A supply-chain attack on an open-source AI tool has left Mercor, the $10 billion startup fueling models for OpenAI, Anthropic, and Meta, exposed. Hackers snatched 4 terabytes of contractor data—voice samples, passports, facial scans, source code. Lapsus$ posted it on their leak site April 4, 2026. Within days, lawsuits piled up. Contractors claim Mercor hoarded their biometrics without clear warnings. The breach started March 27. TeamPCP compromised LiteLLM, a proxy downloaded millions of times daily for routing calls to large language models. For 40 minutes, two versions harbored credential-stealing malware. It grabbed SSH keys, cloud tokens, everything in .env files. Attackers pivoted. Lateral movement through infected systems. Mercor got hit hard. TechCrunch broke the confirmation March 31. Mercor told staff and posted on LinkedIn and X: “We recently identified that we were one of thousands of companies impacted by a supply chain attack involving LiteLLM.” But the damage ran deeper.…
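The article names the three kinds of material the malicious package harvested: SSH keys, cloud tokens, and the contents of .env files. The first question a responder asks after a compromised dependency has run on a host is which of those secrets were reachable and therefore need rotating. The script below is an added example, not code from the article, from LiteLLM or from Mercor. It walks a directory tree and inventories credential material of exactly those three kinds, reporting file paths and variable names only, never values. The filename patterns, the credential-looking variable name heuristic, and the sample tree it builds are all assumptions made for the example.

```python
"""
Post-incident credential inventory (added example; not from the article,
LiteLLM or Mercor). Lists the secret material a stealer that harvests SSH keys,
cloud tokens and .env files would have been able to read under a given root,
so the owning team knows what to rotate. Values are never printed or returned.
"""
import re
import tempfile
from pathlib import Path

# Assumed filename conventions for the three categories named in the article.
ENV_FILE_RE = re.compile(r"^\.env(\..+)?$")             # .env, .env.local, .env.production
AWS_CRED_FILES = {"credentials", "config"}               # ~/.aws/credentials, ~/.aws/config
SSH_PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----")
# Heuristic: a dotenv variable whose name contains one of these words is a credential.
SECRET_NAME_RE = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL)", re.IGNORECASE)


def env_secret_names(text: str) -> list[str]:
    """Return the variable names in dotenv text that look like credentials.
    The values after '=' are discarded so the report itself leaks nothing."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name = line.split("=", 1)[0].removeprefix("export ").strip()
        if SECRET_NAME_RE.search(name):
            names.append(name)
    return names


def inventory(root: str) -> list[dict]:
    """Walk `root` and list files a credential stealer would have harvested."""
    findings = []
    base = Path(root)
    for path in base.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(base).as_posix()
        if ENV_FILE_RE.match(path.name):
            findings.append({"path": rel, "kind": "dotenv",
                             "names": env_secret_names(path.read_text(errors="replace"))})
        elif path.parent.name == ".ssh":
            # Only the header is read; private key material is never loaded whole.
            if SSH_PRIVATE_KEY_HEADER.search(path.read_text(errors="replace")[:64]):
                findings.append({"path": rel, "kind": "ssh_private_key", "names": []})
        elif path.parent.name == ".aws" and path.name in AWS_CRED_FILES:
            findings.append({"path": rel, "kind": "aws_credentials", "names": []})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Create a constructed home-directory-like tree with obviously fake secrets."""
    root = Path(tempfile.mkdtemp(prefix="cred-inventory-"))
    (root / ".env").write_text(
        "# constructed sample\n"
        "OPENAI_API_KEY=sk-CONSTRUCTED-PLACEHOLDER\n"
        "DATABASE_URL=postgres://localhost/app\n"
        "export AWS_SECRET_ACCESS_KEY=CONSTRUCTED-PLACEHOLDER\n"
    )
    (root / ".ssh").mkdir()
    (root / ".ssh" / "id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    )
    (root / ".ssh" / "id_ed25519.pub").write_text("ssh-ed25519 AAAA-constructed\n")
    (root / ".aws").mkdir()
    (root / ".aws" / "credentials").write_text(
        "[default]\naws_access_key_id = CONSTRUCTED\naws_secret_access_key = CONSTRUCTED\n"
    )
    (root / "README.md").write_text("nothing sensitive here\n")
    return str(root)


def demo() -> list[dict]:
    """Build the constructed tree and return the rotation inventory for it."""
    return inventory(build_sample_tree())


if __name__ == "__main__":
    for finding in demo():
        names = ", ".join(finding["names"]) if finding["names"] else "-"
        print(f"{finding['kind']:18} {finding['path']:22} {names}")
```

Run against a real home directory or a build agent's workspace, the output is a rotation checklist: every dotenv variable named, every private key path, every AWS profile file. Public keys and files with no credential-looking names are deliberately left out so the list stays actionable.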