The AI Control Problem

The Mercor Breach Exposed AI's Most Guarded Secret: How Models Get Trained

TV
Thiago Victorino
8 min read
The Mercor Breach Exposed AI's Most Guarded Secret: How Models Get Trained
Listen to this article

When we covered the LiteLLM supply chain attack in late March, we focused on the technical vector: a malicious PyPI package that turned an AI gateway into a credential exfiltration tool. In our follow-up analysis, we traced how the compromise reached Mercor, a $10 billion AI data contracting firm, and asked what the downstream consequences would look like.

Now we know.

Training Data Is the Crown Jewel

WIRED’s investigative report, published April 3, reveals what the LiteLLM breach actually compromised at Mercor. Not just Slack messages and internal communications. The breach exposed the processes by which Meta, OpenAI, and Anthropic train their models.

Mercor is one of a handful of firms these labs rely on to generate proprietary training datasets. The company hires massive contractor networks to create bespoke data that shapes how frontier models reason, verify facts, and respond to queries. This data is kept “highly secret,” according to WIRED, because it reveals to competitors (including Chinese AI labs) the specific methods behind products like ChatGPT and Claude Code.

An attacker using the Lapsus$ name offered to sell 200+ GB of database contents, nearly 1 TB of source code, and 3 TB of video and other data. Researchers attribute the actual breach to TeamPCP, the same group behind the LiteLLM compromise itself.

The scale matters less than the category. This was not a leak of user data or API keys. It was a leak of the recipe.

Meta Walked Away

Meta’s response tells you everything about the severity. The company paused all work with Mercor, indefinitely. Contractors staffed on Meta projects cannot log hours until the project resumes. Some may never return.

One affected project, internally called Chordus, was teaching AI models to verify their responses by cross-referencing multiple internet sources. A project lead told contractors in Slack that Mercor was “currently reassessing the project scope.” That is corporate language for: we do not know when this comes back.

OpenAI has not stopped its current projects but is investigating how its proprietary training data may have been exposed. Anthropic did not respond to WIRED’s request for comment.

The pattern here is striking. Three frontier AI labs entrusted their most competitively sensitive work to a single vendor category. When that vendor was compromised through a supply chain attack on an open-source dependency, the labs lost control of data they considered a core competitive asset.

Secrecy Is Not Security

Mercor and its competitors (Surge, Handshake, Turing, Labelbox, Scale AI) have built their businesses on secrecy. They use codenames for projects. Their CEOs rarely speak publicly about specific contracts. The secrecy is so thorough that even contractors on the same platform sometimes do not know which lab their work serves.

This operational secrecy created an illusion of protection. If nobody talks about the data, the thinking goes, nobody can target it.

But secrecy is an access control for humans. It does nothing against a compromised software dependency. LiteLLM did not need to know what Mercor’s projects were called or which lab they served. It just needed to be in the dependency tree. The malicious code exfiltrated everything it could reach, regardless of how many codenames protected it.

As we wrote in Your AI Provider Is a Supply Chain Risk, the security posture of your AI vendor is your security posture. Mercor’s clients outsourced their most sensitive data operations to a company that, in turn, depended on open-source AI middleware without the supply chain controls that dependency warranted.

The Worker Dimension Nobody Discusses

There is a human cost buried in this story that the industry prefers to ignore.

Mercor’s contractors are the people who actually create AI training data. They write examples, evaluate model outputs, and build the datasets that make frontier models useful. When Meta paused its Mercor projects, these workers lost their income with no timeline for return.

A Mercor employee told contractors that the company was “working to find additional projects for those impacted.” But AI training contracts are not interchangeable. A contractor trained on Meta’s Chordus project has specialized knowledge about that specific initiative. Moving to a different project means starting over.

This dependency runs both directions. The labs depend on contractors for data quality. The contractors depend on the labs for employment. Neither party controls the middleware in between. When LiteLLM was compromised, both sides of that relationship suffered consequences, but only the contractors lost their paychecks.

Three Layers of Failure

Walk backward through the chain to see where governance failed.

Layer one: the middleware. LiteLLM, an open-source AI proxy, was compromised through a malicious package update. We covered this in detail previously. The technical controls that would have caught it (dependency pinning, package integrity verification, runtime file monitoring) were absent or insufficient.

Layer two: the vendor. Mercor incorporated LiteLLM into its infrastructure. When the compromised update was installed, the attacker inherited access to everything the proxy could reach. Mercor confirmed the attack on March 31, telling staff that “thousands of other organizations worldwide” were also affected.

Layer three: the client. Meta, OpenAI, and Anthropic entrusted proprietary training data to Mercor without, apparently, sufficient contractual or technical controls to limit blast radius. When Mercor was compromised, the labs’ competitive secrets were exposed through a vendor they chose not because of its security posture, but because of its ability to generate high-quality training data at scale.

Each layer trusted the one below it. None of them verified.

What This Reveals About AI Supply Chain Maturity

Traditional supply chain security has a concept called “nth-party risk.” Your vendor (first party) depends on their vendors (second party), who depend on their vendors (third party), and so on. A compromise at any level cascades upward.

The AI training supply chain adds a complication. The data flowing through it is not just operationally sensitive. It is the competitive differentiator. When a car manufacturer’s supplier is breached, the attacker might get production schedules or pricing data. When an AI lab’s training data vendor is breached, the attacker gets the methodology behind the product itself.

This asymmetry means AI training supply chains require controls proportional to the value of what flows through them. Right now, those controls are proportional to the perceived risk of “another SaaS vendor,” which is how most organizations categorize companies like Mercor.

That categorization is wrong. Mercor is not a SaaS vendor. It is a strategic asset custodian.

The Question for Every AI Organization

If you outsource any part of your AI training, evaluation, or fine-tuning pipeline, you need to answer two questions.

First: do you know every software dependency in your data vendor’s stack? Not their product. Their dependencies. The libraries, proxies, and middleware that touch your data between the contractor’s keyboard and your model’s training run.

Second: do your contracts with that vendor include supply chain security requirements? Not SOC 2 compliance. Specific controls: dependency pinning policies, package integrity verification, network egress monitoring, incident notification timelines measured in hours rather than days.

If you cannot answer both questions, your training data is protected by secrecy and hope. Mercor proved that neither is sufficient.

This analysis builds on WIRED’s investigative report by Maxwell Zeff, Zoe Schiffer, and Lily Hay Newman (April 2026), and extends our earlier coverage of the LiteLLM attack in When the AI Gateway Becomes the Attack Vector (March 2026) and The First AI Gateway Supply Chain Attack (April 2026).

Victorino Group helps organizations govern their AI training supply chains before a vendor breach becomes a competitive intelligence loss. Let’s talk.

All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com . About The Thinking Wire →

Part of The Thinking Wire, published by Victorino Group.

If this resonates, let's talk

We help companies implement AI without losing control.

Schedule a Conversation