How Mercor Lost 4TB of Biometrics, Then Waited 3 Months
A 40-minute open-source hack detonated inside a $10B AI recruiting startup, and contractors only found out this summer.
Mercor’s supply chain nightmare started on March 27 with a poisoned Python package that was live for less than an hour. It ended in June with Meta pulling contracts indefinitely, Lapsus$ auctioning passport scans, and roughly 40,000 experts receiving a “your data was downloaded” email from a subdomain most of them had never seen. Here’s the full timeline, what the hackers actually got, why the three-month gap between the initial disclosure and mass notification matters legally, and what this breach reveals about how fragile the AI stack of 2026 has quietly become.
On March 27, 2026, two versions of an open-source Python library called LiteLLM went live on the PyPI package registry for roughly forty minutes before anyone noticed they were poisoned. Versions 1.82.7 and 1.82.8 contained credential-harvesting malware. During those forty minutes, developers around the world ran their usual dependency updates, and one of them worked inside Mercor, the AI recruiting startup that had been valued at $10 billion just five months earlier.
Between March 24 and March 30, the attackers moved through Mercor’s systems. On March 31, Mercor published a short statement acknowledging it was “one of thousands of companies impacted.” Days later, the Lapsus$ extortion group listed Mercor on its dark-web leak site, claiming to hold roughly 4 terabytes of stolen data, including candidate profiles, source code, API keys, TailScale VPN records, and full video interview archives.
Meta paused its Mercor contracts within days. Five contractors sued. And then, for about three months, individual experts on Mercor’s platform heard almost nothing about whether their passport scans, Social Security numbers, and facial biometrics had actually been taken. The notification wave finally arrived in early July.
4TB reportedly stolen via LiteLLM
Lapsus$ listed Mercor on its leak site claiming 4TB of candidate profiles, PII, source code, API keys, VPN data, and interview recordings.
March 31 filing, July notices
Mercor confirmed a “supply chain incident” on March 31. Individual contractor breach notifications did not go out at scale until roughly three months later.
Passport scans and SSNs on the list
Independent reports and lawsuit filings cite passport scans, Social Security numbers, facial biometrics, and video interview recordings among the exfiltrated data.
Meta pulled contracts, five suits filed
Meta paused its Mercor contracts indefinitely. Five contractors have filed suit. One complaint names LiteLLM and compliance startup Delve as co-defendants.
The 40-minute LiteLLM window
The entry pointOn March 27, 2026, a threat group known as TeamPCP used compromised maintainer credentials to publish two malicious LiteLLM versions to PyPI: 1.82.7 and 1.82.8. The packages were live for roughly forty minutes before being pulled. That is not an unusually long window by open-source standards, but LiteLLM is not an unusually small package. According to Wiz Research, LiteLLM is present in roughly 36% of cloud environments, and Cybernews puts its monthly download volume near 97 million.
The malicious versions were designed to exfiltrate credentials from any system that installed them. LiteLLM’s own postmortem traces the root cause one step further back, to a separate compromise of a scanning tool called Trivy that had exposed sensitive tokens used in the LiteLLM CI/CD workflow. In other words: the poisoning of LiteLLM was itself the downstream result of a supply chain attack on the supply chain of LiteLLM.
The pattern will feel familiar to anyone who tracked log4j in December 2021. A single piece of shared infrastructure, so common it stops registering as a third-party dependency at all, becomes the highest-leverage target on the internet for a short window. LiteLLM in 2026 sits in the same category as log4j did then. It is glue code that connects application layers to LLM providers, and once it is installed, it sits deep inside CI/CD and runtime environments where credentials and tokens live. A poisoned version can silently pull whatever the surrounding process can reach.
Lapsus$ lists Mercor for auction
The public escalationWithin days of Mercor’s short March 31 disclosure, the Lapsus$ extortion group added Mercor to its dark-web leak site and claimed to hold approximately 4 terabytes of internal data. The listing detailed candidate profiles, personally identifiable information, employer data, user accounts and credentials, video interviews, proprietary information, source code, API keys and secrets, and TailScale VPN records.
