TeamPCP Supply Chain Attacks Pause as Ransomware Focus Intensifies

TeamPCP Supply Chain Attacks Pause as Ransomware Focus Intensifies

First seen 30 Mar 2026, 16:15 UTC Isc.Sans.EduFeeds2.Feedburner 71% similarity 57.8

Article Content

Browse articles
ThreatCluster

TeamPCP, a cybercriminal group, has halted its supply chain attacks for the first time since March 19, 2026. No new compromises have been reported in the last three days, following the malicious release of Telnyx's SDK on March 27. The group previously targeted multiple platforms, including Trivy, CanisterWorm, Checkmarx, and LiteLLM, with a rapid operational cadence of 1-3 days between attacks. Analysts suggest that this pause indicates a shift in focus towards monetizing stolen credentials rather than expanding their supply chain operations. TeamPCP has amassed around 300 GB of stolen data, which could still lead to future compromises. Organizations are advised to maintain heightened monitoring and implement credential rotations. The CISA KEV remediation deadline for CVE-2026-33634 is approaching on April 8, 2026. Detection rules have been published to identify TeamPCP-style attacks at a behavioral level, emphasizing the need for proactive security measures.

Key Points: • TeamPCP has paused supply chain attacks for the first time since March 19, 2026. • The group is shifting focus to monetization of stolen credentials rather than new compromises. • Organizations should enhance monitoring and prepare for the CISA KEV deadline for CVE-2026-33634.

ThreatCluster AI

Timeline

2026-03-19
TeamPCP began active operations with multiple supply chain attacks.
2026-03-23
CVE-2026-33634 published.
2026-03-25
First public PoC for CVE-2026-33634.
2026-03-26
CVE-2026-33634 added to CISA KEV for active exploitation.
2026-03-27
TeamPCP published malicious versions of Telnyx's SDK on PyPI.
2026-03-30
No new compromises reported for three days.

Community

Browse all →