[TIMESTAMP: 2026-04-09 00:37 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

TeamPCP Supply Chain Campaign: Cisco Source Code Stolen, UNC6780 Activity

Severity: CRITICAL | Category: Supply Chain | Tags: TeamPCP, UNC6780, Supply Chain Attack
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] A sophisticated supply chain campaign, dubbed TeamPCP, has led to Cisco source code theft and the compromise of over 1,000 SaaS environments.
  • [02] Affected systems include Cisco infrastructure and numerous SaaS platforms, with attribution by Google GTIG to the threat actor UNC6780.
  • [03] Organisations must immediately audit their supply chain dependencies and implement enhanced monitoring for associated TTPs.

The cybersecurity community is actively monitoring the TeamPCP supply chain campaign, an ongoing and significant threat intelligence matter first reported by SANS ISC. The campaign has evolved considerably, culminating in notable incidents such as the theft of Cisco source code and the compromise of over 1,000 Software-as-a-Service (SaaS) environments, and it highlights the persistent and escalating risk posed by supply chain vulnerabilities.

Overview of the TeamPCP Campaign and Recent Developments

Initially dubbed “When the Security Scanner Became the Weapon,” the TeamPCP campaign has demonstrated advanced tactics, techniques, and procedures (TTPs) focusing on exploiting trusted relationships within the software development and deployment ecosystem. Recent intelligence, consolidating findings from April 3 to April 8, 2026, details several critical developments:

  • Cisco Source Code Theft: A significant breach resulted in the exfiltration of Cisco’s source code, underscoring the potential for intellectual property theft and future targeted attacks based on discovered vulnerabilities within that code. This incident is reportedly linked to a Trivy-related breach, suggesting a compromise of security scanning infrastructure or its associated environment.
  • Widespread SaaS Environment Compromise: Mandiant has quantified over 1,000 compromised SaaS environments, indicating the broad reach and impact of the campaign. Compromise on this scale can lead to data breaches, lateral movement into connected systems, and further downstream attacks.
  • Attribution to UNC6780: Google GTIG is tracking the actor behind the TeamPCP campaign under the designation UNC6780. This attribution provides valuable context for security teams attempting to understand the adversary’s capabilities and motivations.
  • Other Noteworthy Disclosures: The campaign has also been linked to the CERT-EU European Commission breach disclosure and further details surrounding the Sportradar breach. Additionally, ShinyHunters, a prominent cybercriminal group known for data breaches and selling stolen credentials, confirmed credential sharing activities related to this campaign.

Understanding the Trivy-Linked Breach and its Implications

The mention of a “Trivy-Linked Breach” is particularly concerning for organisations that rely on security scanning tools as part of their continuous integration/continuous delivery (CI/CD) pipelines. If a security scanner itself or its operational environment is compromised, a crucial defensive tool becomes a potential weapon for attackers: scanners typically run with access to source trees, build artefacts and pipeline credentials, so a compromised scanner inherits that trust. This type of supply chain attack can grant adversaries a trusted foothold, allowing them to inject malicious code, exfiltrate sensitive data, or establish persistent access across an organisation’s development and production environments. The theft of Cisco source code via this vector exemplifies the severe consequences.

Mitigating TeamPCP Supply Chain Campaign Risks

Given the pervasive nature and significant impact of the TeamPCP campaign, security professionals must prioritise defensive measures. Proactive steps are essential to strengthen an organisation’s resilience against such sophisticated APT-like activity.

Actionable Recommendations for Defenders

  • Supply Chain Audits: Conduct comprehensive audits of all third-party software, libraries, and services used within your organisation. Focus on critical dependencies and their security posture. Verify the integrity of your CI/CD pipelines.
  • Enhanced Credential Management: Implement strong authentication mechanisms, including multi-factor authentication (MFA) across all services, especially for accounts with privileged access to development and production environments. Regularly rotate credentials and enforce least privilege principles.
  • Robust Monitoring and Detection: Deploy and configure SIEM and EDR solutions to monitor for unusual activity, particularly focusing on access to source code repositories, anomalous network connections (potential C2 communication), and modifications to build environments. Implement detection rules for IoCs associated with UNC6780 or TeamPCP activities, once publicly available.
  • Software Bill of Materials (SBOMs): Generate and maintain SBOMs for all applications to gain clear visibility into software components and their origins. This helps in quickly identifying exposure if a specific component is compromised.
  • Security Tool Integrity: Regularly verify the integrity and security of all security tools, including vulnerability scanners like Trivy, and ensure they are running the latest, patched versions. Segregate their operational environments from production networks where possible.
  • Incident Response Planning: Review and update incident response plans to specifically address supply chain compromises and source code theft scenarios. Conduct tabletop exercises to test your team’s readiness.
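One way to act on the Security Tool Integrity and Supply Chain Audit items above, as an added example that is not from the article or from any scanner vendor: a POSIX shell guard that refuses to run a downloaded scanner binary unless it matches a SHA-256 committed alongside the pipeline, and that counts floating (“latest”, “@main”) tool references in a pipeline file. The file names, checksums and pipeline snippet are constructed placeholders, not real releases or digests.

```shell
#!/bin/sh
# Added example, not code from the article or any vendor. Pins a CI security tool to a
# known checksum (verify between "download" and "execute") and flags unpinned references.
# Every input below is constructed for the demo.

sha256_of() {                           # portable SHA-256 of a file (GNU or BSD tools)
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# verify_pinned_tool FILE EXPECTED_SHA256 -> 0 if FILE matches the pin, 1 otherwise.
# A swapped or tampered scanner binary never reaches the "run scan" step.
verify_pinned_tool() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "missing tool binary: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok: $file matches pinned checksum"
        return 0
    fi
    echo "REFUSING to run $file: expected $expected got $actual" >&2
    return 1
}

# count_unpinned_refs FILE -> prints how many lines reference a floating tag or branch
# (image:latest, action@main/@master) instead of a version plus immutable digest.
count_unpinned_refs() {
    grep -Ec '(:latest|@main|@master)([^A-Za-z0-9._-]|$)' "$1" || true
}

# ---- constructed demo ----
tmp=$(mktemp -d)
printf 'stand-in scanner binary, release build\n' > "$tmp/scanner"
pin=$(sha256_of "$tmp/scanner")         # the value you would commit next to the pipeline
verify_pinned_tool "$tmp/scanner" "$pin"                                  # ok
printf 'stand-in scanner binary, TAMPERED\n' > "$tmp/scanner"
verify_pinned_tool "$tmp/scanner" "$pin" || echo "pipeline step aborted"  # mismatch
cat > "$tmp/pipeline.yml" <<'EOF'
steps:
  - uses: example-org/scan-action@main                # floating branch: flagged
  - image: example/scanner:latest                     # floating tag: flagged
  - image: example/scanner:1.2.3@sha256:PLACEHOLDER   # version + digest: accepted
EOF
echo "unpinned references: $(count_unpinned_refs "$tmp/pipeline.yml")"  # 2
rm -rf "$tmp"
```

The same pattern applies to any tool fetched at build time; the pin lives in version control, so changing it requires a reviewed commit rather than a silent upstream change.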

Organisations must remain vigilant and continuously adapt their security postures to counter evolving threats like the TeamPCP campaign. Staying informed about the latest intelligence and immediately implementing robust defensive strategies are paramount.
