Mercor Faces Major Cybersecurity Breach Via Compromised LiteLLM Library, Sparking Industry-Wide Concerns
April 3, 2026
Mercor disclosed a cybersecurity breach tied to a compromised LiteLLM library, signaling a supply-chain attack that could affect multiple partners in the AI ecosystem.
LiteLLM, a connector library that apps use to access AI services from OpenAI, Anthropic and others, is downloaded millions of times daily, and security researchers identified it as a high-value target.
Mercor, a three-year-old AI startup valued at about $10 billion, confirmed the data breach connected to the supply-chain intrusion.
Experts urge affected parties to conduct third-party risk audits, communicate transparently, adopt software bills of materials (SBOMs), tighten security pipelines, and push for industry-wide policy reforms to curb similar breaches.
Reports note that the listing on the Lapsus$ site was removed around the time of reporting. The reasons are unclear and could suggest a potential buyer or a halted auction, though there is no confirmed development.
Public and expert reactions criticize security practices and the valuation in light of the breach, while some praise Mercor’s transparent incident response and involvement of third-party forensics.
Mercor has engaged in direct communication with affected parties, pledged data safeguards, and is investing heavily in security upgrades to reassure customers and protect contractors.
Looking ahead, the breach could dent investor confidence, drive up cybersecurity spending on open-source dependencies, spur tighter regulation around SBOMs and AI software vetting, and raise privacy and doxxing risks.
Security researchers link TeamPCP to broader extortion campaigns and note possible collaboration with Lapsus$ and other groups to target affected companies at scale.
The incident is seen as an early indicator of a wider wave of LiteLLM supply-chain compromises, with Mercor prioritizing communications and remediation.
Fortune reported that Mercor confirmed the supply-chain attack and its security impact.
Mercor is a high-profile Silicon Valley player, valued at around $10 billion after a 2025 funding round, with a notable client list that includes Meta, OpenAI, and Anthropic. A third-party forensic investigation is underway.
Summary based on 7 sources
Sources

OpenTools • Apr 3, 2026
Mercor AI, a $10 Billion Startup, Faces Major Security Breach
Hackread - Cybersecurity News, Data Breaches, AI and More • Apr 3, 2026
AI Firm Mercor Confirms Breach as Hackers Claim 4TB of Stolen Data
Techloy • Apr 3, 2026
$10B AI Hiring Startup Mercor Confirms Data Breach Affecting Tech Talent