Meta Pauses Work With Mercor After LiteLLM-Linked Data Breach
A PyPI attack via compromised credentials exposes the fragile vendor layer powering AI giants.
Meta has indefinitely suspended its collaboration with AI training startup Mercor in the wake of a significant supply chain security breach linked to the open-source LiteLLM project. According to reports from WIRED and TechCrunch, attackers compromised maintainer credentials to publish malicious versions (1.82.7 and 1.82.8) of the LiteLLM library to the Python Package Index (PyPI). These tainted packages were available for approximately 40 minutes, creating a critical window for downstream exposure. Mercor, which facilitates over $2 million in daily payouts and connects major AI labs like OpenAI and Anthropic with contractors for model training and evaluation, was one of thousands of companies affected by this dependency compromise.
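A defender's check for the versions named above, as an added example that is not from the article or the LiteLLM project: it scans a pip requirements file for lines that pin LiteLLM 1.82.7 or 1.82.8, or whose version range admits them. The function names and the sample file are constructed for illustration, and only plain numeric versions are handled.

```python
import re

# Malicious versions named in the article, keyed by PEP 503-normalized project name.
BAD = {"litellm": [(1, 82, 7), (1, 82, 8)]}

REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?([^;#]*)")
CLAUSE = re.compile(r"(===|==|~=|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)(\.\*)?")

def admits(op, want, wildcard, cand):
    """True if version tuple `cand` satisfies one specifier clause."""
    if wildcard:                               # ==1.82.* / !=1.82.* prefix match
        return (cand[:len(want)] == want) == (op != "!=")
    n = max(len(want), len(cand))
    w, c = want + (0,) * (n - len(want)), cand + (0,) * (n - len(cand))
    if op == "~=":                             # compatible release
        return c >= w and cand[:len(want) - 1] == want[:-1]
    return {"==": c == w, "===": c == w, "!=": c != w, ">=": c >= w,
            "<=": c <= w, ">": c > w, "<": c < w}[op]

def scan(requirements_text):
    """Return (line_no, status, versions) for lines that pin or admit a bad version."""
    findings = []
    for no, raw in enumerate(requirements_text.splitlines(), 1):
        m = REQ.match(raw.strip())
        if not m:
            continue                           # comments, blank lines, pip options
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        clauses = [(op, tuple(map(int, v.split("."))), bool(wc))
                   for op, v, wc in CLAUSE.findall(m.group(2))]
        hit = [v for v in BAD.get(name, [])
               if all(admits(op, w, wc, v) for op, w, wc in clauses)]
        if hit:
            exact = any(op in ("==", "===") and not wc for op, _, wc in clauses)
            findings.append((no, "pinned" if exact else "range-admits",
                             [".".join(map(str, v)) for v in hit]))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """\
# constructed requirements file
requests>=2.31
LiteLLM[proxy]==1.82.7
litellm>=1.80,<1.83
litellm~=1.82.0  # compatible release
litellm==1.82.6
litellm>=1.82.9
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A "range-admits" finding means only that a resolver could have selected a tainted release while it was published, so it needs to be followed up against lock files and the installed environment.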
The incident underscores the profound security vulnerabilities embedded within the AI development supply chain. Mercor operates in a sensitive operational layer—the workflow between AI companies and the human experts who build, label, and evaluate models. A breach at this intermediary point means proprietary training data and internal processes from top labs could be exposed without a direct attack on their own systems. While Mercor has engaged third-party forensics and contained the incident, the hacking group Lapsus$ has claimed to have stolen over 4TB of data, a claim still under investigation. The fallout extends beyond Mercor, prompting a broader reevaluation of vendor security by AI labs and serving as a stark warning that innovation risk in AI extends far beyond the model layer to the foundational tools and partners enabling it.
- Supply chain attack originated with compromised maintainer credentials, which were used to upload malicious LiteLLM packages that stayed on PyPI for ~40 minutes.
- Mercor facilitates >$2M in daily payouts as a critical vendor linking OpenAI, Anthropic, and Meta to training contractors.
- Breach exposes the 'workflow layer' of AI development, where a single dependency compromise can threaten multiple labs' proprietary data.
Why It Matters
The breach shows how fragile the AI supply chain is: a single compromised open-source tool can jeopardize the proprietary data of multiple industry giants.