**TeamPCP Supply Chain Campaign: Update 004 - The Evolution of a Threat**
The TeamPCP supply chain campaign continues to evolve, with new developments and revelations emerging every day. In this update, we'll cover the latest intelligence on Databricks' alleged compromise, TeamPCP's dual ransomware operations, and the release of AstraZeneca data.
**Databricks Investigating Alleged Compromise Linked to TeamPCP Credential Harvest**
Databricks, a cloud data analytics platform, is investigating an alleged security compromise linked to the TeamPCP credential harvest. CybersecurityNews reports that Databricks has been notified about the potential breach and is scaling up its investigation efforts. International Cyber Digest stated on X that they "notified them last week" and Databricks "scaled up to investigate." A separate analyst corroborated that screenshots showing AWS artifacts, CloudFormation dumps, and STS tokens "match TeamPCP's exact playbook."
If confirmed, this would be the first major cloud platform identified as a downstream victim of TeamPCP's credential trove - distinct from the security tool vendors (Aqua, Checkmarx, BerriAI, Telnyx) directly compromised in the supply chain phase. The distinction matters: tool vendor compromises expanded TeamPCP's credential pool, while a Databricks compromise would represent the monetization of that pool against an enterprise target processing sensitive data across AWS, GCP, and Azure.
**TeamPCP Operates Dual Ransomware Tracks**
Update 002 documented TeamPCP's partnership with the Vect ransomware-as-a-service operation and BreachForums mass affiliate key distribution. New intelligence reveals that Vect is not TeamPCP's only ransomware channel. According to Flare and corroborated by Rami McCarthy's IOC tracker, TeamPCP operates under five confirmed aliases: PCPcat, ShellForce, DeadCatx3, CipherForce, and Persy_PCP.
TeamPCP's own Telegram channel states: "you may already know us as TeamPCP or Shellforce... CipherForce is a newer project we are starting to find affiliates." CipherForce is TeamPCP's own ransomware operation, separate from the Vect partnership. This means TeamPCP is running two parallel ransomware tracks simultaneously: their proprietary CipherForce program for direct operations, and the mass Vect affiliate program via BreachForums for distributed operations.
**LAPSUS$ Releases AstraZeneca Data Free After Failed Sale Attempt**
The LAPSUS$/AstraZeneca breach claim documented in Updates 002-003 has escalated. Cybernews and Cybersecurity Insiders report two developments: AstraZeneca has still not issued any public statement confirming or denying the breach at approximately 96 hours since the initial claim.
Analysts assess that AstraZeneca's continued silence, combined with GDPR obligations if EU employee data is in the dump, creates increasing regulatory exposure with each passing day. Organizations should treat this as a probable confirmed breach for defensive planning purposes. If your organization shares integrations, data, or credentials with AstraZeneca, assess whether the exposed repository structures and configurations could affect your security posture.
**ownCloud Discloses Build Infrastructure Impact From CVE-2026-33634**
ownCloud published a security notice confirming their build infrastructure - the systems producing container images and client binaries - was affected by CVE-2026-33634 (the Trivy compromise). ownCloud confirms: no customer data compromised, no source code altered, impact limited to build systems only.
This is one of the first named downstream organizations to publicly disclose that they were in the blast radius of the Trivy supply chain compromise. The disclosure is notable for its transparency - most affected organizations have remained silent despite the CISA KEV entry and federal remediation deadline of April 8.
**Supply Chain Pause Extends Past 96 Hours**
No new package compromises across any ecosystem have been publicly reported since the Telnyx PyPI disclosure on March 27, extending the supply chain pause documented in Update 003 past 96 hours. This is the longest quiet period since TeamPCP began active supply chain operations on March 19.
**Campaign Transitions to Three Parallel Monetization Tracks**
While supply chain poisoning has paused, TeamPCP is not dormant. Analysts assess the group has completed its supply chain expansion phase and transitioned fully to credential exploitation and monetization. Three distinct operational tracks are now running simultaneously:
* Direct credential exploitation against high-value targets - the Databricks investigation represents the first alleged downstream victim of the ~300 GB stolen credential trove, distinct from the tool vendors directly compromised in the supply chain phase.
* Proprietary ransomware via CipherForce - TeamPCP's own ransomware operation, with recruitment via their Telegram channel. No confirmed deployments yet, but the infrastructure and affiliate recruitment are active.
* Mass affiliate ransomware via Vect/BreachForums - Distributed operations leveraging the BreachForums mass affiliate key distribution documented in Update 002.
**Conclusion**
With the campaign still producing new developments daily, organizations need to stay informed and take the measures below to protect themselves against these threats.
Recommended actions:
* Monitor Databricks' official statement regarding the alleged compromise.
* Use this supply chain pause as a remediation window and complete credential rotations and IOC sweeps before the CISA KEV deadline of April 8, 2026.
* Detection teams monitoring for Vect ransomware indicators should also add CipherForce to their watchlist.
* Organizations sharing integrations, data, or credentials with AstraZeneca should assess whether the exposed repository structures and configurations could affect their security posture.