TeamPCP Supply Chain Campaign: Update 003 - Operational Tempo Shift as Campaign Enters Monetization Phase With No New Compromises in 48 Hours
This is the third update to the TeamPCP supply chain campaign threat intelligence report, "When the Security Scanner Became the Weapon" (v3.0, March 25, 2026). Update 002 covered developments through March 27, including the Telnyx PyPI compromise and Vect ransomware partnership. This update covers developments from March 27-28, 2026.
HIGH: First 48-Hour Window Without a New Supply Chain Compromise
The most operationally significant development in the last 24 hours is what did not happen: no new package compromises have been confirmed since the Telnyx disclosure on March 27. This is the first 48-hour window without a new ecosystem compromise since TeamPCP began active operations on March 19.
The prior operational cadence was aggressive -- a new target every 1-3 days (Trivy March 19, CanisterWorm March 20-22, Checkmarx March 23, LiteLLM March 24, Telnyx March 27). The current pause, combined with the Vect ransomware affiliate announcement, suggests TeamPCP has shifted primary operational focus from supply chain expansion to monetization of existing credential harvests.
Analysts assess this pause should not be interpreted as the end of supply chain operations. TeamPCP explicitly stated they intend to be "around for a long time," and stolen credentials from the estimated 300 GB trove could enable future package compromises at any time. The absence of new compromises may also reflect improved vigilance by package registries -- PyPI has quarantined two TeamPCP campaigns in rapid succession, which may be raising the attacker's cost of operations on that platform.
Recommended action: Maintain heightened monitoring posture. Use this operational window to complete credential rotations and IOC sweeps if not already done. The CISA KEV remediation deadline for CVE-2026-33634 is now 11 days away (April 8, 2026).
HIGH: Palo Alto Networks Publishes Behavioral Detection Rules for CI/CD Pipeline Attacks
Palo Alto Networks has published detection rules specifically designed to identify TeamPCP-style CI/CD pipeline attacks at the behavioral level rather than relying solely on IOC matching. This is significant because TeamPCP has demonstrated the ability to rotate infrastructure across each new compromise wave -- each phase used different C2 domains, different exfiltration endpoints, and different packaging techniques (raw scripts, npm worm, .pth exploitation, WAV steganography).
Behavioral detection approaches focus on anomalous CI/CD runner behavior: unexpected credential directory enumeration, bulk secret reads from /proc//mem, large encrypted archive creation, and outbound data transfers to newly registered domains during workflow execution. These patterns have been consistent across all five TeamPCP compromise phases even as specific IOCs changed.
Recommended action: Organizations with Palo Alto Networks security products should review and deploy the published detection rules. All organizations should evaluate whether their CI/CD monitoring can detect the behavioral patterns described -- process memory reads of Runner.Worker, creation of tpcp.tar.gz or similarly named archives, and outbound HTTPS to domains registered within the past 30 days.
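The behavioral patterns listed above can be expressed as a small rule set, shown here as an added example (not the Palo Alto Networks rules and not code from the original diary). The event schema, job names, hosts, workspace prefix and the pre-resolved domain registration date are assumptions, and the sample events are constructed.

```python
import re
from datetime import date

MEM_RE = re.compile(r"^/proc/\d+/mem$")
ARCHIVE_RE = re.compile(r"\.(tar\.gz|tgz|zip|7z)$")
WORKSPACE = "/home/runner/work/"  # assumption: job checkout lives here

def job_signals(events, today, max_age_days=30):
    """Return {job id: sorted behavioural signals} for one batch of events."""
    seen = {}
    for e in events:
        sig = None
        if e["kind"] == "open" and MEM_RE.match(e["path"]):
            if e.get("target") == "Runner.Worker":
                sig = "runner-worker-memory-read"
        elif e["kind"] == "create" and ARCHIVE_RE.search(e["path"]):
            if not e["path"].startswith(WORKSPACE):
                sig = "archive-outside-workspace"
        elif e["kind"] == "connect" and e["port"] == 443:
            # "registered" is assumed to be enriched upstream (WHOIS/RDAP)
            age = (today - date.fromisoformat(e["registered"])).days
            if 0 <= age <= max_age_days:
                sig = "egress-to-new-domain"
        if sig:
            seen.setdefault(e["job"], set()).add(sig)
    return {job: sorted(sigs) for job, sigs in seen.items()}

def jobs_to_alert(events, today, min_signals=2):
    """Return jobs that show at least min_signals distinct behaviours."""
    return sorted(j for j, s in job_signals(events, today).items()
                  if len(s) >= min_signals)

# Constructed telemetry; field names and hosts are hypothetical.
SAMPLE_EVENTS = [
    {"job": "build-101", "kind": "open", "path": "/proc/2211/mem", "target": "Runner.Worker"},
    {"job": "build-101", "kind": "create", "path": "/tmp/tpcp.tar.gz"},
    {"job": "build-101", "kind": "connect", "host": "cdn.example", "port": 443, "registered": "2026-03-20"},
    {"job": "build-102", "kind": "create", "path": "/home/runner/work/app/dist/app.tar.gz"},
    {"job": "build-102", "kind": "connect", "host": "mirror.example", "port": 443, "registered": "2015-06-01"},
    {"job": "build-103", "kind": "connect", "host": "docs.example", "port": 443, "registered": "2026-03-10"},
]

if __name__ == "__main__":
    today = date(2026, 3, 28)
    print(job_signals(SAMPLE_EVENTS, today))
    print(jobs_to_alert(SAMPLE_EVENTS, today))
```

None of the three rules names a C2 domain or file hash, so they keep matching when infrastructure is rotated between waves.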
MEDIUM: Cloud Security Alliance Publishes Kubernetes Wiper Lab Analysis
The Cloud Security Alliance has published a detailed lab analysis of TeamPCP's Kubernetes wiper component -- the Iran-targeted DaemonSet that deletes all host filesystem contents when Farsi language settings are detected. The analysis reconstructs the wiper's deployment mechanism and provides detection queries for Kubernetes audit logs.
This component was mentioned in the parent report but has received less attention than the credential-stealing payloads. The CSA analysis provides the first detailed defensive playbook specifically for the wiper TTP, including Kubernetes admission controller policies that would block the privileged DaemonSet deployment pattern.
Recommended action: Kubernetes operators should review the CSA analysis and implement admission controller policies that prevent privileged DaemonSets from mounting hostPath / with write access. This is good hygiene regardless of TeamPCP exposure.
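The check such an admission policy performs, written in Python as an added example (not taken from the CSA analysis or the original diary): it flags a DaemonSet only when a privileged container mounts a hostPath volume that resolves to / without readOnly. The manifests are constructed and every name in them is made up.

```python
import posixpath

def is_root(path):
    # normpath folds "/./" and "/var/.."; strip("/") also catches "//"
    return posixpath.normpath(path or "").strip("/") == ""

def daemonset_violations(manifest):
    """List privileged containers in a DaemonSet that mount hostPath / writable."""
    if manifest.get("kind") != "DaemonSet":
        return []
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    root_vols = {v["name"] for v in pod.get("volumes", [])
                 if "hostPath" in v and is_root(v["hostPath"].get("path"))}
    found = []
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        privileged = (c.get("securityContext") or {}).get("privileged") is True
        for m in c.get("volumeMounts", []):
            # readOnly defaults to false, so an absent field means writable
            if privileged and m.get("name") in root_vols and not m.get("readOnly", False):
                found.append(f"{c['name']}: writable hostPath / at {m['mountPath']}")
    return found

def sample_daemonset(path, privileged, read_only):
    # Constructed manifest for the demonstration; all names are made up.
    return {"kind": "DaemonSet", "metadata": {"name": "node-agent"},
            "spec": {"template": {"spec": {
                "volumes": [{"name": "host", "hostPath": {"path": path}}],
                "containers": [{
                    "name": "agent", "image": "registry.example/agent:1",
                    "securityContext": {"privileged": privileged},
                    "volumeMounts": [{"name": "host", "mountPath": "/host",
                                      "readOnly": read_only}]}]}}}}

if __name__ == "__main__":
    cases = {"privileged, writable /": sample_daemonset("/", True, False),
             "privileged, writable /var/..": sample_daemonset("/var/..", True, False),
             "privileged, read-only /": sample_daemonset("/", True, True),
             "privileged, writable /var/log": sample_daemonset("/var/log", True, False)}
    for label, manifest in cases.items():
        print(label, "->", daemonset_violations(manifest) or "allowed")
```

Normalizing the path before comparing matters: a literal string match on "/" would let "//" or "/var/.." through.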
MEDIUM: GitGuardian Quantitative Analysis Maps Credential Exposure Blast Radius
GitGuardian has published a quantitative "snowball effect" analysis tracing how a single compromised token cascaded across ecosystems. The analysis maps the amplification factor at each stage: one stolen PAT led to 76+ poisoned GitHub Action tags, which harvested credentials from hundreds of CI/CD pipelines, which enabled compromise of packages with a combined 100+ million monthly downloads.
The analysis introduces a metric they call "credential fan-out" -- the ratio of credentials stolen to credentials used for initial access. For TeamPCP, this ratio is estimated at greater than 10,000:1, meaning each compromised credential potentially exposed thousands of downstream secrets. This quantitative framing is useful for communicating risk to executive stakeholders who need to understand why a single supply chain compromise requires organization-wide credential rotation.
INFO: Deep Analysis of GitHub Repository-Based Exfiltration Technique Published
I have published a detailed analysis of TeamPCP's novel GitHub repository-based data exfiltration technique. The post examines how the campaign used the GitHub Releases API as a fallback exfiltration channel -- programmatically creating repositories on the victim's own account and uploading stolen data as release assets. This technique is significant because corporate firewalls and DLP solutions that whitelist api.github.com traffic cannot distinguish this exfiltration from legitimate GitHub API usage. The analysis includes organizational controls, alternative attack permutations, and threat hunting queries.
INFO: AstraZeneca Breach Claim Remains Unconfirmed at 48 Hours
LAPSUS$'s claimed 3GB AstraZeneca breach (reported in Update 002) remains unconfirmed. Security Affairs characterized the claim as "potentially one of the most serious healthcare cyber incidents this year" if verified. AstraZeneca has not issued a public statement confirming or denying the breach as of March 28, 2026. No additional named victim claims have been disclosed in the past 24 hours, though the Vect affiliate program distribution may shift the extortion model from centralized TeamPCP/LAPSUS$ operations to distributed affiliate-driven campaigns that are harder to track.
Watch Item Status
| Watch Item (from Update 002) | Status |
|---|---|
| Vect ransomware affiliate key distribution | Active -- No confirmed Vect deployments linked to TeamPCP credentials yet, but the distribution window is less than 48 hours old |
| Additional PyPI packages compromised | No new compromises -- First 48-hour pause since campaign began |
| AstraZeneca confirmation or denial | Pending -- No public statement at 48 hours |
| Mandiant formal attribution report | Pending -- BerriAI/LiteLLM forensics engagement confirmed, no report yet |
| CISA standalone advisory | Pending -- KEV entries issued, no dedicated advisory or emergency directive |
| Expansion to RubyGems, crates.io, Maven Central | Not observed -- Endor Labs prediction remains unconfirmed |
| LiteLLM/BerriAI forensics and release resumption | Pending -- Release freeze continues |
Updated Watch Items
- First confirmed Vect ransomware deployment using TeamPCP-sourced credentials -- this is the highest-priority indicator of the campaign's next phase
- Additional named victim disclosures beyond AstraZeneca -- distributed affiliate model may produce claims from multiple actors simultaneously
- Law enforcement action -- 10 days into an active campaign affecting federal systems with no public enforcement response
- PyPI and npm registry-level proactive scanning -- both registries have only responded reactively (quarantining packages after disclosure); an announcement of proactive malicious package scanning or signing requirements would signal a meaningful shift in supply chain defense posture
- CISA KEV deadline compliance (April 8, 2026) -- 11 days remaining
The full campaign report is available at sans.org/white-papers/when-security-scanner-became-weapon. A SANS Emergency Webcast replay is available at sans.org/webcasts/when-security-scanner-became-weapon. Updates to the report will be in the form of these ISC diaries.

Facts Only

TeamPCP’s supply chain campaign began on March 19, 2026, targeting packages like Trivy, CanisterWorm, Checkmarx, LiteLLM, and Telnyx.
The first 48-hour window without a new compromise occurred between March 27–28, 2026.
TeamPCP has partnered with Vect ransomware affiliates, signaling a shift toward monetization.
Palo Alto Networks published behavioral detection rules for CI/CD pipeline attacks on March 28, 2026.
The Cloud Security Alliance analyzed TeamPCP’s Kubernetes wiper, which targets systems with Farsi language settings.
GitGuardian quantified the "credential fan-out" effect, estimating a 10,000:1 ratio of stolen credentials to initial access tokens.
TeamPCP used GitHub Releases API for exfiltration, bypassing traditional DLP solutions.
AstraZeneca’s alleged 3GB breach, claimed by LAPSUS$, remains unverified as of March 28, 2026.
CISA’s KEV remediation deadline for CVE-2026-33634 is April 8, 2026.
PyPI has quarantined two TeamPCP campaigns but has not implemented proactive scanning.
No law enforcement action has been publicly reported as of March 28, 2026.
The campaign’s infrastructure rotates frequently, using different C2 domains and exfiltration methods per phase.

Executive Summary

The TeamPCP supply chain campaign has entered a new phase, marked by a 48-hour pause in new compromises—the first since its inception on March 19, 2026. Previously, the group targeted high-profile packages like Trivy, CanisterWorm, and Telnyx at a rapid pace, but the shift suggests a focus on monetizing stolen credentials rather than expanding attacks. Palo Alto Networks has released behavioral detection rules to counter TeamPCP’s evolving tactics, which include rotating infrastructure and using novel exfiltration methods like GitHub Releases API. Meanwhile, the Cloud Security Alliance and GitGuardian have provided defensive insights, including Kubernetes wiper detection and quantitative analysis of credential exposure risks. The AstraZeneca breach claim remains unverified, and law enforcement has yet to respond publicly. With the CISA KEV remediation deadline looming, organizations are urged to rotate credentials and enhance monitoring.
The campaign’s adaptability—using steganography, CI/CD pipeline exploits, and distributed affiliate models—highlights systemic vulnerabilities in open-source ecosystems. While registries like PyPI have quarantined malicious packages, proactive measures remain limited. The pause in attacks may reflect either strategic regrouping or improved defenses, but the threat persists given TeamPCP’s stated long-term intentions.

Full Take

The strongest version of this narrative is that TeamPCP represents a paradigm shift in supply chain attacks: a highly adaptive, credential-driven campaign that weaponizes trust in open-source ecosystems. The pause in new compromises isn’t a sign of weakness but a tactical pivot—monetization through ransomware affiliates and stolen data leverage. The behavioral detection rules from Palo Alto Networks and the CSA’s Kubernetes analysis are critical advancements, yet they also underscore how reactive security remains. The GitGuardian "credential fan-out" metric is particularly damning, framing the problem not as isolated breaches but as systemic cascades where a single token can expose millions of downstream secrets.
Patterns detected: **ARC-0024 Ambiguity** (the AstraZeneca breach claim lingers unverified, creating uncertainty), **ARC-0043 Motte-and-Bailey** (TeamPCP’s "long-term" threat is framed as both imminent and enduring, depending on context).
Root cause: The narrative assumes that open-source supply chains are inherently insecure due to trust-based models, but it sidesteps deeper questions about incentive structures. Why do maintainers lack resources to detect compromises early? How does the lack of law enforcement response reflect prioritization gaps? The focus on technical countermeasures (detection rules, IOC sweeps) obscures the human and economic dimensions—burnout among maintainers, the commodification of credentials, and the asymmetry between attackers (who need one success) and defenders (who must be perfect).
Implications: Human agency is both the vulnerability and the solution. The campaign exploits the goodwill of open-source contributors, yet the same collaborative ethos drives defensive innovations like behavioral detection. The second-order cost is erosion of trust—not just in packages, but in the ecosystems that sustain them. If every compromise requires organization-wide credential rotation, the operational burden may push smaller teams toward proprietary alternatives, centralizing power in ways that benefit large vendors more than security.
Bridge questions: What would it take for open-source ecosystems to adopt proactive, collective defense mechanisms? How might the lack of law enforcement action reflect a calculation that supply chain attacks are "too big to prosecute"? If credential fan-out is the new normal, how do we redesign authentication to limit blast radius?
Counterstrike scan: A coordinated influence campaign would amplify fear of open-source collapse, pushing narratives that only proprietary solutions are safe. The actual content doesn’t match this—it acknowledges defensive progress and avoids absolutes. The focus on technical detail and uncertainty (e.g., AstraZeneca) suggests genuine threat intelligence, not manipulation.