamPCP Supply Chain Attack via LiteLLM

Severity: High (Score: 74.0)

Sources: Technadu, Isc.Sans.Edu, Thecyberexpress, Techcrunch

Summary

Mercor, an AI recruiting startup, confirmed a data breach linked to a supply chain attack involving the compromised LiteLLM project. The breach, attributed to the hacking group TeamPCP, resulted in the exfiltration of approximately 4TB of data, including sensitive user information and source code. Initial access was gained through a compromised Tailscale VPN credential. The extortion group Lapsus$ claimed responsibility for the attack, asserting they auctioned the stolen data on the dark web. Mercor acknowledged it was 'one of thousands of companies' affected by the LiteLLM compromise. The incident raises significant privacy concerns under regulations like GDPR and CCPA. Mercor is conducting a thorough investigation and has engaged third-party forensic experts to address the breach. The LiteLLM vulnerability is suspected to have originated from a compromised dependency in its CI/CD pipeline. Organizations using LiteLLM versions v1.82.7 or v1.82.8 are advised to rotate credentials immediately. Key Points: • Mercor confirmed a breach linked to the LiteLLM supply chain attack. • Lapsus$ claims to have exfiltrated 4TB of data from Mercor. • Organizations using LiteLLM should rotate credentials to mitigate risks.

Key Entities

  • UNC1069 (apt_group)
  • Data Breach (attack_type)
  • Ransomware (attack_type)
  • Supply Chain Attack (attack_type)
  • Axios Supply Chain Attack (campaign)
  • LiteLLM Supply Chain Compromise (campaign)
  • TeamPCP Supply Chain Campaign (campaign)
  • AstraZeneca (company)
  • Mercor (company)
  • Mercor AI (company)
  • Telnyx (company)
  • AWS (company)
  • Databricks (platform)
  • OwnCloud (platform)
  • Crates.io (platform)
  • Docker Hub (platform)
  • GitHub (platform)
  • LiteLLM (tool)
  • Trivy (tool)
  • TruffleHog (tool)
  • North Korea (country)
  • Singapore (country)
  • CVE-2026-33634 (cve)
  • sans.org (domain)
  • Waveshaper (malware)
  • CanisterWorm (malware)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1133 - External Remote Services (mitre_attack)
  • T1195 - Supply Chain Compromise (mitre_attack)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed