{"id":60414,"date":"2026-04-02T00:02:58","date_gmt":"2026-04-02T00:02:58","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/"},"modified":"2026-04-02T00:02:58","modified_gmt":"2026-04-02T00:02:58","slug":"ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/","title":{"rendered":"AI recruiting biz Mercor says it was &#8216;one of thousands&#8217; hit in LiteLLM supply-chain attack"},"content":{"rendered":"<p>AI hiring startup Mercor confirmed it was &#8220;one of thousands of companies&#8221; affected by the LiteLLM supply-chain attack as the fallout from the Trivy compromise continues to spread.<\/p>\n<p>&#8220;We recently identified that we were one of thousands of companies impacted by a supply chain attack involving LiteLLM,&#8221; Mercor <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/mercor_ai\/status\/2039101905675403306\">said<\/a> on social media in a Tuesday post.<\/p>\n<p>&#8220;Our security team moved promptly to contain and remediate the incident,&#8221; the statement continued, adding that it&#8217;s conducting a &#8220;thorough investigation&#8221; with the help of third-party forensics experts, and will &#8220;devote the resources necessary to resolving the matter as soon as possible.&#8221;<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"condor\" data-xsm=\",fluid,mpu,dmpu,\" data-sm=\",fluid,mpu,dmpu,\" data-md=\",fluid,mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" target=\"_blank\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>The company&#8217;s admission follows claims by extortion crew Lapsus$, later <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/AlvieriD\/status\/2038779690295378004\">shared on social media<\/a> by researcher Dominic Alvieri, that it stole 4 TB, including 939 GB of Mercor source code, plus other data, from the AI recruiting firm, and offered to sell the purloined files to the highest bidder.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xmd=\",fluid,mpu,leaderboard,\" data-lg=\",fluid,mpu,leaderboard,\" data-xlg=\",fluid,billboard,superleaderboard,mpu,leaderboard,\" data-xxlg=\",fluid,billboard,superleaderboard,brandwidth,brandimpact,leaderboard,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<div class=\"adun_eagle_desktop_story_wrapper\">\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"mid\" data-raptor=\"eagle\" data-xxlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<\/p><\/div>\n<p>While Mercor&#8217;s statement didn&#8217;t say how <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2025\/08\/12\/scattered_spidershinyhunterslapsus_cybercrime_collab\/\">Lapsus$<\/a> gained access to its company data following the LiteLLM compromise, last week Wiz security researchers told <em>The Register<\/em> that &#8220;high-profile extortion groups like Lapsus$&#8221; were now working with the TeamPCP, the crew believed to be responsible for the Trivy, LiteLLM, and other popular open source project supply chain attacks.<\/p>\n<p>Mercor did not immediately respond to our inquiries.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xsm=\",fluid,mpu,dmpu,\" data-sm=\",fluid,mpu,dmpu,\" data-md=\",fluid,mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>Following a <a target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisco-source-code-stolen-in-trivy-linked-dev-environment-breach\/\" rel=\"nofollow\">report<\/a> that TeamPCP also breached Cisco&#8217;s internal development environment and stole source code from credentials swiped via the Trivy attack, Cisco told <em>The Register<\/em> that it is &#8220;aware of the Trivy supply-chain issue that is affecting the industry.&#8221;<\/p>\n<p>&#8220;We promptly launched an assessment and based on our investigation to date, we have not seen any evidence of impact on our customers, products, or services,&#8221; a spokesperson told us. &#8220;We continue to investigate and closely monitor this situation and will follow our well-established procedures for addressing these types of issues and communicating with our customers as appropriate.&#8221;<\/p>\n<p>Cisco twice declined to answer this question: Were any of Cisco&#8217;s systems accessed by the attackers?<\/p>\n<h3 class=\"crosshead\">How it started\u2026<\/h3>\n<p>TeamPCP compromised Trivy, an open source vulnerability scanner maintained by Aqua Security in late February, and, a month later, injected credential-stealing malware into the scanner.&nbsp;<\/p>\n<p>Later in March, the same crew injected the same malware into open source static analysis tool KICS maintained by Checkmarx, and also <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2026\/03\/24\/trivy_compromise_litellm\/\">published malicious versions of LiteLLM<\/a> and <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2026\/03\/30\/telnyx_pypi_supply_chain_attack_litellm\/\">Telnyx<\/a> to the Python Package Index (PyPI).<\/p>\n<p>After all of these attacks, Google-owned cloud security shop <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.wiz.io\/blog\/tracking-teampcp-investigating-post-compromise-attacks-seen-in-the-wild\">Wiz said<\/a> its researchers &#8220;saw indications in Cloud, Code, and Runtime evidence that the credentials and secrets stolen in the supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data.