TeamPCP Supply Chain Attacks Pause as Ransomware Focus Intensifies
Severity: Medium (Score: 57.8)
Sources: Isc.Sans.Edu, Feeds2.Feedburner
Summary
TeamPCP, a cybercriminal group, has halted its supply chain attacks for the first time since March 19, 2026. No new compromises have been reported in the last three days, following the malicious release of Telnyx's SDK on March 27. The group previously targeted multiple platforms, including Trivy, CanisterWorm, Checkmarx, and LiteLLM, with a rapid operational cadence of 1-3 days between attacks.

Analysts suggest that this pause indicates a shift in focus towards monetizing stolen credentials rather than expanding their supply chain operations. TeamPCP has amassed around 300 GB of stolen data, which could still lead to future compromises. Organizations are advised to maintain heightened monitoring and implement credential rotations. The CISA KEV remediation deadline for CVE-2026-33634 is approaching on April 8, 2026. Detection rules have been published to identify TeamPCP-style attacks at a behavioral level, emphasizing the need for proactive security measures.

Key Points
- TeamPCP has paused supply chain attacks for the first time since March 19, 2026.
- The group is shifting focus to monetization of stolen credentials rather than new compromises.
- Organizations should enhance monitoring and prepare for the CISA KEV deadline for CVE-2026-33634.
Key Entities
- Supply Chain Attack (attack_type)
- Telnyx (company)
- CVE-2026-33634 (cve)
- sans.org (domain)
- CanisterWorm (malware)
- T1195 - Supply Chain Compromise (mitre_attack)
- PyPI (platform)