
TeamPCP Supply Chain Attacks Widen as ShinyHunters and Lapsus$ Enter the Fray

April 10, 2026 21:10 · 6 min read

Breach Disclosures Pile Up in the Wake of TeamPCP's Supply Chain Campaign

The blast radius of TeamPCP's supply chain attacks is growing at an alarming pace, drawing in new victim organizations and, increasingly, rival cybercriminal groups jostling for a share of the stolen data. Two fresh breach disclosures this week have put the escalating crisis in sharp relief.

On Tuesday, April 1, 2026, AI startup Mercor announced via the social media platform X that it was "one of thousands of companies impacted by a supply chain attack involving LiteLLM." Two days later, on Thursday, the EU's Computer Emergency Response Team (CERT-EU) confirmed that a recent intrusion targeting the European Commission's cloud and web infrastructure was linked to the previously reported Trivy supply chain attack — an operation also attributed to TeamPCP.

According to CERT-EU, the European Commission had unknowingly installed a compromised version of Trivy, a widely used open source code-scanning security tool. Threat actors exploited this foothold to harvest credentials and secrets, which they subsequently leveraged to gain access to the organization's Amazon Web Services (AWS) cloud environment.

ShinyHunters and Lapsus$ Claim Stolen Data

Attribution in these incidents has grown increasingly complicated due to the involvement of multiple cybercriminal groups. CERT-EU confirmed that ShinyHunters — a well-known cybercriminal collective — published an exfiltrated data set on its leak site, claiming to have obtained more than 91 GB of sensitive European Commission data, including emails, databases, and confidential documents.

Meanwhile, Lapsus$ — a group associated with both ShinyHunters and the Scattered Spider collective — claimed to possess 4 TB of Mercor's internal data, including nearly a terabyte of the AI company's source code. Dark Reading contacted Mercor for comment on the Lapsus$ claim but received no response before publication.

The involvement of these additional threat actors has muddied the picture for enterprise defenders, who must now contend with overlapping stolen data sets and unclear chains of custody. It has also significantly elevated the overall risk profile of TeamPCP's campaign.

How the Attacks Unfolded: Credentials, Trufflehog, and Cloud Pivots

Cybersecurity vendor Wiz shed further light on TeamPCP's post-compromise playbook in a blog post this week. The company's Customer Incident Response Team (CIRT) reported observing and responding to "multiple attacks" in which TeamPCP actors used stolen credentials and secrets to access victims' AWS, Azure, and software-as-a-service (SaaS) environments.

In several AWS breaches, researchers found that attackers relied on the open source tool Trufflehog to locate and validate stolen credentials. From there, TeamPCP conducted reconnaissance before moving on to exfiltrate data from resources such as S3 buckets and Amazon Elastic Container Service (ECS) instances.

The European Commission breach followed a nearly identical script. After the organization downloaded a compromised version of Trivy, attackers stole an AWS API key that granted them control over AWS accounts. They then used Trufflehog to uncover additional AWS credentials, carried out reconnaissance, and exfiltrated data from the environment.

Speed Is the Real Lesson

Perhaps the most alarming detail from CERT-EU's timeline is the sheer speed of the attack. Threat actors obtained the European Commission's API key on March 19 — the very same day that TeamPCP began distributing compromised versions of Trivy. This was one day before the Trivy supply chain attack became publicly known, and several days before Aqua Security, the maintainer of the open source scanner, officially disclosed the compromise.

Ensar Seker, CISO at SOCRadar, says the pace of exploitation is the critical takeaway from this campaign.

"In practice, the response window is now measured in hours, not days. The biggest mistake would be to remove the malicious package but leave the stolen credentials usable, because by then the attackers may already be operating inside adjacent environments."

Seker recommends that organizations immediately revoke and rotate any exposed secrets, invalidate all tokens, and reissue cloud credentials. Security teams should also review CI/CD runners, inspect GitHub Actions and package publishing workflows, and actively hunt for suspicious activity across cloud and SaaS environments.
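The post-compromise pattern described above (credential validation, reconnaissance, then S3/ECS data access from the stolen key) and Seker's advice to hunt for that activity while rotating secrets both come down to the same question: which keys were used after the compromise date, from where, and to do what. The following script is an added example, not code from Dark Reading, CERT-EU, Wiz, or SOCRadar. It triages constructed CloudTrail-style records (real CloudTrail field names, fabricated values) against the 19 March date from the CERT-EU timeline and a placeholder allowlist of known CI egress IPs; the event-name categories and the "rotate-now"/"review" priorities are this example's own heuristic, not an official detection rule.

```python
"""Triage access-key activity after a suspected secret exposure.

For each access key seen on or after the compromise date, record whether it was
used from an IP outside the known allowlist, how many reconnaissance calls it made
(the kind a credential-validation tool produces), and how many data-access calls
it made, then rank keys so the ones to deactivate first are obvious.
"""
import json
from datetime import datetime, timezone

# Compromise date taken from the CERT-EU timeline in the article; the IP allowlist
# is a constructed placeholder standing in for your CI runners' egress addresses.
COMPROMISE_DATE = datetime(2026, 3, 19, tzinfo=timezone.utc)
KNOWN_EGRESS_IPS = {"203.0.113.10"}

# Heuristic categories (this example's own, not an AWS or vendor rule set).
RECON_EVENTS = {"GetCallerIdentity", "ListUsers", "ListRoles", "ListAccessKeys",
                "ListBuckets", "DescribeClusters", "ListTasks"}
DATA_ACCESS_EVENTS = {"GetObject", "ListObjects", "ListObjectsV2",
                      "DescribeTasks", "ExecuteCommand"}

def _rec(time, source, name, ip, key, bucket=None):
    """Build one constructed CloudTrail-style record as a JSON string."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}
    if bucket:
        rec["requestParameters"] = {"bucketName": bucket}
    return json.dumps(rec)

# Constructed sample log: one key behaving normally, one following the recon-then-
# exfiltration script from an unknown IP, one issuing an ECS command from the same IP.
SAMPLE_EVENTS = [
    _rec("2026-03-18T09:00:00Z", "s3.amazonaws.com", "GetObject", "203.0.113.10",
         "AKIAEXAMPLEKEY0002", "build-artifacts"),
    _rec("2026-03-19T14:02:11Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.7",
         "AKIAEXAMPLEKEY0001"),
    _rec("2026-03-19T14:02:40Z", "iam.amazonaws.com", "ListUsers", "198.51.100.7",
         "AKIAEXAMPLEKEY0001"),
    _rec("2026-03-19T14:03:05Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.7",
         "AKIAEXAMPLEKEY0001"),
    _rec("2026-03-19T14:05:30Z", "s3.amazonaws.com", "GetObject", "198.51.100.7",
         "AKIAEXAMPLEKEY0001", "prod-backups"),
    _rec("2026-03-19T14:05:31Z", "s3.amazonaws.com", "GetObject", "198.51.100.7",
         "AKIAEXAMPLEKEY0001", "prod-backups"),
    _rec("2026-03-20T10:00:00Z", "s3.amazonaws.com", "GetObject", "203.0.113.10",
         "AKIAEXAMPLEKEY0002", "build-artifacts"),
    _rec("2026-03-21T02:10:00Z", "ecs.amazonaws.com", "ExecuteCommand", "198.51.100.7",
         "AKIAEXAMPLEKEY0003"),
]

def parse_event(raw):
    """Extract the fields the triage needs from one CloudTrail-style JSON record."""
    e = json.loads(raw)
    when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "name": e["eventName"], "ip": e["sourceIPAddress"],
            "key": e.get("userIdentity", {}).get("accessKeyId", "unknown"),
            "bucket": e.get("requestParameters", {}).get("bucketName")}

def triage(raw_events, compromise_date=COMPROMISE_DATE, known_ips=KNOWN_EGRESS_IPS):
    """Return per-key activity summaries for events on or after the compromise date."""
    report = {}
    for raw in raw_events:
        ev = parse_event(raw)
        if ev["time"] < compromise_date:
            continue  # pre-compromise use is the baseline, not evidence of misuse
        entry = report.setdefault(ev["key"], {"recon": 0, "data_access": 0,
                                              "unknown_ips": set(), "buckets": set(),
                                              "first_seen": ev["time"]})
        entry["first_seen"] = min(entry["first_seen"], ev["time"])
        if ev["ip"] not in known_ips:
            entry["unknown_ips"].add(ev["ip"])
        if ev["name"] in RECON_EVENTS:
            entry["recon"] += 1
        if ev["name"] in DATA_ACCESS_EVENTS:
            entry["data_access"] += 1
            if ev["bucket"]:
                entry["buckets"].add(ev["bucket"])
    for entry in report.values():
        # Activity from an unfamiliar IP after the compromise date is the strongest
        # signal; keys seen only from known egress still get a human review.
        active = entry["recon"] + entry["data_access"] > 0
        entry["priority"] = "rotate-now" if (active and entry["unknown_ips"]) else "review"
    return report

def keys_to_rotate(report):
    """Access key IDs to deactivate first, sorted for stable output."""
    return sorted(k for k, v in report.items() if v["priority"] == "rotate-now")

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for key, entry in sorted(result.items()):
        print(f"{key}: {entry['priority']:10s} recon={entry['recon']} "
              f"data_access={entry['data_access']} ips={sorted(entry['unknown_ips'])} "
              f"buckets={sorted(entry['buckets'])}")
    print("rotate first:", keys_to_rotate(result))
```

In a real investigation the same logic runs over exported CloudTrail events (or an Athena query) rather than an inline list, and the "review" bucket still matters: a key used only from known egress may be the one the compromised scanner ran under, so rotation should follow the review rather than be skipped.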

Multiple Criminal Groups Converging on the Same Access

The dynamic between TeamPCP and the groups claiming credit for downstream data theft appears to be anything but cooperative. According to an X post associated with TeamPCP, the group is not collaborating with ShinyHunters and is actively at odds with them.

Seker describes the situation as an ecosystem-level convergence rather than a coordinated handoff.

"What we are seeing looks less like a clean handoff between separate groups, and more like a convergence of cybercriminal ecosystems around the same access. At this stage, that does not prove formal operational alignment, but it does strongly suggest that once high-value access or stolen data emerges from a supply chain intrusion, other extortion actors can move in very quickly to amplify pressure, visibility, and potential profit."

In other words, while TeamPCP drove the initial supply chain compromises and credential harvesting, ShinyHunters and Lapsus$ appear to be exploiting the monetization and extortion layer — regardless of whether they obtained the data directly from TeamPCP or through other means.

A New Ransomware Alliance Raises the Stakes

Adding another dimension to an already complex threat landscape, TeamPCP has announced a formal alliance with Vect, an emerging ransomware gang. Tomer Peled, security researcher at Akamai, says this development materially changes the risk calculus for affected organizations.

"The fact that both teams are now working together raises the risk potential significantly. Vect will now have access to potentially millions of victims who can be infected with their ransomware through TeamPCP's RAT."

As Akamai documented in a recent blog post, the compromised Telnyx PyPI package contained a three-stage remote access Trojan (RAT) that grants TeamPCP and Vect actors backdoor access to organizations that downloaded the poisoned SDK.

Peled also warns that the volume of credentials already in TeamPCP's hands means more compromised libraries are likely to surface. "TeamPCP will use their stolen credentials to keep installing their RAT on as many victims as possible," he says.

A Fundamental Shift in How to Think About Supply Chain Risk

Seker argues that the participation of third-party threat groups in this campaign should fundamentally reshape how enterprises assess the risk posed by software supply chain attacks.

"The old assumption was that a software supply chain attack was mainly a downstream integrity problem. What these cases show is that it can become an immediate enterprise breach problem, where compromised packages lead to stolen secrets, cloud access, SaaS exposure, repository cloning, and then possible extortion by additional actors."

For security teams, the message is clear: responding to a poisoned package is only the first step. The window between initial compromise and full credential exploitation is now vanishingly small, and the downstream consequences — ransomware deployment, extortion, and data publication — can arrive from multiple criminal actors simultaneously.

As the TeamPCP situation continues to evolve, the convergence of multiple sophisticated criminal groups around a single supply chain intrusion illustrates just how far the consequences of a single malicious package can reach.


Source: Dark Reading
