The impact of TeamPCP's recent supply chain compromises continues to expand across the enterprise field. Following earlier reports of unauthorized code introduced into open-source projects, two affected organizations disclosed related security incidents this week.
On Tuesday, the AI startup Mercor stated on the social media platform X that it was among the companies impacted by a supply chain incident involving LiteLLM. Two days later, the EU's Computer Emergency Response Team (CERT-EU) disclosed that a recent unauthorized access event affecting the European Commission's cloud and web infrastructure stemmed from the previously documented Trivy software supply chain compromise, which is also attributed to TeamPCP. According to CERT-EU, the EC inadvertently installed a modified version of the Trivy code-scanning tool. This installation enabled threat actors to harvest credentials and ultimately access the organization's Amazon Web Services (AWS) environment.
The involvement of third-party extortion groups has complicated the incident response process. CERT-EU confirmed that the cybercriminal group ShinyHunters published an exfiltrated dataset on its leak site, claiming to possess over 91 GB of sensitive EC data, including emails, databases, and confidential documents. Similarly, Lapsus$—a group associated with ShinyHunters and the Scattered Spider collective—claimed to hold 4 TB of Mercor's internal data, including nearly a terabyte of the company's source code. Mercor did not confirm this claim at press time.
It remains unclear exactly how these secondary groups acquired the overlapping data, but security professionals emphasize that organizations must address these converging risks promptly.
Cloud access methodology and credential harvesting
Disclosures including Mercor and the EC align with technical observations that TeamPCP is actively utilizing stolen credentials to access enterprise cloud infrastructure. Wiz noted that its customer incident response team (CIRT) has observed and responded to multiple incidents where TeamPCP actors used harvested secrets and access victims' AWS, Azure, and software-as-a-service (SaaS) environments.
Wiz researchers detailed how threat actors used the TruffleHog open-source tool to discover and validate exposed credentials within AWS environments. Following initial reconnaissance, the actors accessed resources such as S3 buckets and Amazon Elastic Container Service (ECS) instances to exfiltrate data.
CERT-EU outlined a nearly identical sequence in the European Commission incident. After the modified version of Trivy was deployed, unauthorized actors extracted an AWS API key that provided control over AWS accounts. They subsequently used TruffleHog to locate additional credentials, conducted reconnaissance, and exfiltrated data.
The timeline of these events demonstrates a highly compressed response window. According to CERT-EU, threat actors obtained the EC's API key on March 19—the exact day TeamPCP began distributing modified versions of Trivy. This occurred a day before the Trivy compromise was publicly flagged and several days before Aqua Security, the project’s maintainer, issued a formal disclosure.
Ensar Seker, CISO at SOCRadar, notes that speed of execution is the primary takeaway. "In practice, the response window is now measured in hours, not days," Seker says. "The biggest mistake would be to remove the malicious package but leave the stolen credentials usable, because by then the attackers may already be operating inside adjacent environments."
To effectively mitigate these risks, Seker advises organizations to immediately revoke and rotate exposed secrets, invalidate all tokens, and reissue cloud credentials. Security teams should also review CI/CD runners, inspect GitHub Actions and package publishing workflows, and monitor their cloud and SaaS environments for anomalous activity.
Convergence of threat actors and evolving risks
The situation is further complicated by the concurrent activities of Lapsus$ and ShinyHunters. According to a post on X associated with TeamPCP, the group appears to be in conflict with ShinyHunters rather than actively collaborating.
"What we are seeing looks less like a clean handoff between separate groups, and more like a convergence of cybercriminal ecosystems around the same access," Seker says. While TeamPCP initiated the supply chain compromises and credential theft, other extortion actors are now attempting to monetize the exposures. "At this stage, that does not prove formal operational alignment, but it does strongly suggest that once high-value access or stolen data emerges from a supply chain intrusion, other extortion actors can move in very quickly to amplify pressure, visibility, and potential profit," Seker notes.
Furthermore, TeamPCP has announced a partnership with Vect, a ransomware group. Tomer Peled, a security researcher at Akamai, observes that this changes the risk profile significantly. Peled notes that the collaboration could provide Vect with access to numerous affected organizations, subjecting them to potential ransomware deployment through TeamPCP's remote access trojan (RAT).
As Akamai documented recently, the modified Telnyx PyPI package contained a three-stage RAT that provides backdoor access to environments running the affected SDK. Given the volume of credentials already obtained by TeamPCP, Peled anticipates the discovery of additional compromised libraries. He assesses that the group will likely use their stolen credentials to continue installing unauthorized access tools across as many systems as possible.
Seker concludes that the involvement of additional threat groups fundamentally alters how organizations must view software supply chain risks. "The old assumption was that a software supply chain attack was mainly a downstream integrity problem," he says. "What these cases show is that it can become an immediate enterprise breach problem, where compromised packages lead to stolen secrets, cloud access, SaaS exposure, repository cloning, and then possible extortion by additional actors."