Mercor, an AI staffing platform that screens contractors through recorded video interviews, confirmed on March 311 that a supply-chain attack against LiteLLM had exposed candidate data. What separates this breach from a standard biometric privacy incident is the combination of data that left: government identity documents and clean voice samples long enough to train a production-quality voice clone, stored together in the same platform.
How TeamPCP Poisoned LiteLLM and Reached Mercor
The initial compromise belonged to TeamPCP, documented by Wiz in March 20262 as running a sustained PyPI credential-theft campaign against open-source AI tooling. The poisoned builds were LiteLLM versions 1.82.7 and 1.82.8, according to reporting on the supply-chain incident1; malicious code in those versions exfiltrated credentials from any service running them. LiteLLM is a popular abstraction layer for routing calls across LLM providers, which is precisely what made the compromised versions valuable as a vector. Hundreds of AI product stacks depend on it.
Mercor’s public statement described itself as “one of thousands of companies impacted” by the LiteLLM supply-chain attack. That framing is technically accurate. It also elides the detail that most companies using LiteLLM are not platforms that store government IDs, biometric voice recordings, and facial geometry scans for tens of thousands of pre-screened contractors.
The 4TB Breakdown: Lapsus$ Claims vs. Confirmed Exposure
Lapsus$ posted the alleged dump on April 43 and listed the contents as 939GB of platform source code, 211GB of user databases, and approximately 3TB of storage buckets containing video interviews, passport and national ID images, and biometric data including facial and voice signals. Lapsus$ also claimed the breach yielded “AI training methodologies of multiple frontier labs.”4
Mercor confirmed the breach occurred but has not confirmed the specific data categories or volumes. Lapsus$ has a documented history of inflating breach claims; the 4TB total and the frontier-lab training-data claim should be treated as unverified. The biometric exposure is consistent across multiple independent sources and aligns with what Mercor’s screening product collects by design.
ByteIota reported5 that more than 40,000 AI contractors were affected, with the stolen video interviews averaging 20 minutes per session. Those interviews embed voice recordings, facial geometry captures, and transcripts. Pulse24 reported on April 273 that the extracted voice samples average 2-5 minutes of clean audio per subject.
Why 40,000 Pre-Verified Voice Samples Change Phishing Economics
Building a targeted vishing operation against enterprise targets has two main cost centers: finding usable voice audio for each target and obtaining credentials that let you impersonate them credibly. Social-media audio is noisy, fragmented, and often unattributed. Video call recordings require prior access. The Mercor dump resolves both problems at once: clean, labeled, studio-interview-quality audio for 40,000 people who already handed over their passport or national ID to prove who they are.
ElevenLabs’ Instant Voice Cloning6 requires 30 seconds to 1-2 minutes of clean audio at minimum, with 3-5 minutes producing materially better output. Professional Voice Cloning starts at 30 minutes. The samples in this breach, averaging 2-5 minutes, clear the instant-cloning floor and land near the lower bound for professional-grade output on any current commercial platform.
The pre-verification angle is what makes this a different class of breach. An attacker who clones a contractor’s voice also has, in the same dataset, the government ID that contractor used to pass Mercor’s screening. That pairing produces something closer to a functional identity than a voice actor. Phone calls to former colleagues, HR departments, or financial institutions become materially harder to challenge when the caller can supply matching ID details.
The scale matters, too. This is not a targeted leak of executives for surgical spear-phishing. Forty thousand subjects is a bulk corpus, structured exactly as an attacker would want it: labeled by real identity, verified by a third party, with enough audio per subject to produce consistent output across multiple call sessions.
The BIPA Lawsuits and the Biometric Enrollment Question
Five federal lawsuits were filed between April 1 and April 75 in California and Texas courts, all citing Biometric Information Privacy Act violations over the biometric data exposure. BIPA covers voice prints explicitly; the suits will likely turn on whether Mercor obtained adequate informed consent before collecting and retaining the data that constitutes its core screening product.
The legal framing focuses on enrollment disclosures and retention schedules. The security question is more direct: Mercor’s screening architecture made biometric data and identity verification structurally inseparable. That design is what made the breach worth staging.
What Security Teams Should Do Now
The LiteLLM vector is the most immediately actionable part of this incident. Any organization that ran LiteLLM in production should audit their version history for builds 1.82.7 and 1.82.8 and treat any credentials or API keys accessible from those environments as compromised. Wiz’s reporting on TeamPCP2 documents a broader PyPI campaign; this was not an isolated package compromise.
The harder lesson concerns target classification. Most security teams would not score an AI contractor-screening platform as a critical-risk vendor. But any platform that combines identity verification with biometric collection is a high-value target: a successful breach yields a weaponizable training set, not just a record dump. The attacker value scales with the platform’s own quality controls.
Enterprise security teams that rely on AI staffing or screening platforms should be asking: what biometric data is retained post-screening, how long it is kept, whether voice or video recordings are stored alongside identity documents, and what the supply chain looks like for any LLM routing tooling in those platforms’ stacks. Those questions were available before April 4.
Frequently Asked Questions
Can these samples produce Professional Voice Cloning quality, or only Instant Voice Cloning tier?
ElevenLabs’ Professional Voice Cloning reaches optimal fidelity at 2-3 hours of source audio, with a 30-minute minimum. The 2-5 minute extracted samples clear Instant Voice Cloning but fall well below the professional tier. Even the full 20-minute interview recordings before audio extraction would not meet the PVC floor. The practical ceiling is high-quality instant cloning—convincing in short bursts, but potentially detectable in extended or high-stakes conversations where prosodic consistency matters.
Did TeamPCP compromise other packages besides LiteLLM?
Yes. KrebsOnSecurity documented TeamPCP in March 2026 running a sustained PyPI credential-theft campaign targeting multiple open-source AI tooling packages, not just LiteLLM. Organizations running any Python AI/ML dependencies that rotated credentials or changed maintainers in early 2026 should treat those environments as potentially compromised, not limit their audit to LiteLLM builds 1.82.7-1.82.8 alone.
Would deleting recordings after screening have prevented the voice-clone risk?
Retention duration is the deciding control. If voice and facial geometry recordings were purged after screening decisions were made, the breach would still have exposed identity documents but not the biometric-identity pairing that produces weaponizable impersonation kits. Any platform that combines identity verification with biometric collection faces the same structural risk regardless of access controls; the data should not coexist in the same system once the verification step is complete.
Could the facial geometry data be combined with voice samples for video deepfakes?
The dataset includes all three inputs needed for multi-modal impersonation: facial geometry, clean voice audio, and government IDs for the same individuals. This enables synchronized video deepfakes paired with cloned audio—something a voice-only or ID-only leak cannot produce. Real-time deepfake video calling a target’s colleague or HR department, backed by matching ID details, represents a higher-fidelity attack than voice cloning alone and is substantially harder to challenge through standard verification questions.