SecurityWeek reported that TeamPCP, the group behind the LiteLLM compromise, is believed to have partnered with Lapsus$ to monetize the access. This is a meaningful pattern change. Historically, Lapsus$ was best known for the 2022 attacks on Okta, Microsoft, Nvidia, and Samsung. TeamPCP has been more focused on open-source and cloud infrastructure. A collaboration between an infrastructure-focused compromise group and an established extortion brand is exactly the kind of vertical integration that made ShinyHunters’ Salesforce campaign so damaging and Cl0p’s MOVEit campaign so lucrative.
Mercor has neither confirmed nor denied the authenticity of the 4TB figure. Independent reporting from AllAboutCookies and Business Insider indicates roughly 40,000 contractors received breach notifications, a scale that is inconsistent with the “very limited subset” framing used in Mercor’s early public messaging. Whether the auction actually cleared, and to whom, is not publicly known. What is publicly known is that samples were posted to establish credibility, and those samples matched categories subsequently confirmed in the contractor notification emails.
Meta pauses contracts indefinitely
The customer falloutSources told Wired in early April that Meta had paused its Mercor contracts indefinitely. Mercor declined to comment. That decision matters more than it looks: Meta spent $14.3 billion on Mercor’s competitor Scale AI and still continued working with Mercor, because Mercor’s specialty is not raw labeling volume but access to domain experts, doctors, lawyers, and PhDs used to train reasoning-heavy models for OpenAI, Anthropic, Google, and Meta itself.
For a company reportedly on pace to hit over $1 billion in annualized revenue earlier in the year, per The Information, losing an anchor customer is a real revenue event, not a headline event. And Meta was almost certainly not alone in reviewing its exposure. Lab customers with SEC disclosure obligations, Microsoft, Google’s Alphabet, and Meta itself, had to privately determine whether evaluator metadata, rubrics, or program correspondence in Mercor’s environment qualifies as material under the SEC’s 2023 cybersecurity disclosure rules.
Mercor’s business model is what makes the Meta pause so consequential. The company was founded in 2023 by Brendan Foody, Adarsh Hiremath, and Surya Midha, all in their early twenties, and raised its $350 million Series C in October 2025 at a $10 billion valuation, led by Felicis Ventures. The pitch is that as frontier labs shifted from broad labeling to specialized reasoning training, they needed vetted domain experts on lab timelines, not gig-economy volume. Mercor operates a platform of roughly five million registered experts and moves them through video interviews, background checks, and NDA workflows before assigning them to lab projects. The vetting stack is exactly what got exfiltrated.
The Delve and Y Combinator fallout
The compliance angleOne of the five contractor lawsuits reviewed by TechCrunch named LiteLLM and Delve, an AI compliance startup, as co-defendants. The connection is that LiteLLM had used Delve to obtain its security certifications. Around the same time, an anonymous whistleblower accused Delve of allegedly faking data for those certifications and using rubber-stamping auditors. Delve denied the allegations while instituting operational changes, but by early April the reputational damage had begun. Y Combinator cut ties with Delve.
LiteLLM dropped Delve and moved to a different compliance partner. Mercor itself was not a Delve customer, the company confirmed to TechCrunch. But the sequence still lands somewhere uncomfortable for the industry: a widely used open-source AI library was certified through a compliance vendor now accused of rubber-stamping, and that library was then used to attack a startup valued at $10 billion. That is not a story about Delve alone. It is a story about a specific segment of the “AI compliance” market that grew fast in 2024 and 2025 by offering rapid SOC 2, ISO 27001, and HIPAA attestations to AI startups facing enterprise procurement questions for the first time.
The theory tested by the contractor lawsuit is that a compliance vendor that allegedly rubber-stamps controls contributes to downstream harm when those controls fail. Whether that theory survives a motion to dismiss will matter for the whole category. If it does, expect due diligence on compliance vendors themselves to become part of enterprise procurement checklists in a way it currently is not.
The 3-month silence to individual contractors
The trust costMercor’s March 31 statement acknowledged the LiteLLM incident. Its June 26 blog post announced that the third-party forensic investigation, assisted by Google’s Mandiant and security firm Latacora, was complete. In between, according to AllAboutCookies’ review of notification emails, most affected contractors did not receive individualized breach notices confirming their data had been touched. The notification emails, sent from mercor@notifications.cyberscout.com, arrived at scale roughly three months after the initial exposure window.
