AI hiring startup Mercor suffered a security incident after threat actor group TeamPCP compromised LiteLLM, an open-source tool Mercor used in its production AI pipeline. The attack exploited a supply chain dependency, giving attackers a pathway into Mercor’s environment without directly targeting Mercor’s own systems. Meta has suspended active projects with Mercor following the disclosure, indicating business-level impact from the supply chain compromise. The incident illustrates how upstream open-source compromises can trigger downstream business consequences at scale.