After data breach, $10B-valued startup Mercor is having a month

2026-04-09 · Source: AI News & Artificial Intelligence | TechCrunch · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Emerging Technologies & Innovation · Depth: Novice, short

Summary

Mercor, an AI data training startup valued at $10 billion after a $350 million Series C, admitted on March 31 to a data breach originating from a hack of the open-source tool LiteLLM. A hacker group claims to have stolen 4TB of data, including candidate profiles, PII, employer data, source code, and API keys, though Mercor has not confirmed the data's authenticity. The LiteLLM tool, downloaded millions of times daily, harbored credential harvesting malware for 40 minutes, which was exploited to access Mercor's systems. This incident has led Meta to indefinitely pause contracts with Mercor, while OpenAI is investigating its exposure but has not paused work. Five Mercor contractors have filed lawsuits over alleged personal data exposure, with one suit naming LiteLLM and its former security certifier, Delve, as defendants. Delve, accused of faking security certifications, has since been dropped by LiteLLM and Y Combinator.

Key takeaway

For CTOs and VPs of Engineering evaluating third-party AI service providers, this incident underscores the critical need for comprehensive supply chain security audits. Your organization's sensitive data and intellectual property are at risk if your partners rely on compromised open-source tools or inadequate security certifications. Prioritize continuous monitoring of all dependencies and consider the potential for cascading failures from a single point of compromise.

Key insights

A supply chain attack via a popular open-source tool led to a major data breach impacting a high-value AI startup.

Principles

• Open-source dependencies introduce supply chain risks.
• Security certifications do not guarantee breach prevention.
• Data training companies handle critical trade secrets.

In practice

• Audit third-party security certifications rigorously.
• Implement robust credential management for API keys.
• Review contracts with AI data training partners.

Topics

• Mercor Data Breach
• LiteLLM Security Incident
• AI Data Training
• Credential Harvesting Malware
• Security Certifications

Best for: CTO, VP of Engineering/Data, Executive, Tech Journalist, AI Security Engineer, Legal Professional

Related on AIssential

• Delve did the security compliance on LiteLLM, an AI project hit by malware — Open-source projects face significant supply chain risks, even with security certifications.
• Ozempic Maker Novo Nordisk Confirms Security Incident After $25M Hacker Demand — Healthcare and pharma companies face escalating threats to high-value intellectual property, including clinical trial data and AI models.
• Managing Third-Party Risk When You Have 10,000 Suppliers - with Dean Alms of Aravo — AI-driven automation transforms third-party risk management from a compliance task to a strategic resilience function.
• OpenAI Among the Companies Affected by TanStack Breach — Software supply chain attacks exploiting GitHub Actions can compromise open-source libraries and spread credential-stealing malware.
• The Air-Gapped Chronicles: The Model Zoo Ambush — When Your ‘Pretrained’ AI Ships the Attack — AI supply chain attacks exploit opaque model artifacts and lack of provenance, necessitating rigorous security measures beyond traditional AppSec.
• The Vercel Hack: How One AI Tool Cracked Open the Internet’s Deployment Stack — A third-party AI tool used by an employee led to a major supply chain breach at Vercel.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by AI News & Artificial Intelligence | TechCrunch.