Meta Halts Mercor Work After LiteLLM Supply-Chain Breach Exposes Candidate Data
Meta paused work with AI hiring startup Mercor after Mercor disclosed a breach tied to the malicious LiteLLM packages 1.82.7 and 1.82.8, which were published to PyPI after attackers stole the project’s publishing token through a compromised CI/CD chain involving Trivy tooling. Security reporting said the tainted packages harvested credentials and deployed a multi-stage backdoor capable of stealing API keys, cloud credentials, SSH keys, Kubernetes tokens, CI/CD secrets, database passwords, and other sensitive data, leading responders to treat affected environments as fully compromised.
Mercor said the incident exposed source code and candidate information, while reports citing the attackers said as much as 4TB of data was taken, including candidate profiles, personally identifiable information, employer data, and API keys, with one claim alleging access via Tailscale VPN. The fallout spread quickly across Mercor’s customers and partners: Meta reportedly froze contracts indefinitely while investigating whether AI training data or related secrets were at risk, OpenAI reviewed its own exposure while keeping contracts in place, and the breach triggered lawsuits and broader scrutiny of software supply-chain risk across the AI ecosystem.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Contractors file lawsuits over Mercor data exposure
By April 9, multiple contractors had filed lawsuits alleging their personal data was exposed in the Mercor breach. The legal actions represented an escalation of the incident's fallout beyond technical and customer impacts.
OpenAI investigates exposure while keeping Mercor contracts
Reporting said OpenAI began investigating whether it was affected by Mercor's breach but continued its contracts with the company for the time being. This reflected widening concern among Mercor's major customers after the disclosure.
Meta pauses work with Mercor after breach
Meta froze or paused its work with Mercor while investigating the fallout from the startup's breach and the potential risk to AI training-related data and secrets. Multiple outlets reported the pause as a direct business consequence of the incident.
Mercor confirms 4TB exposure of candidate data and source code
Mercor confirmed a breach resulting from the LiteLLM supply-chain attack, with reporting stating that 4TB of candidate data and source code were exposed. This marked a more concrete public acknowledgment of the scale of the incident.
Mercor discloses breach tied to LiteLLM supply-chain compromise
Mercor disclosed on March 31 that it suffered a data breach that it attributed to the compromised open source tool LiteLLM. The company said the incident exposed candidate data and triggered an internal response and investigation.
LAPSUS$ claims breach of Mercor and theft of 4TB of data
A threat actor identified in reporting as LAPSUS$ claimed it had breached AI hiring startup Mercor via Tailscale VPN access and stolen 4TB of data. The claimed haul included candidate and company information, though the claim was not yet independently confirmed at that stage.
Researchers warn LiteLLM compromise may expose downstream AI ecosystems
Security reporting described the LiteLLM incident as a critical supply-chain attack with transitive impact across major AI frameworks and tools. Defenders were urged to treat affected systems as fully compromised and rotate credentials, and reporting linked the broader campaign to TeamPCP.
Malicious LiteLLM packages published to PyPI
Attackers published malicious LiteLLM versions 1.82.7 and 1.82.8 to PyPI after stealing the project's publishing token through a compromised CI/CD supply chain involving Trivy tooling. The packages harvested credentials and deployed a multi-stage backdoor affecting AI developers and downstream users.
Trivy compromise leads to malicious code in LiteLLM
Reporting said LiteLLM was infected with credential-stealing code through a compromise involving Trivy in the CI/CD supply chain. The incident represented the upstream intrusion that enabled the later publication of malicious LiteLLM packages to PyPI.
Sources
7 references tracked. Mallory keeps watching after this page renders.
After data breach, $10B-valued startup Mercor is having a month | TechCrunch
techcrunch.com
Open sourceMeta Pauses Work With Mercor After LiteLLM-Linked Data Breach - TechRepublic
techrepublic.com
Open sourceMeta freezes AI data work after breach puts training secrets at risk
thenextweb.com
Open sourceMeta Pauses Work With Mercor, Investigating Data Breach at AI Startup - Business Insider
businessinsider.com
Open sourceMercor confirms breach in LiteLLM supply-chain attack, exposing 4TB of candidate data and source code - Tech Startups
techstartups.com
Open sourceCritical supply chain attack hits LiteLLM, exposing AI developers | Cybernews
cybernews.com
Open sourceLiteLLM infected with credential-stealing code via Trivy
theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Meta Halts Mercor Work After Breach Exposes Sensitive AI Training Data
Meta has indefinitely paused work with data contractor Mercor after a major breach at the startup raised concerns that proprietary human-generated training datasets used by leading AI companies may have been exposed. Mercor supplies training data to firms including **OpenAI** and **Anthropic**, and the incident has prompted other AI labs to reevaluate their ties to the company. Mercor confirmed the attack internally on March 31 and said it was linked to a broader incident affecting multiple organizations. The breach is considered especially sensitive because exposed datasets could reveal details about AI model training pipelines and other competitive information. OpenAI said it is investigating whether its proprietary training data was affected, while adding that no OpenAI user data was exposed. Reporting tied the intrusion to compromised versions of the `LiteLLM` AI API tool, with researchers attributing the activity to **TeamPCP** rather than a threat actor simply using the **Lapsus$** name; the disruption also reportedly affected contractor work on Meta-related projects, including **Chordus**.
May 7, 2026
Mercor Breach Traced to Malicious LiteLLM Packages in Supply-Chain Attack
AI recruiting firm **Mercor** confirmed a security incident after attackers leveraged the **LiteLLM** supply-chain compromise to gain access to its environment. Reports said unauthorized publishes to the project's **PyPI** packages introduced credential-stealing malware designed to harvest API keys, cloud secrets, and tokens from organizations using the open-source LLM gateway. Mercor said it was among thousands of organizations affected, contained and remediated the issue, and brought in external forensic experts as the investigation continued; LiteLLM separately said it was investigating the malicious package activity and released a clean version of the software. Security reporting identified Mercor as the first publicly confirmed downstream victim of the campaign, with stolen credentials allegedly used for lateral movement inside internal infrastructure and the exfiltration of roughly **4 TB** of data. The reportedly stolen data included source code, internal databases, and cloud-stored operational material such as videos and verification workflows. Researchers linked the incident to a broader wave of poisoned developer-tool compromises, including **Trivy** and **KICS**, and warned that related attacks may have impacted more than **1,000 SaaS environments** and potentially hundreds of thousands of machines; separate claims by **Lapsus$** and reporting tying the operation to **TeamPCP** remained unresolved in the cited coverage.
Apr 3, 2026
Meta Suspends Internal AI Training Program After Employee Data Exposure
Meta halted its internal **Model Capability Initiative (MCI)** after a permissions misconfiguration exposed sensitive employee-monitoring data to the company’s broader workforce. The program, launched in April for U.S.-based employees, collected detailed telemetry including mouse movements, clicks, keystrokes, and occasional screenshots to train internal AI and machine-learning systems. Reuters-reported documents indicated the exposed data included private conversations, AI prompts and request transcripts, and other records gathered from internal systems. Internal concerns had reportedly been raised earlier about both the intrusiveness of the monitoring and data-storage weaknesses, with a later security alert finding confidential information accessible in cleartext to Meta employees. The exposed material reportedly included named HR performance data and documents classified under DSS sensitivity levels 1 through 4. Meta said it has found no evidence of improper employee access or malicious exploitation, but it suspended the program while investigating and has not said when, or in what form, it may resume.
Jun 25, 2026