TeamPCP Supply Chain Attack Allegedly Compromised Databricks Platform

Home Cyber Security TeamPCP Supply Chain Attack Allegedly Compromised Databricks Platform Databricks is currently investigating an alleged security compromise connected to the massive TeamPCP software supply chain attack after being alerted by threat intelligence researchers. According to International Cyber Digest, Databricks was notified of the potential breach last week. The organization reportedly took the alert seriously, scaling up its incident response teams immediately to investigate the claims. While the extent of the alleged compromise remains unconfirmed, Databricks has yet to release an official statement regarding the findings. This development closely follows Databricks’ recent expansion into the cybersecurity sector with the launch of its AI-driven Lakewatch security platform. 🚨‼️ BREAKING: DATABRICKS ALLEGEDLY COMPROMISED IN A TEAMPCP SUPPLY CHAIN ATTACK. DATABRICKS IS THE LEADING CLOUD-BASED DATA ANALYTICS PLATFORM: USED BY ORGANIZATIONS WORLDWIDE TO MANAGE MASSIVE DATASETS. WE NOTIFIED THEM LAST WEEK. THEY SCALED UP TO INVESTIGATE. WE HAVEN'T… PIC.TWITTER.COM/NCRJECLOJJ — International Cyber Digest (@IntCyberDigest) March 30, 2026 TeamPCP Attack Methodology The TeamPCP threat group, also tracked as PCPcat and ShellForce, initiated a sprawling supply chain campaign in March 2026 that successfully breached five major ecosystems, including GitHub Actions, Docker Hub, PyPI, NPM, and OpenVSX. The threat actors targeted security-adjacent developer tools such as Aqua Security’s Trivy, Checkmarx infrastructure-as-code scanners (KICS), and the LiteLLM AI proxy. By poisoning trusted software repositories and CI/CD pipelines, TeamPCP distributed a sophisticated credential harvester known as the TeamPCP Cloud stealer, tracked under CVE-2026-33634. The malware is specifically designed to siphon environment variables, Kubernetes configurations, and cloud tokens across major providers like AWS, Google Cloud, and Microsoft Azure exposed during automated build processes. During execution, the payload typically retrieves subsequent stages from malicious domains via major JavaScript package managers. Harvested secrets are encrypted and exfiltrated as compressed archives, with the threat actors actively utilizing vendor-specific typosquatting and fallback GitHub repositories to evade detection. Mitigations Organizations using affected security scanners or platforms connected to the TeamPCP supply chain web must assume potential credential exposure. Security teams are advised to immediately rotate all secrets, tokens, and cloud credentials that were accessible to CI runners during the impact window. Furthermore, administrators should audit their GitHub Actions workflow logs for any unauthorized outbound traffic to known malicious domains or references to the exfiltration archives. Identifying unauthorized repository creation, particularly those utilizing the threat actor’s fallback naming conventions, remains a critical detection mechanism for compromised environments. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. RELATED ARTICLESMORE FROM AUTHOR Cyber Security News Critical n8n Vulnerability Let Attackers Achieve Remote Code Execution Cyber Security News Critical Fortinet Forticlient EMS Vulnerability Exploited in Attacks Cyber Security India Set to Ban Sale of Hikvision, TP-Link, CCTV Products From April Top 10 10 Best Spam Filter Tools 2026 March 30, 2026 10 Best Log Monitoring Tools in 2026 March 30, 2026 10 Best Fraud Detection Tools in 2026 March 30, 2026 Essential E-Signature Solutions for Cybersecurity in 2026 January 31, 2026 Top 10 Best Data Removal Services In 2026 January 29, 2026