Khaberni - Mercur, a company specializing in AI-based recruitment, disclosed that it has been targeted in a cyber attack among a broader series of hacks connected to the open-source LiteLLM project.
The company clarified that it was one of thousands of companies affected by the incident, which is believed to be linked to a hacking group known as TeamPCPK, according to a report published by "Tech Crunch".
This comes at a time when the cyber-extortion group Lapsus$ announced its responsibility for targeting the company, claiming to have obtained internal data, without full clarity on how it was accessed or whether it was a direct result of the attack related to the open-source project.
"Mercur" was founded in 2023 and works with major companies such as "OpenAI" and "Anthropic", providing specialized experts — from scientists and doctors to lawyers — to contribute to the training of AI models.
The company manages daily payments exceeding two million dollars and has a market value of about 10 billion dollars after a funding round worth 350 million dollars in October 2025.
On its part, the company's spokeswoman, Heidi Hagberg, assured that the team acted quickly to contain and resolve the incident, indicating that a comprehensive investigation has begun with support from independent digital investigation experts.
She added that the company will continue to communicate with clients and contractors and allocate the necessary resources to address the situation.
The Lapsus$ group had published samples of data it claimed were stolen from the company, including references to data from the "Slack" platform, in addition to support ticket data, and video clips believed to display interactions between the company's AI systems and contractors.
In contrast, "Mercur" refrained from confirming whether this data was accurate or whether customer information was accessed or misused.
The origin of the crisis dates back to the discovery of malicious code inside one of the programming packages linked to the LiteLLM project last week, before being deleted within hours.
However, the incident has raised widespread concerns due to the extensive use of the programming library, which is downloaded millions of times daily, according to the cybersecurity company Snyk.
Investigations are still ongoing to determine the extent of the damage and the number of affected companies, amid concerns of broader repercussions on software supply chains that rely on open-source projects.
