[TIMESTAMP: 2026-03-30 16:29 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

TeamPCP Supply Chain Campaign: Databricks and AstraZeneca Impact

CRITICAL | Supply Chain | #TeamPCP #Databricks #AstraZeneca
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] TeamPCP has weaponized security scanners to compromise global enterprises, initiating dual ransomware operations and leaking sensitive corporate data to the public.
  • [02] Critical infrastructure, cloud data platforms like Databricks, and pharmaceutical companies including AstraZeneca are targeted via compromised third-party security scanning software.
  • [03] Organizations must audit all third-party security scanner integrations and implement strict network segmentation to prevent lateral movement from compromised administrative tools.

The TeamPCP supply chain attack continues to escalate, transitioning from initial infiltration to an aggressive monetization phase characterized by dual-extortion tactics. According to SANS ISC, developments between March 28 and March 30, 2026, indicate that the threat actors have pivoted from technical exploitation to large-scale ransomware deployment and data leakage. This update follows a brief 48-hour pause in activity, suggesting the group used the interval to finalize its extortion infrastructure and process exfiltrated data.

Databricks Supply Chain Compromise Investigation

A primary focus of current intelligence is the potential breach of high-profile technology providers. Reports indicate that Databricks is currently investigating an alleged supply chain compromise following claims of unauthorized access. While the specific entry point remains under scrutiny, the overarching TTP of the TeamPCP campaign is the weaponization of security scanners. By compromising the very tools organizations use for vulnerability management, the attackers gain highly privileged access to sensitive environments, bypassing traditional EDR protections that may trust these authenticated scanning agents.

AstraZeneca Data Breach Details and Exfiltration

In addition to the Databricks investigation, the campaign has claimed a major victim in the pharmaceutical sector. Confirmed reports indicate that details of the AstraZeneca data breach are emerging as the threat actors have begun releasing stolen information. This confirms that the initial phase of compromising security scanners was a precursor to mass data exfiltration. The release of this data serves as a pressure tactic typical of modern ransomware groups, aiming to force compliance with ransom demands through public shaming and the threat of regulatory action. For organizations in the healthcare and life sciences sector, this demonstrates the high stakes of the current campaign.

Technical Analysis of TeamPCP Dual Ransomware Operations

The shift to dual ransomware operations represents a significant maturation of the TeamPCP APT profile. This strategy likely involves the simultaneous or sequential deployment of two distinct locker variants to ensure maximum disruption and overcome potential decryption efforts by security researchers. This approach complicates the recovery process for the SOC, as defenders must identify and neutralize multiple IoC sets.

Evidence suggests the attackers are leveraging sophisticated C2 frameworks to manage their fleet of weaponized scanners. Once a target environment is mapped via the compromised scanner, the actors perform lateral movement to identify high-value assets and identity and access stores. The goal is the total compromise of the target’s cloud or on-premises infrastructure before the encryption phase begins. By using a scanner as the weapon, the actors can often avoid detection because the activity mimics legitimate administrative behavior.

TeamPCP Supply Chain Campaign Mitigation and Defense

Defenders must prioritize the following TeamPCP supply chain campaign mitigation steps to protect their environments:

  • Audit Third-Party Integrations: Review all security tools, specifically vulnerability scanners and automated CVE assessment agents, for unusual outbound traffic or unauthorized credential usage.
  • Implement Zero Trust Architecture: Enforce strict segmentation between security tool management planes and production data environments to limit the blast radius of a supply chain attack. Use the principles of Zero Trust to verify every request, even from trusted internal tools.
  • Monitor C2 Communications: Update SIEM rules to detect unusual patterns associated with known TeamPCP infrastructure, focusing on high-frequency API calls to external endpoints from internal scanning appliances.
  • Validate Backup Integrity: Ensure that offline backups are secure and have not been tampered with during the attackers’ silent reconnaissance phase. Successful recovery from dual ransomware depends on having uncorrupted, off-site data copies.
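As an added illustration of the "Audit Third-Party Integrations" and "Monitor C2 Communications" steps above (example code written for this briefing, not tooling from Runtime Rebel Intel or any scanner vendor), the sliding-window check below flags a scanning appliance that makes a burst of calls to endpoints outside its expected allowlist. The scanner host inventory, the allowlisted feed host, the `.invalid` destinations and the proxy log lines are all constructed placeholders; the threshold and window are assumptions to tune per environment.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed asset inventory: internal hosts that run vulnerability-scanning appliances.
SCANNER_HOSTS = {"10.20.0.15", "10.20.0.16"}
# Placeholder vendor feed host the scanners legitimately reach (not a real indicator).
ALLOWED_DESTINATIONS = {"feeds.scanner-vendor.invalid"}
THRESHOLD = 5                    # external calls from one scanner ...
WINDOW = timedelta(seconds=60)   # ... inside this sliding window raise an alert

# Constructed egress-proxy log lines: "<ts> <src> <dst_host> <method> <path>".
SAMPLE_LOG = """\
2026-03-29T10:00:01Z 10.20.0.15 feeds.scanner-vendor.invalid GET /plugins
2026-03-29T10:00:05Z 10.20.0.15 api.unknown-endpoint.invalid POST /v1/beacon
2026-03-29T10:00:09Z 10.20.0.15 api.unknown-endpoint.invalid POST /v1/beacon
2026-03-29T10:00:14Z 10.20.0.15 api.unknown-endpoint.invalid POST /v1/beacon
2026-03-29T10:00:20Z 10.20.0.15 api.unknown-endpoint.invalid POST /v1/beacon
2026-03-29T10:00:27Z 10.20.0.15 api.unknown-endpoint.invalid POST /v1/beacon
2026-03-29T10:00:30Z 10.20.0.16 feeds.scanner-vendor.invalid GET /plugins
2026-03-29T10:00:41Z 10.20.0.16 10.20.0.200 POST /api/report
2026-03-29T10:00:45Z 10.30.1.7 api.unknown-endpoint.invalid GET /status
"""

def is_external(dst: str) -> bool:
    """Anything not allowlisted and not a private IP counts as an external endpoint."""
    if dst in ALLOWED_DESTINATIONS:
        return False
    try:
        return not ipaddress.ip_address(dst).is_private
    except ValueError:
        return True   # a hostname we have not allowlisted

def detect_scanner_beacons(log_text: str) -> list[dict]:
    """Alert once per scanner host that makes >= THRESHOLD external calls within WINDOW."""
    recent = defaultdict(deque)   # src -> timestamps of its recent external calls
    alerts, flagged = [], set()
    for line in log_text.strip().splitlines():
        ts_text, src, dst, method, path = line.split()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        if src not in SCANNER_HOSTS or not is_external(dst):
            continue   # non-scanner hosts and expected destinations are out of scope here
        q = recent[src]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= THRESHOLD and src not in flagged:
            flagged.add(src)
            alerts.append({"src": src, "dst": dst, "calls": len(q), "last_seen": ts, "request": f"{method} {path}"})
    return alerts
```

Run against the constructed log, only 10.20.0.15 is flagged: the second scanner stays within its allowlist and internal addresses, and the non-scanner host is out of scope for this rule.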

The rapid evolution of this campaign underscores the danger of trusted-access vulnerabilities. Organizations utilizing Databricks or similar cloud data platforms should remain vigilant as the full scope of the compromise continues to be analyzed by the global intelligence community.
