Mercor Cyberattack Linked to LiteLLM Supply Chain Compromise

Mercor Cyberattack Linked to LiteLLM Supply Chain Compromise

First seen 1 Apr 2026, 09:00 UTC TechcrunchTechnaduThecyberexpressIsc.Sans.EduScworld+21 83% similarity 71.0

Article Content

Browse articles
ThreatCluster

AI recruiting startup Mercor confirmed it was impacted by a supply chain attack linked to the LiteLLM project, which has affected thousands of organizations. The breach was attributed to the hacking group TeamPCP, with extortion group Lapsus$ claiming to have stolen approximately 4TB of data, including 939GB of source code and sensitive user information. Initial access was reportedly gained through a compromised Tailscale VPN credential. The incident highlights the risks associated with open-source software dependencies, as LiteLLM is widely used across the AI ecosystem. Mercor has initiated a thorough investigation with third-party forensics experts to assess the full extent of the breach. The attack raises significant privacy and regulatory concerns under GDPR and CCPA due to the nature of the exfiltrated data. As investigations continue, the implications for affected organizations remain serious.

Key Points: • Mercor confirmed a breach linked to the LiteLLM supply chain attack affecting thousands. • Lapsus$ claimed to have stolen 4TB of data, including source code and user databases. • The breach originated from compromised Tailscale VPN credentials exploited by TeamPCP.

ThreatCluster AI

Timeline

2026-03-23
CVE-2026-33634 published
2026-03-25
First public PoC for CVE-2026-33634
2026-03-26
CVE-2026-33634 added to CISA KEV for active exploitation
2026-03-30
Mercor breach linked to LiteLLM compromise reported
2026-04-01
Mercor publicly confirms data breach and investigation ongoing
2026-04-02
Lapsus$ claims responsibility for the Mercor data breach

Community

Browse all →