Signal
TeamPCP threat actors expand supply chain attacks to AWS environments
Published 2026-03-31 21:00 UTC · Updated 2026-04-01 15:46 UTC
cve, exploits, breaches, malware, threat_actors, security_tooling
Evidence trail (top sources)
Top sources (2 domains). Domains are deduped. Counts indicate coverage, not truth. 2 top sources shown.
limited source diversity in top sources
Overview
The TeamPCP threat group, also known as PCPcat, DeadCatx3, and ShellForce, continues its supply chain campaign by leveraging stolen credentials from attacks on Trivy, LiteLLM, and Telnyx.
Entities
Trivy, LiteLLM, Telnyx, Databricks, AstraZeneca, AWS, TeamPCP, PCPcat
- Score total: 0.83
- Momentum 24h: 2
- Posts: 2
- Origins: 2
- Source types: 1
- Duplicate ratio: 0%
Why now
- Recent intelligence updates provide first confirmed victim disclosures and detailed cloud enumeration activities by TeamPCP.
- The expansion of TeamPCP's operations into AWS environments signals an escalation in their attack capabilities.
- Ongoing investigations into related ransomware operations and data leaks highlight the evolving threat landscape tied to this campaign.
Why it matters
- TeamPCP's supply chain attacks demonstrate the risk of compromised software dependencies leading to cloud environment breaches.
- Compromise of AWS environments can result in significant data theft and operational disruption for affected organizations.
- Understanding post-compromise activities helps defenders improve detection and response strategies against advanced threat actors.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: medium
Recurring claims
- TeamPCP uses stolen credentials from supply chain attacks to compromise AWS environments and steal data
- Recent updates confirm first victim disclosure and document post-compromise cloud enumeration by TeamPCP
How sources frame it
- SC Media: neutral
- SANS Internet Storm Center: neutral
Consolidated recent updates on TeamPCP's supply chain campaign reveal expanded cloud targeting and victim disclosures, emphasizing the need for vigilant cloud security monitoring.
All evidence
AWS environments targeted by TeamPCP
SC Media · scworld.com · 2026-04-01 15:46 UTC
TeamPCP Supply Chain Campaign: Update 005 - First Confirmed Victim Disclosure, Post-Compromise Cloud Enumeration Documented, and Axios Attribution Narrows, (Wed, Apr 1st)
SANS Internet Storm Center (Handler's Diary) · isc.sans.edu · 2026-04-01 13:08 UTC
Top publishers (this list)
- SC Media (1)
- SANS Internet Storm Center (Handler's Diary) (1)
Top origin domains (this list)
- scworld.com (1)
- isc.sans.edu (1)