In short: Meta has suspended its collaboration with Mercor, a $10 billion AI data startup, after a supply chain attack exposed what may be the AI industry’s most closely guarded secrets: not just personal data, but the training methodologies that power the world’s leading large language models. The breach, carried out via a poisoned version of the LiteLLM open-source library, has triggered investigations at OpenAI and Anthropic, and resulted in a class action lawsuit affecting more than 40,000 people.
When hackers poisoned a widely used open-source library last month, they did not just steal personal data. According to reporting by Wired, they may have walked out with the blueprints for how some of the world’s most powerful AI models are built.
Meta has paused its work with Mercor, a San Francisco-based AI data company that generates bespoke training datasets for the biggest names in artificial intelligence, after a cyberattack exposed sensitive information about how the company, and potentially several of its other clients, actually trains its models. The pause is indefinite, and the incident has sent a ripple of anxiety through an industry that has spent billions developing the proprietary methods it was counting on keeping secret.
The startup behind the curtain
Mercor is not a household name, but it sits at a critical juncture of the AI economy. Founded in 2023 by Brendan Foody, Adarsh Hiremath, and Surya Midha, three Bay Area high school friends who competed together on the Bellarmine College Preparatory Speech and Debate team, the company recruits networks of human contractors, engineers, lawyers, doctors, bankers, and journalists, to produce high-quality, proprietary training data for AI labs. Its clients have included Meta, OpenAI, Anthropic, and Google.
The startup’s rise has been extraordinary even by Silicon Valley standards. In October 2025, Mercor closed a $350 million Series C round that valued it at $10 billion, minting all three founders as the world’s youngest self-made billionaires at the age of 22. By September 2025, the company had reached $500 million in annualised revenue, up from $100 million just six months earlier. Its business model, generating the fine-tuning and reinforcement learning data that AI labs rely on but rarely discuss publicly, made it one of the most valuable private companies in the AI supply chain.
That same positioning is now the source of its vulnerability.
A poisoned package, a cascade of exposure
The attack that reached Mercor originated several steps upstream. According to analysis by Wiz, Snyk, and Datadog Security Labs, a threat actor group known as TeamPCP compromised the CI/CD pipeline of LiteLLM, an open-source Python library used by millions of developers to connect applications to AI services, with 97 million monthly downloads and a presence in an estimated 36% of cloud environments.
TeamPCP had earlier used a supply chain attack on Trivy, a widely used security scanner, to obtain credentials belonging to a LiteLLM maintainer. On 27 March 2026, the group used those credentials to publish two malicious versions of the LiteLLM package, 1.82.7 and 1.82.8, directly to PyPI, the Python package repository. The tainted packages were available for roughly 40 minutes before being identified and removed.
The payload was sophisticated. Version 1.82.7 embedded base64-encoded malware directly into the library’s proxy server code, executing on import. Version 1.82.8 used a malicious path configuration file that triggered automatically on every Python process startup. Both variants were designed to harvest environment variables, API keys, SSH keys, cloud credentials across AWS, Google Cloud, and Azure, Kubernetes configurations, CI/CD secrets, and database credentials, exfiltrating everything to a server at models.litellm[.]cloud.
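A defensive check for the two delivery methods described above, as an added example that is not from the original article or from LiteLLM: it flags path configuration (`.pth`) lines that Python's `site` module executes at startup and reports installed `litellm` versions matching 1.82.7 or 1.82.8. The suspicious-pattern regex, the function names and the sample directory contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Versions named in the article as malicious.
BAD_LITELLM = {"1.82.7", "1.82.8"}

# site.py executes any .pth line that starts with "import" plus a space or tab.
EXEC_LINE = re.compile(r"^import[ \t]")
# Heuristic markers (assumption): calls a path file has no ordinary reason to make.
SUSPICIOUS = re.compile(r"base64|exec\(|eval\(|subprocess|urllib|socket")


def scan_pth(site_dir):
    """Return (file name, line number, verdict) for every executable .pth line."""
    findings = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if EXEC_LINE.match(line):
                verdict = "suspicious" if SUSPICIOUS.search(line) else "review"
                findings.append((pth.name, lineno, verdict))
    return findings


def bad_litellm_versions(site_dir):
    """Return installed litellm versions in site_dir that match the bad releases."""
    hits = []
    for meta in Path(site_dir).glob("litellm-*.dist-info"):
        version = meta.name[len("litellm-"):-len(".dist-info")]
        if version in BAD_LITELLM:
            hits.append(version)
    return sorted(hits)


def demo():
    """Build a constructed site-packages tree (never executed) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plain.pth").write_text("/opt/extra/lib\n# comment\n")
        (root / "hook.pth").write_text(  # constructed sample; decodes to "pass"
            "import base64; exec(base64.b64decode('cGFzcw=='))\n")
        (root / "litellm-1.82.8.dist-info").mkdir()
        (root / "litellm-1.81.0.dist-info").mkdir()  # constructed version number
        return scan_pth(root), bad_litellm_versions(root)


if __name__ == "__main__":
    print(demo())
```

Legitimate packages also ship executable `.pth` lines, so a "review" verdict calls for comparison against a known-good baseline rather than immediate removal.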
Mercor, which confirmed it was “one of thousands of companies” affected by the attack, subsequently found that the breach had exposed approximately four terabytes of data. According to court filings and claims made by the hacking groups involved, the stolen cache includes 939 gigabytes of platform source code, a 211-gigabyte user database, and roughly three terabytes of video interview recordings and identity verification documents. The exposed information may include the full names and Social Security numbers of more than 40,000 current and former Mercor contractors and customers.
The secrets that matter most
The personal data exposure would be troubling enough. But what has alarmed Meta and drawn the attention of other AI labs is a different category of information entirely.
Because Mercor sits inside the data pipelines of multiple AI companies simultaneously, the breach may have exposed details about data selection criteria, labeling protocols, and training strategies that companies have spent years and billions of dollars developing. Competitors can replicate a dataset; replicating a training methodology is harder, and it represents a genuine competitive moat. The Wired report notes that the scale of that potential exposure has prompted multiple AI labs to investigate what, precisely, may have left their orbit.
OpenAI, which also uses Mercor’s services, has stated it is investigating the incident but has not paused its current projects with the company. Anthropic, which raised $3 billion in early 2026 and has been expanding its research infrastructure aggressively, has not publicly commented on its exposure. Google, which operates competing data vendor relationships of a similar kind, is also understood to be assessing the breach’s scope.
The incident illustrates a structural risk that the AI industry has rarely had to confront: when multiple competitors rely on the same third-party data supplier, a single breach can expose the competitive secrets of all of them at once.
Extortion and legal fallout
The threat group Lapsus$, which has previously been linked to high-profile attacks on major corporations, subsequently claimed responsibility for the Mercor breach and started auctioning the stolen data on dark web forums. Security researchers believe Lapsus$ is acting in collaboration with TeamPCP, which has emerged as a systematic threat across the AI and enterprise software ecosystem. The same group is believed responsible for a wave of supply chain compromises affecting more than 1,000 enterprise SaaS environments via the earlier Trivy attack, including a breach of the European Commission attributed by CERT-EU to the same campaign.
On 1 April 2026, plaintiff Lisa Gill, a resident of Wahiawa, Hawaii, filed a class action complaint against Mercor.io Corp. in the US District Court for the Northern District of California. The suit alleges that Mercor failed to maintain adequate cybersecurity protections, leaving more than 40,000 people exposed to identity theft and fraud. The complaint states that the LiteLLM incident on 27 March was the entry point and that Mercor’s reliance on a compromised open-source dependency without sufficient monitoring created the conditions for the breach.
Meta, meanwhile, has said nothing publicly, a silence that speaks volumes. The company signed a $27 billion AI infrastructure deal with Nebius Group in March 2026 and has forecast capital expenditures of between $115 billion and $135 billion for the year, making its AI training pipeline one of its most strategically sensitive assets. Pausing a data vendor relationship, even an important one, is the kind of decision that gets made only when the risk to proprietary methodology outweighs the operational cost of stopping work.
A cautionary tale for the AI supply chain
The Mercor breach is, in one sense, a conventional supply chain attack: a threat actor found a weak link in an open-source dependency and exploited it for credential theft and data exfiltration. In another sense, it is something newer and more unsettling. The AI industry has built its most valuable intellectual property on top of an interconnected web of data vendors, open-source tools, and shared infrastructure, and that web now constitutes an attack surface that no single company fully controls.
Security companies have been warning about precisely this dynamic. Aikido Security, which reached unicorn status in January 2026, built its business on the premise that open-source dependency risk had become existential for enterprise software. The Mercor incident suggests the same logic applies, perhaps more acutely, to the AI training pipeline.
For the three young founders who built one of the fastest-growing companies in tech, the coming months will test whether Mercor’s extraordinary momentum can survive a breach that exposed not just its users’ data, but its clients’ most carefully guarded secrets. The AI industry’s breakneck 2025 was built on the assumption that the infrastructure underpinning it was secure enough to trust. That assumption is now under review.