**TeamPCP Supply Chain Campaign Update: Databricks Under Investigation, Dual Ransomware Operations, and AstraZeneca Data Released**

The TeamPCP supply chain campaign continues to wreak havoc on organizations worldwide, with new developments that have major implications for cybersecurity professionals. This update covers the latest intelligence on the campaign, including an alleged security compromise at Databricks, dual ransomware operations, and the release of AstraZeneca data.

**Databricks Investigating Alleged Compromise Linked to TeamPCP Credential Harvest**

According to reports from CybersecurityNews and International Cyber Digest, Databricks, a cloud data analytics platform, is investigating an alleged security compromise linked to TeamPCP's credential harvest. Screenshots showing AWS artifacts, CloudFormation dumps, and STS tokens "match TeamPCP's exact playbook," suggesting that the breach may be connected to the group's operations.

This development is significant, as it would mark the first major cloud platform identified as a downstream victim of TeamPCP's credential trove. While Databricks has not issued an official statement, analysts assess that, if confirmed, this would represent the monetization of TeamPCP's credential pool against an enterprise target processing sensitive data across AWS, GCP, and Azure.

**TeamPCP Operates Dual Ransomware Tracks - CipherForce Is Their Own Operation**

New intelligence reveals that TeamPCP operates under five confirmed aliases: PCPcat, ShellForce, DeadCatx3, CipherForce, and Persy_PCP. TeamPCP's own Telegram channel states that CipherForce is a newer project they are starting to find affiliates for, indicating that the group runs two parallel ransomware tracks simultaneously.

This dual-track approach allows TeamPCP to maintain direct control over high-value targets (via CipherForce) while flooding the ecosystem with mass affiliate operations (via Vect). Analysts assess that the 300 GB stolen credential trove can feed both tracks simultaneously, making it essential for detection teams to monitor for Vect ransomware indicators and add CipherForce to their watchlist.

**LAPSUS$/AstraZeneca Breach: Data Released After Failed Sale Attempt**

The LAPSUS$/AstraZeneca breach claim has escalated, with Cybernews and Cybersecurity Insiders reporting that AstraZeneca has still not issued any public statement confirming or denying the breach. Analysts assess that AstraZeneca's continued silence creates increasing regulatory exposure with each passing day.

Organizations should treat this as a probable confirmed breach for defensive planning purposes. If your organization shares integrations, data, or credentials with AstraZeneca, assess whether the exposed repository structures and configurations could affect your security posture.

**ownCloud Discloses Build Infrastructure Impact From CVE-2026-33634**

ownCloud has published a security notice confirming that their build infrastructure was affected by CVE-2026-33634 (the Trivy compromise). The disclosure is notable for its transparency, as most affected organizations have remained silent despite the CISA KEV entry and federal remediation deadline of April 8.

Organizations using ownCloud should review the security notice and verify their deployments are using images produced after the remediation. More broadly, ownCloud's disclosure should prompt other organizations that used Trivy in their build pipelines between March 19 and 22 to conduct their own impact assessments and consider similar disclosure.

**Campaign Transitions to Three Parallel Monetization Tracks**

While supply chain poisoning has paused, TeamPCP is not dormant. Analysts assess that the group has completed its supply chain expansion phase and transitioned fully to credential exploitation and monetization. Three distinct operational tracks are now running simultaneously:

* Direct credential exploitation against high-value targets
* Proprietary ransomware via CipherForce
* Mass affiliate ransomware via Vect/BreachForums

Detection teams monitoring for Vect ransomware indicators should also add CipherForce to their watchlist, as the shared RSA-4096 public key embedded in payloads is the strongest attribution link across all TeamPCP operations.
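The key-based watchlist check described above can be sketched as follows. This is an added example, not code from the original report or from any vendor tooling. It assumes the key is embedded as a standard SubjectPublicKeyInfo (DER or PEM) with exponent 65537, and because the page does not publish the key, the watchlist entry is a placeholder derived from a constructed, non-functional key.

```python
import base64
import hashlib
import re

# DER SubjectPublicKeyInfo framing for RSA with a 4096-bit modulus and e=65537
# (assumption: the payload stores the key in this common encoding, 550 bytes).
SPKI_PREFIX = bytes.fromhex(
    "30820222300d06092a864886f70d01010105000382020f003082020a0282020100")
SPKI_TAIL = b"\x02\x03\x01\x00\x01"  # INTEGER 65537
SPKI_LEN = 550
PEM_RE = re.compile(rb"-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----", re.S)

def _is_rsa4096_spki(der: bytes) -> bool:
    return len(der) == SPKI_LEN and der.startswith(SPKI_PREFIX) and der.endswith(SPKI_TAIL)

def spki_fingerprints(blob: bytes) -> set[str]:
    """SHA-256 of every RSA-4096 public key embedded in blob, raw DER or PEM."""
    candidates = []
    start = blob.find(SPKI_PREFIX)
    while start != -1:                      # raw DER inside a binary
        candidates.append(blob[start:start + SPKI_LEN])
        start = blob.find(SPKI_PREFIX, start + 1)
    for m in PEM_RE.finditer(blob):         # PEM text inside scripts or configs
        try:
            candidates.append(base64.b64decode(m.group(1)))
        except ValueError:
            continue                        # malformed base64: not a usable key
    return {hashlib.sha256(d).hexdigest() for d in candidates if _is_rsa4096_spki(d)}

def match_watchlist(samples: dict[str, bytes], watchlist: set[str]) -> dict[str, set[str]]:
    """Map sample name -> watchlisted key fingerprints found in that sample."""
    hits = {name: spki_fingerprints(blob) & watchlist for name, blob in samples.items()}
    return {name: fps for name, fps in hits.items() if fps}

def constructed_key(seed: bytes) -> bytes:
    # Structurally valid SPKI around a deterministic fake modulus; NOT a real key.
    mod = bytearray(b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(16)))
    mod[0] |= 0x80                          # top bit set, as in a true 4096-bit modulus
    return SPKI_PREFIX + bytes(mod) + SPKI_TAIL

KEY_A, KEY_B = constructed_key(b"A"), constructed_key(b"B")
PEM_A = b"-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(KEY_A) + b"-----END PUBLIC KEY-----\n"
SAMPLES = {                                 # constructed samples, not real payloads
    "sample_one.bin": b"\x7fELF" + b"\x00" * 64 + KEY_A + b"trailer",
    "sample_two.ps1": b"$k = @'\n" + PEM_A + b"'@\n",
    "unrelated.bin": b"MZ" + KEY_B,
}
WATCHLIST = {hashlib.sha256(KEY_A).hexdigest()}  # placeholder for the shared key's hash

if __name__ == "__main__":
    print(match_watchlist(SAMPLES, WATCHLIST))
```

Matching on the key fingerprint rather than on a ransomware family name is what lets one watchlist entry cover samples from either track.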

**Conclusion**

The TeamPCP supply chain campaign continues to evolve, with new developments that have significant implications for cybersecurity professionals. The alleged security compromise at Databricks, dual ransomware operations, and release of AstraZeneca data highlight the importance of monitoring for TeamPCP's TTPs and maintaining awareness of the group's activities.

As the campaign transitions to three parallel monetization tracks, detection teams must remain vigilant in monitoring for Vect ransomware indicators and should add CipherForce to their watchlist. Organizations should treat the AstraZeneca breach claim as a probable confirmed breach for defensive planning purposes, and organizations using ownCloud should verify that their deployments are using images produced after the remediation.

Stay informed about the latest developments on the TeamPCP supply chain campaign by following our updates, and remember to take proactive measures to protect your organization from these emerging threats.

**Recommended actions:**

* Monitor for an official statement from Databricks regarding the alleged compromise
* Use this supply chain pause as a remediation window to complete credential rotations and IOC sweeps before the CISA KEV deadline of April 8
* Treat AstraZeneca's continued silence as a probable confirmed breach for defensive planning purposes
* Add CipherForce to your watchlist if you're monitoring for Vect ransomware indicators
* Verify your ownCloud deployments are using images produced after the remediation