Visualização normal

Antes de ontemStream principal
  • ✇Firewall Daily – The Cyber Express
  • AI Startup Mercor Hit by Supply Chain Attack Linked to LiteLLM Ashish Khaitan
    A recent Mercor cyberattack has brought renewed attention to the risks associated with open-source software dependencies, after the AI recruiting startup confirmed it was impacted by a broader supply chain compromise. The Mercor data breach, which is still under investigation, has been linked to a malicious incident involving the widely used LiteLLM project.  In a conversation with The Cyber Express, a Mercor spokesperson explained the details of the incident. According to the spokesperson, M
     
  • ↗️

AI Startup Mercor Hit by Supply Chain Attack Linked to LiteLLM

✇Firewall Daily – The Cyber Express
Por:Ashish Khaitan
1 de Abril de 2026, 05:39

Mercor cyberattack

A recent Mercor cyberattack has brought renewed attention to the risks associated with open-source software dependencies, after the AI recruiting startup confirmed it was impacted by a broader supply chain compromise. The Mercor data breach, which is still under investigation, has been linked to a malicious incident involving the widely used LiteLLM project.  In a conversation with The Cyber Express, a Mercor spokesperson explained the details of the incident. According to the spokesperson, Mercor is in the "early stages of a thorough investigation assisted by third-party forensics experts and will provide details directly to you as appropriate. We can say there has been a limited impact on our operations. We are devoting the resources necessary to resolving the matter and appreciate your understanding and patience." The data breach at Mercor stems from a security incident tied to LiteLLM, an open-source project used extensively across the AI ecosystem. Mercor acknowledged that it was “one of thousands of companies” affected by the compromise, which has been attributed to a hacking group known as TeamPCP. This Mercor cyberattack highlights the growing threat of supply chain attacks, where attackers infiltrate widely used software components to gain access to multiple targets at once.  The situation became more complex when the extortion-focused hacking group Lapsus$ claimed responsibility for targeting Mercor and accessing its data. However, it remains unclear how Lapsus$ obtained the information or whether it directly leveraged the LiteLLM vulnerability as part of the Mercor data breach. The lack of clarity has added to the uncertainty surrounding the scope and impact of the incident.

Company Background and Scale of Operations 

Founded in 2023, Mercor has rapidly positioned itself as a key player in the AI talent ecosystem. The company collaborates with major AI firms, including OpenAI and Anthropic, to help train machine learning models. It does so by connecting organizations with specialized professionals such as scientists, doctors, and lawyers, many of whom are based in global markets like India. Mercor has reported facilitating more than $2 million in daily payouts to its network of contractors. Its growth trajectory has been notable, with the company reaching a $10 billion valuation following a $350 million Series C funding round led by Felicis Ventures in October 2025. This scale makes the data breach at Mercor particularly significant, as any disruption or exposure could potentially affect a large network of users and partners.

Response to the Mercor Cyberattack

In response to the Mercor cyberattack, company spokesperson Heidi Hagberg stated that the organization acted quickly to contain the issue. She noted that Mercor had “moved promptly” to address the incident and limit its potential impact.  “We are conducting a thorough investigation supported by leading third-party forensics experts,” Hagberg said. “We will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible.”  This response indicates that Mercor is treating the data breach as urgent, although specific details about the extent of the breach or the type of data potentially exposed have not yet been disclosed. 

Origins of the LiteLLM Security Incident 

The root cause of the data breach at Mercor can be traced back to the LiteLLM project, where malicious code was discovered in one of its packages. The issue first came to light the previous week and was addressed within hours of detection. Despite the swift response, the incident raised alarms due to LiteLLM’s widespread adoption.  According to security firm Snyk, LiteLLM is downloaded millions of times per day, making it a critical component in many AI workflows. The scale of its usage meant that even a brief compromise could have far-reaching consequences, as seen in the Mercor cyberattack and similar incidents affecting other organizations.  In the aftermath, LiteLLM initiated changes to its compliance and security processes. One notable adjustment included transitioning its compliance certifications from Delve to Vanta, reflecting an effort to strengthen oversight and rebuild trust following the breach. 