For the ~40,000 contractors reportedly notified, that gap has a real cost. During those three months, they could not place fraud alerts, could not freeze credit with specificity, and could not know whether the phishing attempts hitting their inbox were tied to Mercor or ambient noise. The company’s stated position, that most of the data affected was “contact information,” is inconsistent with the passport scans, SSNs, facial biometrics, and video interview recordings cited in independent reporting and in the five contractor lawsuits filed since April.
There is also a regulatory dimension. California’s CCPA, Illinois’ Personal Information Protection Act, New York’s SHIELD Act, and Texas’ identity theft statutes all trigger notification obligations when SSNs are involved. The specific timing rules vary, but “as soon as reasonably possible” is the general standard, and a three-month gap between confirmed exposure and mass notification will invite scrutiny. Affected EU-based contractors have GDPR data-subject rights that force Mercor to disclose precisely what categories of personal data were exfiltrated, on request, within one month. Those DSAR requests are already being filed.
A 40-minute open-source hack, a
$10 billion startup, and 3 months of
silence between them.
The deeper story behind the Mercor breach is structural. The AI stack of 2026 is composed of a small number of widely shared open-source primitives: LiteLLM, LangChain, Triton, vLLM, Ray, Helm. These libraries have moved from “interesting tools” to “load-bearing infrastructure” without the corresponding investment in dependency hygiene, package signing, cryptographic attestation, and incident response.
Security researchers have been tracking this migration for years. The chokepoints keep moving: operating systems in the early-2000s patch worms, OS-level package managers in the 2010s npm and PyPI incidents, CI/CD systems in the Codecov era, identity and SaaS in the Okta and MOVEit years, and now AI-specific middleware. LiteLLM is to the LLM stack what log4j was to Java logging in 2021, a piece of plumbing so common it stopped being treated as a third-party dependency at all.
Each successive incident has shortened the window between dependency compromise and downstream impact. In log4j’s case, exploitation took days to weeks. In LiteLLM’s case, forty minutes of tainted-package availability was enough to reach a $10 billion startup’s video interview archive. The direction of travel is compressing, not stretching.
The fix, to the extent one exists, involves things that are neither novel nor exciting: signed packages with hardware-backed maintainer keys, reproducible builds, mandatory attestation for high-privilege dependencies, and internal review of every net-new import into production. None of these things are secrets. They are just underinvested. Mercor’s breach did not happen because the industry lacked the technology to prevent it. It happened because a small number of shared primitives grew load-bearing faster than the ecosystem around them grew defensive, and one poisoned package on one Friday in March landed in the wrong CI/CD workflow.
- State AG action. California, New York, Texas, and Illinois have aggressive breach-notification statutes that trigger on SSN exposure. Delayed notice is the kind of fact pattern AGs pursue.
- Class action consolidation. Five contractor suits have already been filed. Expect motions to consolidate, and expect the LiteLLM and Delve theories to be tested in discovery.
- Meta contract status. Whether Meta resumes Mercor contracts, and on what terms, is the clearest signal of how lab customers are pricing Mercor’s security posture now.
- FTC Section 5 scrutiny. Open-source dependency hygiene is now on the FTC’s list of “reasonable security” expectations. A Mercor case would establish precedent.
- LiteLLM’s ongoing security posture. LiteLLM’s second-choice compliance vendor and its Trivy-related remediation are the tell for whether the ecosystem is actually changing.
⚠️ Four things to keep in mind reading Mercor’s disclosures
1. “Contact information” is a very small word for what was on the leak site. Reports and lawsuit filings describe passport scans, SSNs, facial biometrics, and video interviews. Mercor’s public language has been narrower than the independent reporting, and the notification emails sent to contractors describe categories that go beyond simple contact data.
2. “Thousands of companies were affected” is true and not exonerating. LiteLLM’s 36% cloud-environment footprint means many companies pulled the tainted package. What differentiates Mercor is not that it was hit. It is what Mercor stored (biometrics, government IDs, video), how long attackers had, and how long it took to tell affected people.
3. Certifications do not stop supply chain attacks. LiteLLM was certified through Delve. Delve was accused of rubber-stamping. Certifications are a documentation artifact, not a defensive control. If enterprise procurement is treating them as controls, that is the actual security gap.
4. Attribution is provisional. Reporting attributes the LiteLLM compromise to TeamPCP and the 4TB auction to Lapsus$, with a claimed partnership between them. Threat-actor attribution based on leak-site branding is soft evidence. What is firm is the timeline, the data categories, and the notification gap.