Apr 08, 2026 • SANS Internet Storm Center
TeamPCP Supply Chain Campaign: Update 007 - Cisco Source Code Stolen via Trivy-Linked Breach, Google GTIG Tracks TeamPCP as UNC6780, and CISA KEV Deadline Arrives with No Standalone Advisory, (Wed, Apr 8th)
Executive Summary
This update covers the ongoing TeamPCP supply chain campaign, now tracked by Google GTIG as UNC6780. Cisco source code has been stolen through a breach linked to the compromised Trivy security scanner. The campaign has expanded significantly, with Mandiant identifying over 1,000 compromised SaaS environments. ShinyHunters confirmed credential sharing related to the breach. Additional victims include CERT-EU/European Commission and Sportradar. The CISA KEV deadline has arrived without a standalone advisory. Organizations using Trivy should immediately audit their deployments, rotate credentials, and monitor for suspicious activity, as this supply chain compromise poses critical risk to affected environments.
Summary
This is the seventh update to the TeamPCP supply chain campaign threat intelligence report, "When the Security Scanner Became the Weapon" (v3.0, March 25, 2026). Update 006 covered developments through April 3, including the CERT-EU European Commission breach disclosure, ShinyHunters' confirmation of credential sharing, Sportradar breach details, and Mandiant's quantification of 1,000+ compromised SaaS environments. This update consolidates five days of intelligence from April 3 through April 8, 2026.
Linked Entities
- Trivy
- ShinyHunters
- TeamPCP
- UNC6780