TeamPCP Supply Chain Campaign: Update 002 - Telnyx PyPI Compromise, Vect Ransomware Mass Affiliate Program, and First Named Victim Claim, (Fri, Mar 27th)

The TeamPCP supply chain campaign has escalated through the compromise of the Telnyx Python SDK and a partnership with the Vect ransomware group that provides affiliate keys to 300,000 users.

Key points

  • Attackers compromised Telnyx Python SDK versions 4.87.1 and 4.87.2 on PyPI using stolen credentials, embedding malicious payloads within WAV audio files.
  • TeamPCP formed a partnership with Vect ransomware and BreachForums, providing 300,000 users with affiliate keys to facilitate industrialized ransomware deployment.
  • LAPSUS$ has claimed a 3GB data breach of AstraZeneca, marking the first named victim of the ongoing TeamPCP credential-harvesting campaign.
  • Forensic analysis revealed the LiteLLM compromise originated from the personal GitHub account of CEO Krish Dholakia, targeted via previously stolen credentials.
  • CISA updated its Known Exploited Vulnerabilities (KEV) catalog, setting an April 8 remediation deadline for the Trivy vulnerability and adding the Langflow RCE.

Why it matters:

This campaign represents a dangerous evolution where supply chain compromises are now being used to fuel large-scale, automated ransomware operations. Organizations must treat all previously exposed credentials as compromised and prioritize immediate rotation to mitigate the risk of imminent extortion.

Sans.edu Published by Unknown