Quick Take
| Target: | Mercor — $10 Bn AI data startup, San Francisco | Clients: Meta, OpenAI, Anthropic |
| Attack vector: | LiteLLM supply chain attack (TeamPCP) + Lapsus$ extortion group |
| Data stolen: | ~4 TB claimed | 939 GB source code | 211 GB user DB | 3 TB video interviews | 40,000 contractor records |
| Meta response: | INDEFINITELY paused all work with Mercor | Thousands of contractors unable to log hours |
| Legal: | Class action lawsuit filed April 1, 2026 — alleges inadequate cybersecurity protections |
| Others: | OpenAI investigating but not paused | Anthropic silent | Google assessing exposure |
Meta has indefinitely paused all work with AI data startup Mercor — valued at $10 billion after a $350 Mn Series C — following a major supply chain cyberattack in which hacking groups TeamPCP and Lapsus$ claim to have exfiltrated as much as 4 terabytes of data, potentially including proprietary AI training methodologies used by Meta, OpenAI, and Anthropic. Two sources confirmed the pause to WIRED, describing it as indefinite and noting that thousands of contractors dependent on Meta projects are now effectively unable to work.
StartupFeed Insight
| What this means: The AI industry has built a $100 Bn+ training data supply chain on open-source dependencies it does not fully control. Mercor is the first major breach in this space — and it may not be the last.
Who loses:
The structural problem: Multiple competing AI labs used the same third-party data vendor. A single breach now exposes all their competitive secrets simultaneously. This is the single point of failure that enterprise security teams have warned about — and the AI industry built it anyway, optimising for speed over security. |
How the Attack Happened: The LiteLLM Supply Chain Breach
The attack originated not at Mercor, but several steps upstream, in the open-source ecosystem that powers AI development. LiteLLM is a popular Python library used by developers to connect applications to AI services from OpenAI, Anthropic, Google, and others. It records 97 million monthly downloads and is present in an estimated 36% of cloud environments — making it one of the most widely used tools in the AI developer stack.
Attack Timeline
| Date / Event | What Happened |
|---|---|
| Prior to March 27 | TeamPCP conducts supply chain attack on Trivy (security scanner) to steal credentials belonging to a LiteLLM maintainer |
| March 27, 2026 | TeamPCP uses stolen credentials to publish two malicious LiteLLM versions (1.82.7 and 1.82.8) directly to PyPI, the Python package repository |
| ~40 minutes | Malicious packages available on PyPI. Payload: base64-encoded malware embedded in the library’s proxy server code — executes on import, harvesting credentials |
| March 27, 2026 | Packages identified and removed. But thousands of developers had already downloaded and executed them, including Mercor’s systems |
| March 31, 2026 | Mercor sends staff email confirming the breach: “There was a recent security incident that affected our systems along with thousands of other organizations worldwide” |
| April 1, 2026 | Lapsus$ claims responsibility for Mercor breach; publishes data samples on dark web including Slack data, internal tickets, contractor videos. Class action lawsuit filed in US District Court, N. California |
| April 2–4, 2026 | Meta indefinitely pauses all Mercor work. WIRED confirms with two sources. Lapsus$ begins auctioning alleged 4 TB of stolen data |
The payload was sophisticated. Version 1.82.7 embedded base64-encoded malware directly into LiteLLM’s proxy server code, designed to execute the moment the library was imported. Version 1.82.8 is also flagged as malicious. Security firm Snyk and Wiz analysed the attack; Datadog Security Labs confirmed its scope.
About Mercor: The $10 Billion Startup at the Centre of the Storm
| Mercor — Company Profile | |
| Founded | 2023 | Headquarters: San Francisco, California |
| Valuation | $10 Billion (as of October 2025 Series C) |
| Latest Funding | $350 Mn Series C led by Felicis Ventures (October 2025) |
| Business model | AI-powered recruiting platform connecting AI labs with global expert contractors for data annotation, model evaluation, and training data generation |
| Key clients | Meta, OpenAI, Anthropic (confirmed) | Google under assessment |
| Contractors | 40,000+ globally — experts in medicine, law, literature, STEM, and other domains |
| What was exposed | AI training methodologies, evaluation frameworks, proprietary dataset strategies of clients |
| Alleged stolen data | 939 GB platform source code | 211 GB user database | 3 TB contractor video interviews |
Mercor’s core product was elegantly simple in concept: use AI to recruit, vet, and manage global expert contractors who generate the bespoke training data that makes frontier AI models work. The company’s pitch to AI labs was that it could source specialists — neurosurgeons to evaluate medical AI, lawyers to test legal reasoning, mathematicians to verify proofs — faster and more reliably than any human recruiter could. It raised $350 Mn at a $10 Bn valuation on the strength of contracts with the three most valuable AI labs in the world.
