AI recruiting startup Mercor has confirmed it was caught in a supply chain attack stemming from the recent compromise of open-source project LiteLLM. At the same time, extortion group Lapsus$ has publicly claimed to be responsible for the data breach, and has posted a sample of the stolen company data on its leaked site.

Mercor spokesperson Heidi Hagberg told TechCrunch the company was "one of thousands" affected by the LiteLLM incident and had "moved promptly" to contain and remediate the breach with third-party forensics experts. However, she declined to provide further details about the data that had been accessed or to confirm whether the LiteLLM-related incident was connected to Lapsus$'s claims.

The alleged stolen data samples posted by Lapsus$ include what appear to be Slack data, ticketing information, and videos showing conversations between Mercor's AI systems and contractors.

The LiteLLM compromise surfaced last week when malicious code slipped through a dependency of the widely-used open-source library. After research scientist Callum McMahon of FutureSearch, downloaded LiteLLM, a bug in the malware caused his computer to run out of RAM and crash, prompting McMahon to further investigate the issue. Both McMahon and AI researcher Andrej Karpathy agree that the malware caused McMahon's computer to crash because it was likely vibe-coded, and point out that had it not been for this fact, the exploit could have gone unnoticed for days, if not weeks.

Adding to the drama, LiteLLM had obtained security certifications from controversial startup Delve, which faces allegations of generating fake compliance data. Delve, of course, has strongly denied the claims. However, the whistleblower behind the allegations, who goes by the name DeepDelver and claims to have worked for a former Delve customer, recently posted on their anonymous Substack that they are in the possession of convincing evidence of Delve's questionable practices, and committed to sharing their findings over the next five days.

LiteLLM has since announced its switch to Delve competitor Vanta and has pledged to undergo re-certification, as well as to find an independent third-party auditor.