In short: Meta has suspended its collaboration with Mercor, a $10 billion AI data startup, after a supply chain attack exposed what may be the AI industry’s most closely guarded secrets: not just personal data, but the training methodologies that power the world’s leading large language models. The breach, carried out via a poisoned version of the LiteLLM open-source library, has triggered investigations at OpenAI and Anthropic, and resulted in a class action lawsuit affecting more than 40,000 people.
When hackers poisoned a widely used open-source library last month, they did not just steal personal data. According to reporting by Wired, they may have walked out with the blueprints for how some of the world’s most powerful AI models are built.
Meta has paused its work with Mercor, a San Francisco-based AI data company that generates bespoke training datasets for the biggest names in artificial intelligence, after a cyberattack exposed sensitive information about how the company, and potentially several of its other clients, actually trains its models. The pause is indefinite, and the incident has sent a ripple of anxiety through an industry that has spent billions developing the proprietary methods it was counting on keeping secret.
The startup behind the curtain
Mercor is not a household name, but it sits at a critical juncture of the AI economy. Founded in 2023 by Brendan Foody, Adarsh Hiremath, and Surya Midha, three Bay Area high school friends who competed together on the Bellarmine College Preparatory Speech and Debate team, the company recruits networks of human contractors (engineers, lawyers, doctors, bankers, and journalists) to produce high-quality, proprietary training data for AI labs. Its clients have included Meta, OpenAI, Anthropic, and Google.
The startup’s rise has been extraordinary even by Silicon Valley standards. In October 2025, Mercor closed a $350 million Series C round that valued it at $10 billion, minting all three founders as the world’s youngest self-made billionaires at the age of 22. By September 2025, the company had reached $500 million in annualised revenue, up from $100 million just six months earlier. Its business model, generating the fine-tuning and reinforcement learning data that AI labs rely on but rarely discuss publicly, made it one of the most valuable private companies in the AI supply chain.
That same positioning is now the source of its vulnerability.
A poisoned package, a cascade of exposure
The attack that reached Mercor originated several steps upstream. According to analysis by Wiz, Snyk, and Datadog Security Labs, a threat actor group known as TeamPCP compromised the CI/CD pipeline of LiteLLM, an open-source Python library used by millions of developers to connect applications to AI services, with 97 million monthly downloads and a presence in an estimated 36% of cloud environments.
TeamPCP had earlier used a supply chain attack on Trivy, a widely used security scanner, to obtain credentials belonging to a LiteLLM maintainer. On 27 March 2026, the group used those credentials to publish two malicious versions of the LiteLLM package, 1.82.7 and 1.82.8, directly to PyPI, the Python package repository. The tainted packages were available for roughly 40 minutes before being identified and removed.
The payload was sophisticated. Version 1.82.7 embedded base64-encoded malware directly into the library’s proxy server code, executing on import. Version 1.82.8 used a malicious path configuration file that triggered automatically on every Python process startup. Both variants were designed to harvest environment variables, API keys, SSH keys, and cloud credentials across AWS, Google Cloud, and Azure, as well as Kubernetes configurations, CI/CD secrets, and database credentials, exfiltrating everything to a server at models.litellm[.]cloud.
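A defender-side check for the two delivery mechanisms described above, added here as an example; it is not code from LiteLLM, the cited researchers, or this article. The function names and the sample requirements text are constructed for illustration, and the path-configuration check relies on the fact that Python's site module executes any line in a .pth file that begins with "import".

```python
import re
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # the two releases the article names
PIN = re.compile(r"^\s*litellm(?:\[[^\]]*\])?\s*==\s*([0-9][\w.]*)", re.I)

# Constructed sample lock-file content, for the demo below.
SAMPLE_REQUIREMENTS = "requests==2.32.0\nlitellm[proxy]==1.82.7\nlitellm==1.82.70\n"


def bad_pins(requirements_text):
    """Return requirement lines that pin litellm to a named bad release."""
    hits = []
    for line in requirements_text.splitlines():
        m = PIN.match(line)
        if m and m.group(1) in BAD_VERSIONS:
            hits.append(line.strip())
    return hits


def installed_bad_version():
    """Return the installed litellm version if it is a named bad one, else None."""
    try:
        version = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None
    return version if version in BAD_VERSIONS else None


def executable_pth_lines(site_dir):
    """List (file name, line) for .pth lines the site module runs at startup.

    site executes any .pth line starting with "import" plus a space or tab.
    Legitimate tools use this too, so each hit is a review item, not a verdict.
    """
    hits = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, line))
    return hits


if __name__ == "__main__":
    import site
    print("bad pins in sample:", bad_pins(SAMPLE_REQUIREMENTS))
    print("installed bad version:", installed_bad_version())
    for d in site.getsitepackages():
        for name, line in executable_pth_lines(d):
            print(f"{d}/{name}: {line[:80]}")
```

Because both variants harvested credentials, a host where either release was installed should have its environment variables, keys, and tokens treated as exposed and rotated.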
Mercor, which confirmed it was “one of thousands of companies” affected by the attack, subsequently found that the breach had exposed approximately four terabytes of data. According to court filings and claims made by the hacking groups involved, the stolen cache includes 939 gigabytes of platform source code, a 211-gigabyte user database, and roughly three terabytes of video interview recordings and identity verification documents. The exposed information may include the full names and Social Security numbers of more than 40,000 current and former Mercor contractors and customers.
The secrets that matter most
The personal data exposure would be troubling enough. But what has alarmed Meta and drawn the attention of other AI labs is a different category of information entirely.
Because Mercor sits inside the data pipelines of multiple AI companies simultaneously, the breach may have exposed details about data selection criteria, labeling protocols, and training strategies that companies have spent years and billions of dollars developing. Competitors can replicate a dataset; replicating a training methodology is harder, and it represents a genuine competitive moat. The Wired report notes that the scale of that potential exposure has prompted multiple AI labs to investigate what, precisely, may have left their orbit.
OpenAI, which also uses Mercor’s services, has said it is investigating the incident but has not paused its current projects with the company. Anthropic, which raised $3 billion in early 2026 and has been expanding its research infrastructure aggressively, has not publicly commented on its exposure. Google, which operates competing data vendor relationships of a similar kind, is also understood to be assessing the breach’s scope.
The incident illustrates a structural risk that the AI industry has rarely had to confront: when multiple competitors rely on the same third-party data supplier, a single breach can expose the competitive secrets of all of them at once.
Extortion and legal fallout
The threat group Lapsus$, which has previously been linked to high-profile attacks on major corporations, subsequently claimed responsibility for the Mercor breach and began auctioning the stolen data on dark web forums. Security researchers believe Lapsus$ is acting in collaboration with TeamPCP, which has emerged as a systematic threat across the AI and enterprise software ecosystem. The same group is believed responsible for a wave of supply chain compromises affecting more than 1,000 enterprise SaaS environments via the earlier Trivy attack, including a breach of the European Commission attributed by CERT-EU to the same campaign.
On 1 April 2026, plaintiff Lisa Gill, a resident of Wahiawa, Hawaii, filed a class action complaint against Mercor.io Corp. in the US District Court for the Northern District of California. The suit alleges that Mercor failed to maintain adequate cybersecurity protections, leaving more than 40,000 people exposed to identity theft and fraud. The complaint states that the LiteLLM incident on 27 March was the entry point and that Mercor’s reliance on a compromised open-source dependency without sufficient monitoring created the conditions for the breach.
Meta, meanwhile, has said nothing publicly, a silence that speaks volumes. The company signed a $27 billion AI infrastructure deal with Nebius Group in March 2026 and has forecast capital expenditures of between $115 billion and $135 billion for the year, making its AI training pipeline one of its most strategically sensitive assets. Pausing a data vendor relationship, even an important one, is the kind of decision that gets made only when the risk to proprietary methodology outweighs the operational cost of stopping work.
A cautionary tale for the AI supply chain
The Mercor breach is, in one sense, a conventional supply chain attack: a threat actor found a weak link in an open-source dependency and exploited it for credential theft and data exfiltration. In another sense, it is something newer and more unsettling. The AI industry has built its most valuable intellectual property on top of an interconnected web of data vendors, open-source tools, and shared infrastructure, and that web now constitutes an attack surface that no single company fully controls.
Security companies have been warning about precisely this dynamic. Aikido Security, which reached unicorn status in January 2026, built its business on the premise that open-source dependency risk had become existential for enterprise software. The Mercor incident suggests the same logic applies, perhaps more acutely, to the AI training pipeline.
For the three young founders who built one of the fastest-growing companies in tech, the coming months will test whether Mercor’s extraordinary momentum can survive a breach that exposed not just its users’ data, but its clients’ most carefully guarded secrets. The AI industry’s breakneck 2025 was built on the assumption that the infrastructure underpinning it was secure enough to trust. That assumption is now under review.