**TeamPCP Supply Chain Campaign: Update 004 - Databricks Investigating Alleged Compromise, TeamPCP Runs Dual Ransomware Operations**

The TeamPCP supply chain campaign has taken a turn for the worse, with new developments emerging every day. In this update, we'll cover the alleged compromise of cloud data analytics platform Databricks, TeamPCP's dual ransomware operations, and the release of AstraZeneca data by LAPSUS$.

**Databricks Investigating Alleged Compromise Linked to TeamPCP**

According to CybersecurityNews, Databricks is investigating an alleged security compromise linked to the TeamPCP credential harvest. International Cyber Digest reported that they notified Databricks last week and the company scaled up its investigation. Analysts have corroborated that screenshots showing AWS artifacts, CloudFormation dumps, and STS tokens match TeamPCP's exact playbook.

If confirmed, this would be the first major cloud platform identified as a downstream victim of TeamPCP's credential trove - distinct from the security tool vendors (Aqua, Checkmarx, BerriAI, Telnyx) directly compromised in the supply chain phase. The distinction matters: tool vendor compromises expanded TeamPCP's credential pool, while a Databricks compromise would represent the monetization of that pool against an enterprise target processing sensitive data across AWS, GCP, and Azure.

Databricks has not issued an official statement, but its Head of Global Communications and external PR agency FGS Global have confirmed the authenticity of the new @DatabricksSec X account. They stated they "thoroughly investigated this information in our internal systems and found nothing" and have "asked for more information beyond this screenshot." Recommended action: Organizations using Databricks should monitor for an official statement. If your CI/CD pipelines were exposed to any TeamPCP-compromised component AND those pipelines had access to Databricks credentials, treat those credentials as potentially compromised regardless of whether Databricks confirms the breach.

**TeamPCP Operates Dual Ransomware Tracks - CipherForce Is Their Own Operation**

Update 002 documented TeamPCP's partnership with the Vect ransomware-as-a-service operation and BreachForums mass affiliate key distribution. New intelligence reveals that Vect is not TeamPCP's only ransomware channel. According to Flare and corroborated by Rami McCarthy's IOC tracker, TeamPCP operates under five confirmed aliases: PCPcat, ShellForce, DeadCatx3, CipherForce, and Persy_PCP.

TeamPCP's own Telegram channel states: "you may already know us as TeamPCP or Shellforce... CipherForce is a newer project we are starting to find affiliates." CipherForce is TeamPCP's own ransomware operation, separate from the Vect partnership. This means TeamPCP is running two parallel ransomware tracks simultaneously: their proprietary CipherForce program for direct operations, and the mass Vect affiliate program via BreachForums for distributed operations.

The SANS ISC Stormcast for March 30 also notes "more and more links between the TeamPCP crew and various ransomware actors" -- plural -- consistent with this dual-track model. Analysts assess this dual-track approach allows TeamPCP to maintain direct control over high-value targets (via CipherForce) while simultaneously flooding the ecosystem with mass affiliate operations (via Vect). The 300 GB stolen credential trove can feed both tracks simultaneously.

Recommended action: Detection teams monitoring for Vect ransomware indicators should also add CipherForce to their watchlist. The strongest attribution link across all TeamPCP operations is a shared RSA-4096 public key embedded in payloads -- search for this key in forensic artifacts from any suspected TeamPCP exposure.

**LAPSUS$ Releases AstraZeneca Data Free After Failed Sale Attempt**

The LAPSUS$/AstraZeneca breach claim documented in Updates 002-003 has escalated. Cybernews and Cybersecurity Insiders report two developments: AstraZeneca has still not issued any public statement confirming or denying the breach at approximately 96 hours since the initial claim.

Analysts assess that AstraZeneca's continued silence, combined with GDPR obligations if EU employee data is in the dump, creates increasing regulatory exposure with each passing day. Recommended action: Organizations should treat this as a probable confirmed breach for defensive planning purposes. If your organization shares integrations, data, or credentials with AstraZeneca, assess whether the exposed repository structures and configurations could affect your security posture.

Given AstraZeneca's clinical research operations, the dump may contain protected health information (PHI) subject to HIPAA in the US and GDPR in the EU. Organizations with data-sharing agreements with AstraZeneca should evaluate whether their data may be in the exposed archive and prepare breach notification workflows accordingly.

**ownCloud Discloses Build Infrastructure Impact From CVE-2026-33634**

ownCloud published a security notice confirming their build infrastructure -- the systems producing container images and client binaries -- was affected by CVE-2026-33634 (the Trivy compromise). ownCloud confirms: no customer data compromised, no source code altered, impact limited to build systems only.

This is one of the first named downstream organizations to publicly disclose that they were in the blast radius of the Trivy supply chain compromise. The disclosure is notable for its transparency -- most affected organizations have remained silent despite the CISA KEV entry and federal remediation deadline of April 8.

Recommended action: Organizations using ownCloud should review the security notice and verify their deployments are using images produced after the remediation. More broadly, ownCloud's disclosure should prompt other organizations that used Trivy in their build pipelines between March 19-22 to conduct their own impact assessments and consider similar disclosure.

**Supply Chain Pause Extends Past 96 Hours**

No new package compromises across any ecosystem have been publicly reported since the Telnyx PyPI disclosure on March 27, extending the supply chain pause documented in Update 003 past 96 hours. This is the longest quiet period since TeamPCP began active supply chain operations on March 19.

Expanded ecosystem search results (March 30): An independent search of RubyGems, crates.io, and Maven Central -- the three ecosystems identified as plausible expansion targets in Update 003 -- found zero TeamPCP-related IOCs in any of them. The RubyGems, crates.io, and Maven Central watch items remain "Not observed."

While the CanisterWorm's propagation technique is registry-agnostic (any stolen publish token would work), there is no evidence TeamPCP has moved beyond the five confirmed ecosystems (GitHub Actions, PyPI, npm, Docker Hub/GHCR, OpenVSX). Note on sourcing: CybersecurityNews listed "NPM and OpenVSX" alongside the other compromised ecosystems in their Databricks article. These are accurate in the sense that both ecosystems were hit, but they refer to the known CanisterWorm npm worm (March 20, 66+ packages) and the Checkmarx OpenVSX extensions (March 23, ast-results and cx-dev-assist) -- not new compromises.

Recommended action: Use this supply chain pause as a remediation window. The CISA KEV deadline for CVE-2026-33634 is now 9 days away (April 8, 2026). Complete credential rotations and IOC sweeps before the deadline.

**Campaign Transitions to Three Parallel Monetization Tracks**

While supply chain poisoning has paused, TeamPCP is not dormant. Analysts assess the group has completed its supply chain expansion phase and transitioned fully to credential exploitation and monetization. Three distinct operational tracks are now running simultaneously:

1. Direct credential exploitation against high-value targets -- the Databricks investigation (see above) represents the first alleged downstream victim of the ~300 GB stolen credential trove, distinct from the tool vendors directly compromised in the supply chain phase.
2. Proprietary ransomware via CipherForce -- TeamPCP's own ransomware operation, with recruitment via their Telegram channel. No confirmed deployments yet, but the infrastructure and affiliate recruitment are active.
3. Mass affiliate ransomware via Vect/BreachForums -- distributed operations leveraging the BreachForums mass affiliate key distribution documented in Update 002.

The distinction between these tracks matters for defenders: detection teams monitoring for Vect ransomware indicators should also add CipherForce to their watchlist. The shared RSA-4096 public key embedded in payloads is the strongest attribution link across all TeamPCP operations.
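Both recommended-action notes (the one under the dual ransomware section and the one just above) advise searching forensic artifacts for the shared RSA-4096 public key. The script below is an added example of how such a sweep can be implemented; it is not code from this update, from Flare, or from the IOC tracker. It assumes the key is embedded PEM-encoded (`BEGIN PUBLIC KEY` or `BEGIN RSA PUBLIC KEY`) and goes slightly beyond the text by handling both the PKCS#1 and the SubjectPublicKeyInfo encoding and fingerprinting the canonical (n, e) pair so the same key matches regardless of wrapper. The 4096-bit sample key and the watchlist entry are constructed placeholders: the real fingerprint must come from a vetted IOC source, since this update does not reproduce the key.

```python
"""Added example: sweep artifacts for embedded RSA public keys and flag any whose
canonical fingerprint is on a watchlist. Stdlib only. The sample key and the
watchlist entry below are constructed placeholders, not the real campaign key."""
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    rb"(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----"
)
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_integer(v: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a high-bit value from reading as negative."""
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(der: bytes):
    """Return (n, e) from PKCS#1 RSAPublicKey or X.509 SubjectPublicKeyInfo DER."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, first, pos = _read_tlv(body, 0)
    if tag == 0x30:  # SPKI: AlgorithmIdentifier, then BIT STRING wrapping PKCS#1
        if RSA_OID not in first:
            raise ValueError("not an rsaEncryption key")
        tag, bitstr, _ = _read_tlv(body, pos)
        if tag != 0x03:
            raise ValueError("expected BIT STRING")
        return parse_rsa_public_key(bitstr[1:])  # first byte is the unused-bit count
    if tag == 0x02:  # PKCS#1: INTEGER n, INTEGER e
        tag2, second, _ = _read_tlv(body, pos)
        if tag2 != 0x02:
            raise ValueError("expected INTEGER exponent")
        return int.from_bytes(first, "big"), int.from_bytes(second, "big")
    raise ValueError("unrecognised RSA public key structure")


def key_fingerprint(n: int, e: int) -> str:
    """SHA-256 over the canonical PKCS#1 encoding, so both wrappers of one key match."""
    return hashlib.sha256(der_sequence(der_integer(n), der_integer(e))).hexdigest()


def scan_artifact(data: bytes, watchlist: set) -> list:
    """Find PEM RSA public keys in a blob; mark those whose fingerprint is watchlisted."""
    hits = []
    for m in PEM_RE.finditer(data):
        label = m.group("label").decode()
        if label not in ("PUBLIC KEY", "RSA PUBLIC KEY"):
            continue
        try:
            der = base64.b64decode(b"".join(m.group("body").split()))
            n, e = parse_rsa_public_key(der)
        except (ValueError, IndexError):
            continue  # unparseable block: skip it rather than abort the sweep
        fp = key_fingerprint(n, e)
        hits.append({"offset": m.start(), "label": label, "bits": n.bit_length(),
                     "exponent": e, "fingerprint": fp, "watchlisted": fp in watchlist})
    return hits


# --- constructed sample data (placeholders, not the real campaign key) ---
def to_pem(label: str, der: bytes) -> bytes:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n").encode()


def wrap_spki(pkcs1_der: bytes) -> bytes:
    """Wrap a PKCS#1 key in SubjectPublicKeyInfo, the form 'BEGIN PUBLIC KEY' blocks carry."""
    alg = der_sequence(RSA_OID, b"\x05\x00")
    bitstr = b"\x03" + _der_len(len(pkcs1_der) + 1) + b"\x00" + pkcs1_der
    return der_sequence(alg, bitstr)


def constructed_modulus(bits: int, seed: bytes) -> int:
    """Deterministic stand-in for a modulus of the given size (not a real RSA key)."""
    raw = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(bits // 256))
    return int.from_bytes(raw, "big") | (1 << (bits - 1)) | 1


SAMPLE_4096 = der_sequence(der_integer(constructed_modulus(4096, b"sample")), der_integer(65537))
WATCHLIST = {key_fingerprint(*parse_rsa_public_key(SAMPLE_4096))}  # placeholder IOC entry
SAMPLE_ARTIFACT = (b"[payload config]\n" + to_pem("RSA PUBLIC KEY", SAMPLE_4096)
                   + b"\n" + to_pem("PUBLIC KEY", wrap_spki(SAMPLE_4096)) + b"\n[end]\n")

if __name__ == "__main__":
    for hit in scan_artifact(SAMPLE_ARTIFACT, WATCHLIST):
        print(hit)
```

Fingerprinting the (n, e) pair rather than the raw PEM text means a watchlist entry keeps matching when the actor re-wraps the same key in a different container. The regex only finds PEM blocks; a key stored as raw DER inside a binary would need a separate scan for the DER SEQUENCE prefix, and a 4096-bit modulus on its own is not an indicator, only a match against the vetted fingerprint is.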

**Cloud Security Alliance Publishes Second Research Note on AI/ML Supply Chain Risk**

The Cloud Security Alliance AI Safety Initiative published a research note on March 29 framing the TeamPCP campaign as a structural shift in adversary methodology -- from opportunistic typosquatting to deliberate pipeline compromise of trusted AI/ML packages. The note assesses that "the economics of targeting high-value AI credential stores are accelerating adversary investment." This is the second CSA publication covering TeamPCP (the first was the Kubernetes wiper lab analysis documented in Update 003) and focuses specifically on the AI/ML ecosystem implications rather than technical TTPs.

In conclusion, the TeamPCP supply chain campaign continues to evolve, with new developments emerging every day. The alleged compromise of Databricks, TeamPCP's dual ransomware operations, and the release of AstraZeneca data by LAPSUS$ all point to a sophisticated and relentless adversary. As defenders, it is essential to stay vigilant and adapt our strategies to counter these evolving threats.