THE third update on the TeamPCP supply chain campaign notes that no new package compromises have been confirmed in the first 48-hour window since the Telnyx disclosure on 27 March 2026, marking a pause after an aggressive cadence that previously saw targets such as Trivy, CanisterWorm and others.
Analysts suggest the shift toward monetisation of existing credential harvests, rather than expanding the ecosystem, while emphasising this pause does not signal an end to operations; stolen credentials from an estimated 300 GB trove could still drive future compromises. PyPI has quarantined two TeamPCP campaigns in quick succession, which may raise attack costs for the operators.
The report also highlights new detection guidance and defensive measures, including behavioural detection for CI/CD pipeline attacks and a focus on anomalous runner activity, such as memory reads and unusual archive creation. The CISA KEV remediation deadline for CVE-2026-33634 is 8 April 2026, with a watch item noting ongoing potential expansion to other registries and continued investigation into AstraZeneca’s breach claim, which remains unconfirmed at 48 hours.