THE MERCOR COLLAPSE: Inside the 4TB Lapsus$ Data Breach and the Supply Chain Attack That Gutted a $10 Billion AI Giant

The CyberSec Guru


TL;DR: Mercor AI, the 10 billion dollar recruiting company, got hit by Lapsus$. They walked out with 4TB of data: 211GB of candidate records, 939GB of source code, and 3TB of video interviews and identity documents. The attack came through a poisoned Python package. Thousands of doctors, lawyers, and engineers now fear having their faces and voices circulating on the dark web. Mercor AI has acknowledged the incident and is currently looking into it, according to their X post.


The day the vault opened

On March 24, 2026, Mercor AI got breached. Not hacked in the slow, grinding sense but instead completely gutted.

Mercor built itself into a $10 billion company in two years by sitting in the middle of AI hiring. Companies like OpenAI, Anthropic, and Google DeepMind used it to screen, interview, and verify specialized talent. That made Mercor a very specific kind of target: not just data-rich, but holding the kind of data that can’t be changed after the fact.

Lapsus$, the group behind previous breaches at Microsoft, Nvidia, and Okta, has claimed credit. The haul includes source code, network maps, API keys, and the raw video and biometric data of over 30,000 contractors. Passwords, you can reset. Your face and voice, you can’t.

How it happened

The attack didn’t start at Mercor. That’s what makes it ugly.

Phase 1: Trivy (March 19, 2026)

Trivy is a security scanning tool built by Aqua Security. A threat actor group called TeamPCP found a misconfigured GitHub Actions workflow in the Trivy repository. They exploited a pull_request_target vulnerability to steal a Personal Access Token for the aqua-bot account, then used that access to force-push malicious commits to 76 release tags in the trivy-action repo.

Anyone who pulled the “latest” version of a security scanner was now running a credential harvester. A tool built to catch vulnerabilities became the vulnerability.
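
An added example (not from the original post or from Aqua Security): a small Python audit of a workflow file for the two conditions this phase relied on, a pull_request_target trigger and actions referenced by a movable tag or branch instead of a full commit SHA. The sample workflow, its refs, and the example-org/example-action name are constructed.

```python
import re

# "uses: owner/repo[/path]@ref" steps; local (./) and docker:// steps do not match.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([\w.-]+/[\w./-]+)@([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TRIGGER_RE = re.compile(r"\bpull_request_target\b")

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
on:
  pull_request_target:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.0.0
"""


def audit_workflow(text):
    """Return (line_number, kind, detail) findings for one workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip full-line comments
        if TRIGGER_RE.search(line):
            # Runs with the base repository's secrets; needs manual review.
            findings.append((lineno, "trigger", "pull_request_target"))
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group(2)):
            # A tag or branch can be force-pushed to point at new code.
            findings.append((lineno, "mutable-ref", f"{m.group(1)}@{m.group(2)}"))
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

A step pinned to a 40-character commit SHA keeps resolving to the same code even if the tag it came from is later moved.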

Phase 2: LiteLLM

LiteLLM is a proxy that routes API calls between AI models. It sees around 3.4 million downloads a day, which made it the ideal entry point for anyone already inside the AI ecosystem.

On March 24, the attackers used credentials from the Trivy compromise to hijack the PyPI publishing token for LiteLLM. They pushed versions 1.82.7 and 1.82.8. Version 1.82.8 contained a .pth file – the kind Python executes automatically when the interpreter starts. No import needed. No code run needed. The moment a developer opened an IDE or ran pip, the malware was already running.
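
An added example (not code from the original post or from the LiteLLM project): a Python check that lists the .pth lines the interpreter would execute at startup and looks for the two LiteLLM versions named above. The temporary directory standing in for site-packages, the file names, and the sample lines are constructed.

```python
import os
import tempfile

# Versions named in the article as the malicious LiteLLM releases.
AFFECTED_LITELLM = {"1.82.7", "1.82.8"}


def executable_pth_lines(pth_path):
    """Return (line_number, text) for lines that site.py would exec()."""
    hits = []
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            # site.py executes lines beginning "import " or "import\t";
            # every other non-comment line is only appended to sys.path.
            if line.startswith(("import ", "import\t")):
                hits.append((lineno, line.rstrip()))
    return hits


def scan_site_dir(site_dir):
    """Map each .pth file name in site_dir to its executable lines."""
    report = {}
    for name in sorted(os.listdir(site_dir)):
        if name.endswith(".pth"):
            hits = executable_pth_lines(os.path.join(site_dir, name))
            if hits:
                report[name] = hits
    return report


def affected_litellm(site_dir):
    """Return affected versions found via litellm-<version>.dist-info dirs."""
    found = []
    for name in sorted(os.listdir(site_dir)):
        if name.startswith("litellm-") and name.endswith(".dist-info"):
            version = name[len("litellm-"):-len(".dist-info")]
            if version in AFFECTED_LITELLM:
                found.append(version)
    return found


def demo():
    """Constructed sample: a temp dir standing in for site-packages."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "paths_only.pth"), "w") as fh:
            fh.write("# comment\n/opt/example/lib\n")
        with open(os.path.join(d, "example_init.pth"), "w") as fh:  # hypothetical name
            fh.write("/opt/example/lib\nimport os; os.environ.get('HOME')\n")
        os.mkdir(os.path.join(d, "litellm-1.82.8.dist-info"))
        return scan_site_dir(d), affected_litellm(d)
```

Run it with `python -S` and pass the site-packages path explicitly, so the scanning interpreter does not process the .pth files it is inspecting. Some legitimate packages also ship `import` lines in .pth files, so each hit is something to review, not a verdict.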

Phase 3: Mercor

At Mercor, reportedly, developers were running Claude (an AI coding assistant) with unrestricted system permissions. When the poisoned LiteLLM dependency landed in a dev environment, the malware ran a three-step operation: sweep the machine for SSH keys, AWS tokens, Kubernetes secrets, and .env files; deploy privileged containers across Mercor’s Kubernetes clusters; and use the stolen credentials to begin exfiltrating data through the Tailscale VPN to an attacker-controlled domain – models.litellm[.]cloud.

What was in the 4TB of data

The candidate database (211GB): Resumes, verified contact info, and Social Security numbers. Mercor processed roughly $2 million in daily payouts, which meant they stored tax documents such as SSNs and ID papers on-site.

Video and KYC (3TB): This is the part that can’t be undone. Mercor used AI-led video interviews for identity verification. What Lapsus$ got includes thousands of hours of HD video of candidates speaking and working through problems, passport and driver’s license scans, and the facial biometric data Mercor used to match faces to IDs. An attacker with this material can train deepfake models of specific people, then use those models to bypass video KYC checks at banks or crypto exchanges or simply impersonate someone professionally.

Source code (939GB): The matching algorithms, internal dashboards, APEX-Agents benchmarking code, and most importantly, hardcoded API keys that could allow further access to Mercor’s cloud infrastructure.

Tailscale VPN data: A full map of Mercor’s internal network, plus device certificates that let attackers impersonate trusted internal machines even after the initial breach was discovered.

The biometric problem

The video and KYC haul is different from a typical data breach, and it’s worth being direct about why.

When someone’s password leaks, they change it. When someone’s face and voice leak alongside passport scans that match the face to a real name, they can’t change them. Victims can be impersonated in video calls, used to bypass biometric identity checks, or have their professional identity cloned wholesale. The people most exposed here are doctors, lawyers, and engineers who went through Mercor’s verification process in good faith.

The wider picture

Mercor was downstream of the LiteLLM attack, but the Lapsus$ communications mention other targets under codenames: Athena and Aphrodite. Major AI firms including Mercor’s clients are now auditing their dependency chains.

The uncomfortable reality this breach surfaces: if a $10 billion company can be gutted because a Python package ran a .pth file, the attack surface for the AI sector is much larger than most companies have accounted for. Trusting your security scanner and your ML routing library is not paranoid behavior; it’s how everyone operates. Lapsus$ just exploited it.

If you used Mercor AI

If you completed a video interview or uploaded identity documents, treat your data as compromised. Your biometric data cannot be revoked. If you’re a professional who went through the platform, especially if you submitted passport or government ID scans, monitor for identity fraud and be cautious of any unsolicited requests that rely on video verification or identity checks. Do not wait for a formal notice before acting. Change passwords now and enable app-based 2FA on email and financial accounts.

Mercor’s Reply

Mercor AI released a public statement on Twitter confirming the breach.


Background on Lapsus$

Lapsus$ is an international extortion group known for stealing source code and sensitive data from major tech companies. Previous targets include Microsoft, Nvidia, Samsung, and Okta. Their method is usually to post proof of the breach publicly and demand payment to prevent auction or release.
