Mercor has disclosed that it was affected by the LiteLLM supply chain attack, with extortionists claiming the theft of more than 4TB of Mercor data. The incident occurred on March 27 and is linked to the Trivy supply chain attack, which LiteLLM says originated from a maintainer's compromised credentials; those credentials were used in Mercor's CI/CD security scanning workflow.
Two malicious LiteLLM PyPI package versions, 1.82.7 and 1.82.8, were available for roughly 40 minutes; according to LiteLLM, in that window the packages were likely downloaded into thousands of environments, including Mercor's. LiteLLM is estimated to be present in 36% of cloud environments, and Mercor says it recently identified itself as one of the thousands of companies affected by the supply chain campaign.
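A first triage step for anyone reading this is to find out whether the two version numbers named above ever landed in their dependency manifests or lockfiles. The script below is an added example written for this article, not code from Mercor, LiteLLM or any vendor: the affected versions are the two the article names, while the scanning logic, the sample requirement lines and the helper names are constructed here. It walks pip-freeze or requirements-style lines, normalises project names the way PyPI does, flags exact pins on 1.82.7 or 1.82.8, and separately reports unpinned LiteLLM specifiers, because a range such as `>=1.82.0` could have resolved to a malicious release inside the 40-minute window and can only be settled by checking the lockfile or the CI resolution log.

```python
"""Flag LiteLLM requirement pins on the two versions named in the article.

Added example for triage; not project code. Sample input is constructed.
"""
import re
from importlib.metadata import PackageNotFoundError, version
from typing import Iterable, List, Optional, Tuple

# The two PyPI releases the article identifies as malicious.
AFFECTED = {"litellm": {"1.82.7", "1.82.8"}}

# Project name at the start of a requirement line (stops before extras/specifiers).
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
# Exact '==' pin, tolerating an extras clause such as litellm[proxy]==1.82.8.
_PIN_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;,]*)"
)


def normalize(name: str) -> str:
    """PEP 503 normalisation so LiteLLM, litellm and Lite_LLM compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan(lines: Iterable[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (exact pins on affected versions, unpinned affected project names)."""
    affected: List[Tuple[str, str]] = []
    unpinned: List[str] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # skip -r/--index-url options
            continue
        nm = _NAME_RE.match(line)
        if not nm:
            continue
        name = normalize(nm.group(1))
        if name not in AFFECTED:
            continue
        pin = _PIN_RE.match(line)
        if pin is None:
            # Range, URL or bare name: what got installed depends on resolution time.
            unpinned.append(name)
        elif pin.group(1) in AFFECTED[name]:
            affected.append((name, pin.group(1)))
    return affected, unpinned


def installed_version(name: str) -> Optional[str]:
    """Version of a distribution in the running interpreter, or None if absent.

    Checks this environment only; a clean result here says nothing about a CI
    runner or container image that resolved dependencies during the window.
    """
    try:
        return version(name)
    except PackageNotFoundError:
        return None


# Constructed sample lines (several requirement files concatenated for the demo).
SAMPLE_LINES = """\
fastapi==0.115.0
LiteLLM==1.82.7   # pinned inside the exposure window
openai==1.60.0
litellm[proxy]==1.82.8
litellm>=1.82.0
litellm==1.82.9
-r base.txt
"""

if __name__ == "__main__":
    hits, unresolved = scan(SAMPLE_LINES.splitlines())
    for name, ver in hits:
        print(f"AFFECTED pin: {name}=={ver}")
    for name in unresolved:
        print(f"UNRESOLVED specifier for {name}: check lockfile / CI resolution log")
    print("installed litellm:", installed_version("litellm"))
```

Run it against `pip freeze` output or a repository's requirement files. A clean result is necessary but not sufficient: a manifest that pins a safe version today may still have resolved to 1.82.7 or 1.82.8 in a CI job during those 40 minutes, so the authoritative evidence is the pip install log or the lockfile history for that interval, plus the package cache on any long-lived build hosts.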
The Lapsus$ extortion group has listed Mercor on its leak site, claiming the data include candidate profiles, personal data and credentials, and other sensitive information, though Mercor has not publicly confirmed those claims. According to LiteLLM, the security team moved promptly to contain and remediate the incident, with investigations supported by third‑party forensics experts.