&#8221;&nbsp;<\/p>\n<p>So while Mercor is the first downstream company to publicly confirm it was a victim of the compromises, it won&#8217;t be the last.&nbsp;<\/p>\n<h3 class=\"crosshead\">How it&#8217;s going<\/h3>\n<p>Threat hunters at vx-underground estimate the data thieves have exfiltrated <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/x.com\/vxunderground\/status\/2036532168084672816?s=20\">data and secrets from 500,000 machines<\/a>, and last week at RSA Conference, Mandiant Consulting CTO Charles Carmakal told reporters that the Google-owned incident response biz knew of &#8220;over 1,000 impacted SaaS environments&#8221; that were &#8220;actively&#8221; dealing with the cascading effect of the TeamPCP supply chain attacks.<\/p>\n<p>&#8220;That 1,000-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000,&#8221; <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2026\/03\/24\/1k_cloud_environments_infected_following\/\">Carmakal said<\/a>. &#8220;And we know that these actors are collaborating with a number of other actors right now.&#8221;&nbsp;<\/p>\n<div aria-hidden=\"true\" class=\"adun\" id=\"story_eagle_xsm_sm_md_xmd_lg_xlg\" data-pos=\"mid\" data-raptor=\"eagle\" data-xsm=\",mpu,dmpu,\" data-sm=\",mpu,dmpu,\" data-md=\",mpu,dmpu,\" data-xmd=\",mpu,dmpu,\" data-lg=\",mpu,dmpu,\" data-xlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>In addition to Lapsus$, TeamPCP is also partnering with ransomware gangs&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.ransomlook.io\/group\/cipherforce\">CipherForce<\/a> and <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.ransomware.live\/group\/vect\">Vect<\/a> to leak data and extort victims, according to <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/unit42.paloaltonetworks.com\/teampcp-supply-chain-attacks\/\">Palo Alto Networks&#8217; Unit 42<\/a>. \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2026\/04\/02\/mercor_supply_chain_attack\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>First public downstream victim, but won&#8217;t be the last AI hiring startup Mercor confirmed it was &#8220;one of thousands of companies&#8221; affected by the LiteLLM supply-chain attack as the fallout from the Trivy compromise continues to spread.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-60414","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>AI recruiting biz Mercor says it was &#039;one of thousands&#039; hit in LiteLLM supply-chain attack 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"AI recruiting biz Mercor says it was &#039;one of thousands&#039; hit in LiteLLM supply-chain attack 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-02T00:02:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"AI recruiting biz Mercor says it was &#8216;one of thousands&#8217; hit in LiteLLM supply-chain attack\",\"datePublished\":\"2026-04-02T00:02:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/\"},\"wordCount\":598,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/\",\"name\":\"AI recruiting biz Mercor says it was 'one of thousands' hit in LiteLLM supply-chain attack 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2026-04-02T00:02:58+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/#primaryimage\",\"url\":\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"AI recruiting biz Mercor says it was &#8216;one of thousands&#8217; hit in LiteLLM supply-chain attack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"AI recruiting biz Mercor says it was 'one of thousands' hit in LiteLLM supply-chain attack 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/","og_locale":"en_US","og_type":"article","og_title":"AI recruiting biz Mercor says it was 'one of thousands' hit in LiteLLM supply-chain attack 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-04-02T00:02:58+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"AI recruiting biz Mercor says it was &#8216;one of thousands&#8217; hit in LiteLLM supply-chain attack","datePublished":"2026-04-02T00:02:58+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/"},"wordCount":598,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/","url":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/","name":"AI recruiting biz Mercor says it was 'one of thousands' hit in LiteLLM supply-chain attack 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2026-04-02T00:02:58+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ac3Jrldf0_PitoJb1zmJ2AAAAFQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/ai-recruiting-biz-mercor-says-it-was-one-of-thousands-hit-in-litellm-supply-chain-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"AI recruiting biz Mercor says it was &#8216;one of thousands&#8217; hit in LiteLLM supply-chain attack"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60414","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60414"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60414\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60414"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60414"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}