In a post on X and in comments to TechCrunch, Mercor has revealed it was “one of thousands of companies” affected by the recent LiteLLM supply chain attack and that it had “moved promptly” to contain and remediate the security incident.

Response and remediation

Mercor, an AI hiring company, said it was conducting a forensic investigation with third-party experts and would continue communicating directly with customers and contractors as appropriate.

Upstream origins: The Trivy link

The incident began upstream in LiteLLM’s release pipeline. LiteLLM said two unauthorized PyPI releases, litellm==1.82.7 and litellm==1.82.8, were published on March 24 after a maintainer account was compromised.

The company said the attack likely originated from the Trivy dependency used in its CI/CD security scanning workflow, while its GitHub incident thread said the malicious versions were uploaded directly to PyPI and were never released through the project’s official GitHub CI/CD process.

LiteLLM also said customers using its official Proxy Docker image were not affected because that deployment path pins dependencies and does not rely on the compromised PyPI packages.

Aqua Security’s advisory on the earlier Trivy incident said compromised credentials were used on March 19 to publish a malicious Trivy release and tamper with Trivy-related GitHub Actions, supporting LiteLLM’s later statement that the compromise likely originated from the Trivy dependency in its CI/CD security scanning workflow.

LiteLLM and independent security researchers said the two malicious releases used different execution paths. LiteLLM said version 1.82.7 carried a malicious payload in proxy_server.py, while version 1.82.8 added a litellm_init.pth file that gave the same payload a broader execution path.

Datadog said that the .pth file made 1.82.8 the higher-risk case because executable lines in .pth files run during Python interpreter startup, meaning the payload could launch as soon as Python started in an affected environment.
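As an added illustration of the startup behaviour Datadog describes (this is not code from LiteLLM, Datadog or the original report), the following Python check lists every .pth file in a site-packages directory that contains lines the interpreter would execute at startup, and flags installed litellm metadata matching the two unauthorized versions named above. The function names and the temporary-directory fixture are assumptions made for the example; the fixture's .pth content is a constructed, harmless stand-in.

```python
import site
from pathlib import Path

# Unauthorized PyPI releases named in LiteLLM's disclosure.
BAD_VERSIONS = {"1.82.7", "1.82.8"}

def executable_pth_lines(pth_path):
    """Return (line_number, text) for lines the site module would exec at startup."""
    hits = []
    text = Path(pth_path).read_text(errors="replace")
    for n, line in enumerate(text.splitlines(), 1):
        # site.py execs a .pth line only if it starts with "import" plus space or tab;
        # every other non-comment line is treated as a path to add to sys.path.
        if line.startswith(("import ", "import\t")):
            hits.append((n, line.strip()))
    return hits

def flagged_litellm_versions(site_dir):
    """Match litellm-<version>.dist-info directories against BAD_VERSIONS."""
    found = []
    for d in Path(site_dir).glob("litellm-*.dist-info"):
        version = d.name[len("litellm-"):-len(".dist-info")]
        if version in BAD_VERSIONS:
            found.append(version)
    return sorted(found)

def audit_site_dir(site_dir):
    """Report bad litellm versions and every .pth file with executable lines."""
    pth_hits = {}
    for p in sorted(Path(site_dir).glob("*.pth")):
        lines = executable_pth_lines(p)
        if lines:  # legitimate packages also use import lines, so review each hit
            pth_hits[p.name] = lines
    return {"bad_versions": flagged_litellm_versions(site_dir), "executable_pth": pth_hits}

def build_constructed_sample(root):
    """Constructed fixture: fake 1.82.8 metadata, a harmless import-line .pth, a path-only .pth."""
    root = Path(root)
    (root / "litellm-1.82.8.dist-info").mkdir()
    (root / "litellm_init.pth").write_text("import os  # constructed benign stand-in\n")
    (root / "extra_paths.pth").write_text("# comment\n./vendor\n")

if __name__ == "__main__":
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        if Path(d).is_dir():
            print(d, audit_site_dir(d))
```

Run directly, it audits the current interpreter's own site-packages directories; a hit on an executable .pth line is a prompt for review, since some legitimate packages use the same mechanism.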

The payload: Credential exfiltration

LiteLLM said the malware was designed to scan for environment variables, SSH keys, cloud provider credentials, Kubernetes tokens and database passwords, then exfiltrate the collected data.

That matters because LiteLLM sits in a central part of the AI application stack. Its documentation describes it as an open-source library and gateway that provides a unified interface for 100+ LLMs, and PyPI Stats shows the package is downloaded millions of times per day and nearly 95 million times per month.

Mercor says it connects people with leading AI labs and enterprises to provide human expertise essential to AI development.

Data exposure risks and Lapsus$ claims

Mercor’s own documentation also helps explain why the incident carries weight even before the company confirms what, if anything, was taken. Its help center says project tooling can include Slack, Airtable and Notion, while a separate access document says Okta is used to manage access to internal work tools including Slack.

Mercor’s AI interview documentation says interview recordings and transcripts are stored internally for evaluation purposes, while its privacy policy says the company collects resumes, work history, interview recordings, transcriptions, images from interviews and account credentials.

There is no confirmation that any of these categories of data were compromised.

Separately, TechCrunch reported that Lapsus$ claimed on its leak site to have Mercor data and shared sample material that referenced Slack data and what appeared to be ticketing data, along with two videos purportedly showing conversations between Mercor’s AI systems and contractors.

Mercor spokesperson Heidi Hagberg told TechCrunch the company was investigating, but declined to say whether the incident was connected to the Lapsus$ claims or whether any customer or contractor data had been accessed, exfiltrated or misused.

Unresolved scope and systematic campaign

The Mercor disclosure also sits within a wider campaign rather than a one-off package compromise.

Datadog said the operation moved from the March 19 Trivy compromise into LiteLLM on March 24 and Telnyx on March 27, while Aqua’s advisory shows the initial Trivy breach touched release tags, GitHub Actions and container distribution channels.

What remains unresolved is scope. LiteLLM said it had released a clean version, v1.83.0, through a new CI/CD pipeline, and Mercor said it would keep communicating with customers and contractors as its investigation continued.

But Mercor has not confirmed whether any data was exfiltrated from its environment, and TechCrunch reported that the full scope of downstream impact remained unclear as investigations continued.
