Apr 03, 2026 • SANS Internet Storm Center
TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments (Fri, Apr 3rd)
Executive Summary
The TeamPCP supply chain campaign continues to expand, with Mandiant quantifying impact across 1,000+ SaaS environments. CERT-EU has confirmed the European Commission cloud breach, while North Korean attribution has been established for the axios package compromise. Mercor AI remains the first publicly disclosed victim. Wiz's post-compromise cloud enumeration findings and Mandiant's forensic audit of LiteLLM (which has resumed releases) indicate ongoing adversary activity. Organizations using compromised or related supply chain components should conduct immediate inventory checks, monitor for unusual cloud enumeration activity, and review authentication logs for signs of lateral movement. The weaponization of security scanning tools represents a significant evolution in supply chain attack tradecraft.
Summary
This is the sixth update to the TeamPCP supply chain campaign threat intelligence report, "When the Security Scanner Became the Weapon" (v3.0, March 25, 2026). Update 005 covered developments through April 1, including the first confirmed victim disclosure (Mercor AI), Wiz's post-compromise cloud enumeration findings, DPRK attribution of the axios compromise, and LiteLLM's release resumption after Mandiant's forensic audit. This update covers intelligence from April 1 through April 3, 2026.
Linked Entities
- DPRK (North Korean State Actors)