Ongoing Investigation and Unanswered Questions 

Despite the available information, several key questions remain unanswered about the Mercor data breach. It is still unclear how many companies were ultimately impacted by the LiteLLM compromise or whether sensitive data was definitively exposed in the case of Mercor.  At the time of reporting, no additional official statements have been released beyond what Mercor shared with media outlets such as TechCrunch. Attempts to obtain further details have not yielded new information, leaving the full scope of the data breach at Mercor uncertain.  The Mercor cyberattack highlights how well-established companies can be affected by weaknesses in third-party tools, particularly those that are widely adopted across industries. The Mercor data breach remains an ongoing situation, with cybersecurity experts and industry observers closely monitoring developments. Further updates are expected as more information becomes available about the attack, its origins, and its broader implications.  
  • ✇@BushidoToken Threat Intel
  • Ransomware Tool Matrix Update: Community Reports BushidoToken
     IntroductionThe Ransomware Tool Matrix continues to be a useful passion project that I am happy to continue maintaining. One piece of common feedback I've received for the Ransomware Tool Matrix was that individuals would like to contribute their observations to it, but do not have public links they can cite (such as a formal blog post on a company website). Therefore, I came up with a plan to make a reporting template to help with this.What are Community Reports?Individuals can now share what
     
  • ↗️

Ransomware Tool Matrix Update: Community Reports

✇@BushidoToken Threat Intel
Por:BushidoToken
13 de Setembro de 2025, 17:38

 


Introduction

The Ransomware Tool Matrix continues to be a useful passion project that I am happy to continue maintaining. One piece of common feedback I've received for the Ransomware Tool Matrix was that individuals would like to contribute their observations to it, but do not have public links they can cite (such as a formal blog post on a company website). Therefore, I came up with a plan to make a reporting template to help with this.

What are Community Reports?

Individuals can now share what tools they have seen various ransomware groups, affiliates, or initial access brokers (IABs) use via the new Community Report Template. The level of detail provided is the contributor's choice. The more verifiable information shared, the increased level of reliability and credibility.

You can view the current list of Community Reports on GitHub here.

Why the need for Community Reports?

Most of the sources of CTI about ransomware TTPs comes from open source reports by organisations such as the US Cybersecurity and Infrastructure Security Agency (CISA), The DFIR Report, and other cybersecurity vendors. From the beginning it was important to recognise the importance of the having public citations by reputable organisations to maintain the reliability and credibility of the resource overall. Consumers of the Ransomware Tool Matrix should feel confident that the information provided is of high standard and legitimate.

The problem was, however, that members of the cybersecurity community who may work with victims of ransomware attacks also have information about what tools which ransomware group uses. 

The sources of this information could come from various sources, such as from Digital Forensics and Incident Response (DFIR) service providers, Managed Security Service Providers (MSSPs), Endpoint Detection and Response (EDR) vendors, or security researchers who manage to obtain threat intelligence about ransomware groups via various other means, such as infiltrating cybercrime forums or open directory hunting.

These sources of information did not currently have a way to contribute to the Ransomware Tool Matrix due to the missing factor of a publicly citable blog.

How do Community Reports work?

Members of the Community with information and tools used by ransomware groups can now share their observations via a structured report template shown below.

Whether to include all the details here is up to the contributor, but this type of reporting system is an option for community members to share their findings with the rest of the community who are interested in this information.


Anyone who wants to submit a Community Report can copy the code, edit in their findings, and submit a pull request to the GitHub repository. Alternatively, they can fork the project and then I can merge their commits to the main branch. More details about how to creating a pull request from a fork can be found in the GitHub's Docs here.

Conclusion

One of the problems of cybersecurity vendor blogs is that a lot of them are marketing material and therefore, details about every ransomware incident a company worked on is not great marketing. However, as CTI analysts, incident responders, threat hunters, and detection engineers, these details are crucial for our day-to-day lives. Hence why the Community Report system was one of the most common pieces of feedback I received and why I created it.

I look forward to the contributions from the community to this new reporting system and hope it helps many more who are keen to see and read about what the latest tools are that the ransomware cybercriminals are using.

❌
❌