Why This Breach Is Different: AI Training Secrets as Competitive IP
Most enterprise data breaches expose personal information, financial records, or customer data. The Mercor breach is different. What Lapsus$ claims to have accessed includes AI training methodologies — the precise approaches Meta, OpenAI, and Anthropic use to teach their models. This is not just dataset leakage. It is methodology exposure
Training methodologies that took months and hundreds of millions of dollars to develop can, in theory, be reverse-engineered from exposed vendor data. The competitive implications are severe: Chinese AI labs, in particular, could use exposed training approaches to accelerate their own model development. This is why Meta’s AI training pipeline is treated as one of the company’s most strategically sensitive assets.
The AI industry has built its most valuable intellectual property on top of an interconnected web of data vendors, open-source tools, and shared infrastructure — and that web now constitutes an attack surface that no single company fully controls.
— The Next Web, Analysis of the Mercor Breach, April 2026
How Each AI Lab Has Responded
| Company | Response | Details |
|---|---|---|
| Meta | PAUSED | Indefinitely paused all work with Mercor. No public statement. Thousands of contractors unable to log hours. |
| OpenAI | Investigating | Investigating how proprietary training data may have been exposed. Has not paused Mercor projects. |
| Anthropic | Silent | Has not publicly commented on its exposure. Understood to be assessing the breach’s scope. |
| Assessing | Understood to be evaluating potential exposure. No public statement. | |
| Mercor | Confirmed | Confirmed breach in staff email (March 31). Third-party forensics investigation underway. Spokesperson Heidi Hagberg says company “moved promptly” to contain the incident. |
The Structural Problem: One Vendor, All Competitors’ Secrets
The Mercor breach reveals a structural vulnerability that the AI industry has largely ignored in its race to scale. Most major AI labs use 10 to 15 data vendors in various capacities — from annotation services to synthetic data generation. When multiple competitors rely on the same third-party supplier, a single breach can expose all of their competitive secrets simultaneously.
This is not a theoretical risk anymore. Scale AI, Appen, Remotasks, and a handful of other data vendors operate in the same space as Mercor. They all share a similar architecture: global contractor networks managed through web platforms, deeply integrated into AI labs’ training pipelines, often relying on the same open-source Python libraries. Every one of them now faces the same question Meta asked about Mercor: what do we know about their security posture, and is our IP safe?
Relevance for Indian Startups and IT Firms
Indian data annotation and AI services firms are directly in the crosshairs: Companies like iMerit, Karya, and dozens of smaller data labelling firms compete in the same market as Mercor. The breach creates both a risk (clients will now demand enterprise-grade security audits) and an opportunity (firms that can demonstrate strong security posture will differentiate).
Indian IT services companies face new vendor security scrutiny: TCS, Infosys, Wipro, and HCL all run AI model evaluation and data annotation practices for global clients. Any Indian IT firm involved in AI training data supply chains will face enhanced due diligence requirements in the wake of the Mercor breach.
Open-source dependency risk is now a mainstream boardroom concern: Indian SaaS companies and startups that build on PyPI packages and open-source AI libraries face the same supply chain attack vector that hit Mercor. The LiteLLM attack — 40 minutes on PyPI before removal — is a wake-up call for any team using third-party Python packages in production AI systems.
What’s Next
- The class action lawsuit filed April 1, 2026 (plaintiff: Lisa Gill, US District Court, Northern California) alleges Mercor failed to maintain adequate cybersecurity protections, exposing 40,000+ people to identity theft and fraud
- Lapsus$ is actively auctioning allegedly stolen Mercor data on dark web forums, including 939 GB of source code and 211 GB user database — the auction outcome will determine how widely the data spreads
- Multiple AI labs are expected to conduct comprehensive vendor security audits across their entire data supply chain in the coming weeks
- The EU AI Act’s supply chain transparency requirements, entering phased implementation in 2026, will accelerate mandatory vendor security documentation for AI systems
- Mercor’s $10 Bn valuation faces a critical test: the company’s entire business model depends on trust from clients and contractors — both of which the breach has damaged
- PyPI and the Python open-source ecosystem are under pressure to implement stronger code signing, dependency verification, and malicious package detection capabilities
