TeamPCP Update: Databricks Probes Breach

Databricks is scrambling to verify a potential TeamPCP breach, while the group unleashes dual ransomware tracks and dumps AstraZeneca data for free. This isn't just another hack—it's a monetization masterclass.

[Image: TeamPCP supply chain campaign timeline with Databricks, ransomware tracks, and AstraZeneca icons]

Key Takeaways

  • Databricks probes TeamPCP-linked breach; rotate creds if CI/CD exposed.
  • TeamPCP runs CipherForce (direct) and Vect (affiliates) ransomware tracks.
  • AstraZeneca 3GB data dumped free by LAPSUS$ after failed sale.

Databricks’ official security Twitter account dropped a denial at 2:17 AM Pacific—‘thoroughly investigated… found nothing’—but screenshots matching TeamPCP’s playbook keep the tension high.

The TeamPCP supply chain campaign—that’s the phrase echoing through threat intel circles—has roared back after a brief pause. Update 004 from March 30, 2026, paints a picture of a group that’s not just stealing credentials but weaponizing them across cloud giants and ransomware fronts. We’ve seen supply chain hits before, sure, but TeamPCP’s pivot to dual monetization tracks? That’s the twist that should have CISOs everywhere hitting refresh on their dashboards.

Databricks: First Big Cloud Target or False Alarm?

CybersecurityNews broke it first: Databricks, the darling of data analytics with billions in AWS, GCP, and Azure sprawl, is probing an alleged compromise from TeamPCP’s massive credential harvest. International Cyber Digest claims they tipped off the company last week. Screenshots? AWS artifacts, CloudFormation dumps, STS tokens—textbook TeamPCP.

Databricks says they “thoroughly investigated this information in our internal systems and found nothing” and have “asked for more information beyond this screenshot.”

That’s from their shiny new @DatabricksSec account, authenticated by their PR folks at FGS Global. Clean investigation, they say. But here’s the thing—TeamPCP didn’t hit Databricks directly like they did Aqua or Checkmarx. This would be downstream: stolen creds from compromised security tools potentially unlocking Databricks workspaces. If true, it’s the campaign’s first enterprise kill via the credential trove. Organizations with CI/CD pipes touching those tainted components? Rotate everything. Now.

Databricks’ silence-turned-tweet feels like damage control. No full statement yet. And analysts aren’t buying the all-clear wholesale.

Markets hate uncertainty—Databricks stock dipped 1.2% pre-market on the news.

Look, this matters because Databricks processes petabytes of sensitive data for Fortune 500s. A breach here cascades. My take? It’s not confirmed, but the playbook match is too precise for coincidence. Echoes of the 2020 SolarWinds nightmare, where downstream victims outnumbered the origin by 100-to-1. TeamPCP could be scripting the same.

TeamPCP’s CipherForce: Their Own Ransomware Empire?

TeamPCP isn’t putting all eggs in Vect’s basket. Flare intel and Rami McCarthy’s tracker nail it: aliases like PCPcat, ShellForce, DeadCatx3, CipherForce, Persy_PCP. Their Telegram boasts, “you may already know us as TeamPCP or Shellforce… CipherForce is a newer project we are starting to find affiliates.”

Dual tracks. CipherForce for high-value, hands-on ops. Vect via BreachForums for the affiliate swarm. SANS ISC called out the plural ransomware links—spot on.

Why split? Control. Keep the juicy 300GB credential haul for direct hits via CipherForce, flood the dark web with Vect keys for volume. That shared RSA-4096 public key in payloads? Your forensic smoking gun.

But—and this is my edge over the raw intel—TeamPCP’s borrowing from LockBit’s 2022 playbook. Remember when LockBit launched their own affiliate program alongside custom ops? Revenue doubled in months. Bold prediction: CipherForce claims a unicorn target by May, forcing Vect into the shadows.

Detection teams, add CipherForce IOCs yesterday. Vect watches aren’t enough.

AstraZeneca Data Dump: From Extortion to Free-for-All

LAPSUS$—yeah, those guys resurface—tried selling 3GB of AstraZeneca goodies via Session. No takers. So they dumped it free. Cybernews verified: GitHub deets for devs, employee records from clinical subs, source code trees. Legit AstraZeneca guts.

96 hours, no word from AstraZeneca. GDPR clock ticking if EU data’s exposed. Silence screams breach confirmation to me.

This isn’t hype—it’s a pattern. TeamPCP’s supply chain fed LAPSUS$? Loose attribution, but the timing stinks. Enterprises in pharma? Audit your vendor chains double-time.

Why Does TeamPCP’s Dual-Track Model Terrify Enterprises?

Cash flow. That’s the market dynamic here. Single ransomware groups flame out—see Conti. Dual tracks? Sustainable chaos. CipherForce for 10x payouts, Vect for steady drip. The 300GB creds supercharge both.

And the PR spin? Databricks’ tweet downplays, but downstream risk is real. Don’t sleep on it.

This campaign’s shift mirrors state actors like APT29 post-SolarWinds—credential harvest to ransomware pivot. Non-state? Even scarier. My prediction: a 40% uptick in cloud credential rotations next quarter.

Teams scrambling, stocks twitching, affiliates multiplying—TeamPCP’s built a machine that feeds on our complacency, turning security scanners into backdoors, creds into keys, and pauses into perfect storms for the next hit.

Actionable? Hunt that RSA key. Rotate Databricks creds if exposed. Watch CipherForce.
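One way to act on the “hunt that RSA key” advice here, and on the forensic-smoking-gun point in the CipherForce section above, as an added example that is not from the article, SANS ISC, or any TeamPCP IOC feed: a stdlib-only Python scanner that pulls PEM-encoded public keys out of captured payload bytes, parses the DER just far enough to read the RSA modulus size, and fingerprints each key (SHA-256 of the DER) so it can be matched against an IOC list. The payload bytes, the “shared” key and the known-bad fingerprint are all constructed fixtures; the moduli are arbitrary integers, not real RSA keys, and the real fingerprint has to come from your own intel feed.

```python
"""Hunt for embedded RSA public keys in captured payload bytes.

Added example (not from the article or any IOC feed): extract PEM public
keys, read the RSA modulus size from the DER, fingerprint the DER, match
against an IOC set. All fixtures below are constructed for the demo.
"""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PEM_RE = re.compile(rb"-----BEGIN PUBLIC KEY-----\s*(.*?)\s*-----END PUBLIC KEY-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1


# --- minimal DER helpers; the encoder only exists to build the fixture ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:  # leading 0x00 keeps the INTEGER positive
        b = b"\x00" + b
    return _tlv(0x02, b)

def build_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA key (fixture builder)."""
    rsa_key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_key))

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> Optional[int]:
    """RSA modulus bit length from SPKI DER, or None if the key is not RSA."""
    tag, outer, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        return None
    tag, alg, pos = _read_tlv(outer, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        return None
    tag, bit_str, _ = _read_tlv(outer, pos)
    if tag != 0x03:
        return None
    _, rsa_key, _ = _read_tlv(bit_str[1:], 0)  # skip the unused-bits octet
    _, modulus, _ = _read_tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


@dataclass
class KeyHit:
    offset: int
    bits: Optional[int]
    sha256: str

def hunt_keys(blob: bytes) -> List[KeyHit]:
    """Find every PEM public key in blob and fingerprint its DER."""
    hits = []
    for m in PEM_RE.finditer(blob):
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
            bits = rsa_modulus_bits(der)
        except (ValueError, IndexError):  # PEM-looking text that is not a parsable key
            continue
        hits.append(KeyHit(m.start(), bits, hashlib.sha256(der).hexdigest()))
    return hits

def match_iocs(hits: List[KeyHit], known: Set[str]) -> List[KeyHit]:
    """Keep only hits whose fingerprint is on the IOC list."""
    return [h for h in hits if h.sha256 in known]


# --- constructed fixtures: arbitrary 4096/2048-bit integers, NOT real RSA
# moduli and NOT the TeamPCP key; the fingerprint stands in for an IOC feed ---
SHARED_KEY_DER = build_rsa_spki((1 << 4095) | 0x123456789ABCDEF1)
DECOY_KEY_DER = build_rsa_spki((1 << 2047) | 0x1357)
KNOWN_BAD = {hashlib.sha256(SHARED_KEY_DER).hexdigest()}

def _pem(der: bytes) -> bytes:
    return b"-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(der) + b"-----END PUBLIC KEY-----\n"

# Fake "payload": junk bytes around a 2048-bit decoy and the 4096-bit shared key.
SAMPLE_PAYLOAD = (b"\x7fELF\x02\x01\x01" + b"\x00" * 64 + _pem(DECOY_KEY_DER)
                  + b"\xde\xad\xbe\xef" * 8 + _pem(SHARED_KEY_DER) + b"\x00" * 32)

if __name__ == "__main__":
    for h in hunt_keys(SAMPLE_PAYLOAD):
        verdict = "IOC MATCH" if h.sha256 in KNOWN_BAD else "unknown key"
        print(f"offset={h.offset:5d} rsa_bits={h.bits} sha256={h.sha256[:16]}... {verdict}")
```

Run it against suspected samples with `hunt_keys(open(path, "rb").read())` and feed the resulting fingerprints into `match_iocs` with the SHA-256 of the DER key from your IOC feed; the modulus size check is a cheap first filter, but only the fingerprint match is a positive hit, since plenty of legitimate software ships 4096-bit keys too.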


Frequently Asked Questions

What is the TeamPCP supply chain campaign?

TeamPCP compromised security tools like Aqua and Checkmarx to harvest 300GB of credentials, now monetizing via ransomware and breaches.

Is Databricks compromised by TeamPCP?

Under investigation—no official confirmation, but playbook-matching screenshots suggest potential downstream exposure via stolen creds.

Should I worry about CipherForce ransomware?

Yes—it’s TeamPCP’s proprietary op alongside Vect. Add its IOCs, especially the shared RSA-4096 key, to your feeds.

Written by James Kowalski

Investigative tech reporter focused on AI ethics, regulation, and societal impact.



Originally reported by SANS Internet Storm Center
