Apr 10, 2026 · 6 min read
Hackers Stole 4TB From a $10 Billion AI Startup Through a 40-Minute Window in a Python Package
A supply chain attack on LiteLLM gave attackers access to Mercor's source code, contractor passports, and video interviews. Meta paused its contracts. Five lawsuits have been filed.
What Happened
On March 31, 2026, AI data training startup Mercor confirmed it had been breached. The company, valued at $10 billion, told users that attackers had accessed its systems through a compromised version of LiteLLM, an open source library used to manage API keys for AI providers.
The stolen cache was enormous: approximately 939 GB of platform source code, a 211 GB user database, and roughly 3 TB of storage buckets containing video interview recordings and identity verification documents including passport scans. In total, more than 40,000 contractors had their personal data exposed.
How a 40-Minute Window Became a 4TB Breach
The attack was a textbook supply chain compromise, and it started months before Mercor was hit. A threat group called TeamPCP first exploited a vulnerability in Trivy, an open source security scanner, through a GitHub Actions workflow flaw. That gave them maintainer credentials, which they used to compromise additional tools in the CI/CD chain.
On March 24, at 10:39 UTC, LiteLLM's CI/CD pipeline executed the malicious Trivy action. The attackers exfiltrated the PyPI publish token and within thirteen minutes pushed two poisoned versions of LiteLLM, 1.82.7 and 1.82.8, to the Python Package Index.
The malicious payload harvested SSH keys, cloud credentials for AWS, GCP, and Azure, Kubernetes secrets, API keys, and database credentials. Version 1.82.8 went further, using .pth file injection: the interpreter processes .pth files on every startup, so the payload ran on every Python launch and persisted even after the package itself was removed.
A researcher named Callum McMahon discovered the compromise at 11:48 UTC when his system crashed. PyPI quarantined the package by 13:38 UTC. The malicious versions had been live for roughly 40 minutes to 3 hours, but with 3.4 million daily downloads, thousands of systems had already pulled the compromised packages automatically.
The Fallout
Meta indefinitely paused all contracts with Mercor. Affected contractors cannot log hours. OpenAI confirmed it was investigating its exposure but had not paused work at the time of disclosure.
Five lawsuits were filed in federal courts across California and Texas in the first week of April. The lead case, Gill v. Mercor.io Corporation, was filed April 1 as a proposed nationwide class action. It alleges the company failed to implement multi-factor authentication, encrypt sensitive data, or monitor for suspicious activity. The claims span negligence, data privacy violations, invasion of privacy, and breach of implied duty.
Beyond the personal data, the stolen cache may have exposed data selection criteria, labeling protocols, and RLHF training strategies that represent significant proprietary value for the AI companies Mercor serves.
The Compliance Firm That Certified LiteLLM Was a Fraud
In a parallel scandal, Delve Technologies, the GRC startup that had certified LiteLLM's SOC 2 and ISO 27001 compliance, was exposed for generating fraudulent certifications. An anonymous whistleblower revealed that Delve's 494 leaked SOC 2 reports contained 99.8% identical text across all clients, including recurring grammatical errors. Prefabricated evidence was generated before clients had even submitted company descriptions.
On March 30, LiteLLM dropped Delve and switched to Vanta. On April 4, Delve was expelled from Y Combinator.
Why This Matters
LiteLLM is downloaded 95 million times monthly and is present in an estimated 36% of all cloud environments. Its entire purpose is to hold API keys for dozens of AI providers. Compromising it gave attackers a skeleton key to every system that depended on it.
This is the same pattern that has played out with npm supply chain attacks, the recent CPUID supply chain compromise, and other package manager compromises: a single poisoned dependency cascades through thousands of downstream systems before anyone notices.
How to Protect Yourself
If you use LiteLLM or any high-privilege open source dependency:
- Pin exact versions with lockfiles. Organizations using poetry.lock or uv.lock were protected from the malicious packages. Mutable version tags inherited the full attack chain.
- Rotate credentials immediately if your systems pulled LiteLLM versions 1.82.7 or 1.82.8 between March 24 and March 25.
- Audit CI/CD pipelines for third-party GitHub Actions that have write access to package registries.
- Verify compliance certifications independently. A SOC 2 badge means nothing if the auditor was rubber-stamping reports.
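The first two items above are checks you can script. The following is an added example written for this article, not code from LiteLLM, Mercor, or any of the parties involved. It scans pinned requirements and poetry.lock / uv.lock text for the two version numbers the article names, and it lists .pth files in your site-packages directories whose lines begin with "import", because those are the lines the interpreter executes at startup (the persistence mechanism attributed to 1.82.8). The lockfile text and the .pth files in the demo are constructed; the version list is the one from this article and should be extended from whatever advisory you are working from.

```python
"""Post-incident checks for a compromised PyPI dependency.

Added example for this article; not code from LiteLLM or Mercor.
  1. Find the compromised versions in pinned requirements and in
     poetry.lock / uv.lock text.
  2. List .pth lines that run code at interpreter startup.
Sample lockfile text and .pth files below are constructed.
"""
import os
import re
import site
import tempfile

# Versions named in the article; extend from the advisory you rely on.
COMPROMISED = {("litellm", "1.82.7"), ("litellm", "1.82.8")}

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;#]*)")
_TOML_NAME_RE = re.compile(r'^\s*name\s*=\s*"([^"]+)"')
_TOML_VERSION_RE = re.compile(r'^\s*version\s*=\s*"([^"]+)"')


def _norm(name):
    """PEP 503 normalisation so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_compromised_pins(text):
    """Return (name, version) pairs from 'pkg==ver' lines (requirements.txt,
    pip freeze, pip-compile output) that match COMPROMISED."""
    hits = []
    for line in text.splitlines():
        m = _PIN_RE.match(line)
        if m and (_norm(m.group(1)), m.group(2)) in COMPROMISED:
            hits.append((_norm(m.group(1)), m.group(2)))
    return hits


def find_compromised_lock_entries(lock_text):
    """Walk the [[package]] tables of a poetry.lock or uv.lock. Both write
    name = "..." followed by version = "..." per package, which is enough
    to pair them line by line without a TOML parser."""
    hits = []
    current = None
    for line in lock_text.splitlines():
        m = _TOML_NAME_RE.match(line)
        if m:
            current = _norm(m.group(1))
            continue
        m = _TOML_VERSION_RE.match(line)
        if m and current is not None:
            if (current, m.group(1)) in COMPROMISED:
                hits.append((current, m.group(1)))
            current = None
    return hits


def audit_pth_files(site_dirs):
    """Return (path, line_no, line) for every .pth line starting with
    'import': site.py executes those at startup, all other lines are just
    sys.path entries. Editable installs and coverage hooks use this
    legitimately, so treat the result as a review list, not a verdict."""
    findings = []
    for d in site_dirs:
        if not os.path.isdir(d):
            continue
        for fn in sorted(os.listdir(d)):
            if not fn.endswith(".pth"):
                continue
            path = os.path.join(d, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for n, line in enumerate(fh, 1):
                    if line.startswith(("import ", "import\t")):
                        findings.append((path, n, line.rstrip("\n")))
    return findings


def build_sample_site_dir():
    """Constructed demo: a temp dir with one plain path entry and one
    .pth file that runs (harmless) code at startup."""
    d = tempfile.mkdtemp(prefix="pth-audit-")
    with open(os.path.join(d, "extra-path.pth"), "w") as fh:
        fh.write("/opt/constructed/vendor-packages\n")
    with open(os.path.join(d, "startup-hook.pth"), "w") as fh:
        fh.write("import os; os.environ.setdefault('CONSTRUCTED_MARKER', '1')\n")
    return d


# Constructed inputs for the demo run.
SAMPLE_REQUIREMENTS = "requests==2.31.0\nlitellm==1.82.8\nopenai>=1.0\n"
SAMPLE_LOCK = '''[[package]]
name = "litellm"
version = "1.82.7"

[[package]]
name = "requests"
version = "2.31.0"
'''

if __name__ == "__main__":
    print("pinned:", find_compromised_pins(SAMPLE_REQUIREMENTS))
    print("lock:", find_compromised_lock_entries(SAMPLE_LOCK))
    # The real check: this interpreter's own site-packages directories.
    for f in audit_pth_files(site.getsitepackages() + [site.getusersitepackages()]):
        print("review:", f)
    # The constructed directory yields exactly one finding.
    for f in audit_pth_files([build_sample_site_dir()]):
        print("demo:", f)
```

Run it inside each virtualenv and container image that may have installed LiteLLM in the window, not just on the developer machine: the .pth check only sees the interpreter it runs under. A hit from either lockfile function means the credential rotation in the list above applies to that host, regardless of whether the package has since been upgraded.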
For Mercor contractors whose data was exposed, monitor your credit reports and consider placing a fraud alert. If your passport was among the verified identity documents, contact your issuing authority about potential identity theft.