The seventh TeamPCP update confirms that Cisco’s internal development environment was breached via the Trivy supply chain compromise. The breach gave access to build systems and developer workstations, and over 300 private GitHub repositories were cloned, including code for AI products and unreleased items; AWS keys were also stolen for unauthorised cloud activity.
According to BleepingComputer, ShinyHunters expanded its claims to 3 million or more Salesforce records, though these have not been independently verified, while Google GTIG formally tracks TeamPCP as UNC6780 and names the credential stealer payload SANDCLOCK. The update notes a KEV remediation deadline of 8 April 2026 for CVE-2026-33634 but reports no standalone advisory from CISA at day 27, and it records a 24-day pause in new supply chain compromises across the five ecosystems.
Analyses from Mandiant suggest 1,000+ SaaS environments have been compromised, with the wider blast radius still expanding through discovery rather than new attacks. ShinyHunters is running concurrent TeamPCP credential-exploitation and Snowflake/Anodot breaches, underscoring the campaign’s operational tempo while CipherForce infrastructure remains offline ahead of Sportradar data publication deadlines.