Databricks is investigating an alleged compromise linked to the TeamPCP credential harvest, with reports suggesting screenshots of AWS artifacts, CloudFormation dumps, and STS tokens match TeamPCP’s playbook, though Databricks has not issued an official statement. TeamPCP is operating two parallel ransomware tracks: CipherForce, their own operation, and a mass affiliate programme via Vect/BreachForums.
The campaign has also seen AstraZeneca data released by LAPSUS$ after a failed sale attempt. Cybernews has partially verified the contents, including internal GitHub user information and employee data, while AstraZeneca has not issued a public statement roughly 96 hours after the initial claim.
The diary notes three monetisation tracks running simultaneously — direct credential exploitation, CipherForce direct operations, and Vect/BreachForums affiliate activity — with a common RSA-4096 public key embedded in payloads as the strongest attribution link. It also highlights that the CISA KEV deadline for CVE-2026-33634 is closing in, with nine days remaining until April 8, 2026, and urges credential rotations and IOC sweeps within that remediation window.
According to Cybernews and Cybersecurity Insiders, the AstraZeneca and Databricks developments are part of the continuing TeamPCP campaign as it shifts focus from supply chain disruption to monetisation.