TeamPCP Supply Chain Attack Reportedly Compromises Databricks
Key Takeaways
- Databricks highlighted a multi-stage TeamPCP supply chain attack targeting CI/CD tools
- Credential theft enabled rapid downstream compromise across ecosystems
- Malicious code embedded in trusted security and build tools
- Potential impact spans thousands of organizations and AI pipelines
Databricks Reports TeamPCP Supply Chain Attack on CI/CD Tools
A coordinated supply chain attack identified in Databricks-related reporting revealed that TeamPCP compromised widely used developer tools, enabling credential theft and downstream propagation across software ecosystems. As reported by Cyber Security News, the attack leveraged trusted CI/CD components to infiltrate pipelines and exfiltrate secrets. The incident highlights the growing systemic risk of supply chain attacks in AI-driven development environments.
What We Know
The TeamPCP campaign, highlighted in Databricks-related reporting, emerged in late February through March 2026 as a multi-phase supply chain attack targeting open-source developer infrastructure. Attackers initially gained access through a compromised GitHub token and misconfigured workflows, allowing them to infiltrate trusted repositories and automation pipelines. (safedep.io)
From there, the attackers injected malicious code into widely used tools including Aqua Security’s Trivy scanner, Checkmarx GitHub Actions, and multiple CI/CD components. These poisoned artifacts were distributed through legitimate channels such as GitHub Actions, container registries, and package repositories. (arcticwolf.com)
The attack extended beyond a single ecosystem. Researchers observed compromises across GitHub Actions, Docker images, OpenVSX extensions, and more than 60 npm packages, dramatically increasing the blast radius.
Once deployed, the malicious payload harvested sensitive data including API keys, cloud credentials, SSH keys, and CI/CD secrets from build environments.
Note: this is a new incident and not all details are known at this time. We will update the details and scoring as more information is available.
What May Have Happened
The TeamPCP attack, as surfaced in Databricks-related reporting, demonstrates a highly sophisticated, multi-stage supply chain compromise. The initial entry point appears to have been a stolen or improperly secured GitHub Personal Access Token, which allowed attackers to manipulate trusted repositories and automation workflows. (github.com)
Attackers then performed tag poisoning and release manipulation, injecting malicious code into legitimate versions of widely used tools. Because these tools were trusted and automatically executed in CI/CD pipelines, the malicious payload executed with elevated privileges before detection.
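Tag poisoning only works against pipelines that reference an action by a mutable tag or branch; a reference pinned to a full commit SHA cannot be silently repointed to a poisoned release. The script below is an added example (not code from the report, Databricks, or any vendor tool) that scans GitHub Actions workflow text for `uses:` references not pinned to a 40-hex SHA, and also flags a workflow whose `GITHUB_TOKEN` permissions are `write-all` or unspecified. The action names, the SHA and the sample workflow are constructed placeholders.

```python
import re

# Added example: a small checker for mutable action references and broad token
# permissions in GitHub Actions workflows. Not part of the original report.

# Matches `uses: <ref>` (optionally preceded by a list dash); stops at whitespace or '#'.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMS_RE = re.compile(r"^\s*permissions:\s*(\S*)", re.MULTILINE)


def classify_reference(ref: str) -> str:
    """Classify one `uses:` value as 'sha', 'mutable', 'local' or 'docker'."""
    if ref.startswith("./"):
        return "local"      # same-repository action, reviewed with the repo itself
    if ref.startswith("docker://"):
        return "docker"     # image reference; pin by digest (not checked here)
    if "@" not in ref:
        return "mutable"    # no ref at all resolves to the action's default branch
    _, _, version = ref.rpartition("@")
    # Tags (v4), branches (main) and short SHAs can all be moved or collide;
    # only a full 40-hex commit SHA is an immutable pin.
    return "sha" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_yaml: str) -> list[str]:
    """Return every action reference that is not pinned to a full commit SHA."""
    return [ref for ref in USES_RE.findall(workflow_yaml)
            if classify_reference(ref) == "mutable"]


def token_permissions_too_broad(workflow_yaml: str) -> bool:
    """True if GITHUB_TOKEN is write-all or no `permissions:` block is set.

    A workflow with no `permissions:` block inherits the repository default,
    which may be read-write, so the stolen token of a poisoned step can push.
    """
    m = PERMS_RE.search(workflow_yaml)
    if m is None:
        return True
    return m.group(1) == "write-all"


# Constructed sample workflow: two mutable references, one SHA-pinned reference
# and one local action. Names and the SHA are illustrative placeholders.
SAMPLE_WORKFLOW = """
name: ci
on: [push]
permissions: write-all
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/security-scanner-action@main
      - uses: example-org/build-action@0123456789abcdef0123456789abcdef01234567  # SHA-pinned
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned action reference: {ref}")
    if token_permissions_too_broad(SAMPLE_WORKFLOW):
        print("GITHUB_TOKEN permissions are write-all or unset; scope them per job")
```

Run against a repository's `.github/workflows/*.yml` files, the two mutable references in the sample (`@v4` and `@main`) are exactly the kind a poisoned tag would hijack; the SHA-pinned step would keep executing the audited commit even if its tags were moved.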
The injected malware used a three-stage process: collecting secrets from memory and file systems, encrypting the data, and exfiltrating it to attacker-controlled infrastructure.
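The collect-then-exfiltrate sequence gives defenders a correlatable signal: a build step that opens well-known credential files and then connects to a host outside the job's expected set. The detector below is an added example (not from the report or any vendor product) that runs that correlation over a constructed runner audit log in a hypothetical `timestamp job=<id> open|connect <target>` format; the credential paths, allow-list and log lines are constructed, and `collector.example.invalid` is a placeholder host.

```python
import re
from dataclasses import dataclass

# Added example: correlate credential-file reads with non-allow-listed outbound
# connections inside the same CI job. Log format and data are constructed.

# Well-known secret locations on a build runner.
CREDENTIAL_PATHS = (
    "/.aws/credentials", "/.ssh/", "/.npmrc", "/.docker/config.json",
    "/.kube/config", "/.git-credentials",
)
# Constructed allow-list of hosts a job is expected to reach.
ALLOWED_HOSTS = {"github.com", "registry.npmjs.org", "pypi.org"}

# Hypothetical audit-log line: "<ts> job=<id> open <path>" or "<ts> job=<id> connect <host:port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) job=(?P<job>\S+) (?P<kind>open|connect) (?P<target>\S+)$"
)


@dataclass
class Alert:
    job: str
    cred_path: str   # first credential file the job read
    host: str        # non-allow-listed destination contacted afterwards


def parse_line(line: str):
    """Return the event fields for one log line, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_exfil_sequences(lines, allowed_hosts=ALLOWED_HOSTS):
    """Alert when a job reads a credential file and later connects outside the allow-list.

    Either event alone is noisy (legitimate steps read ~/.npmrc; builds reach
    registries); the ordered pair within one job is the exfiltration signal.
    """
    alerts = []
    touched = {}  # job id -> first credential path read in that job
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        job, kind, target = ev["job"], ev["kind"], ev["target"]
        if kind == "open" and any(p in target for p in CREDENTIAL_PATHS):
            touched.setdefault(job, target)
        elif kind == "connect" and job in touched:
            host = target.rsplit(":", 1)[0]   # strip the port
            if host not in allowed_hosts:
                alerts.append(Alert(job, touched[job], host))
    return alerts


# Constructed sample log: build-42 behaves normally, scan-17 reads two credential
# files and then calls out to a host that is not on the allow-list.
SAMPLE_LOG = """
2026-03-01T10:00:01Z job=build-42 open /home/runner/work/app/package.json
2026-03-01T10:00:02Z job=build-42 connect registry.npmjs.org:443
2026-03-01T10:00:05Z job=scan-17 open /home/runner/.aws/credentials
2026-03-01T10:00:05Z job=scan-17 open /home/runner/.ssh/id_ed25519
2026-03-01T10:00:06Z job=scan-17 connect collector.example.invalid:443
2026-03-01T10:00:09Z job=deploy-3 connect github.com:443
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect_exfil_sequences(SAMPLE_LOG):
        print(f"ALERT job={a.job} read {a.cred_path} then contacted {a.host}")
```

The rule is deliberately conservative: it keys on the first credential read per job and only fires on the connection that follows it, so a job that merely contacts an unknown host without touching secrets is not reported. In a real runner the same logic would be fed from an eBPF or auditd file-open and connect stream rather than a text log.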
A key innovation in this attack was its propagation model. Stolen credentials were reused to compromise additional systems and publish malicious packages, including a self-propagating npm worm leveraging distributed infrastructure.
AI and cloud-native workflows amplified the impact. Modern pipelines rely heavily on automation, shared credentials, and interconnected services, allowing a single compromised component to cascade across multiple environments.
Why It Matters
The Databricks-reported TeamPCP incident highlights a fundamental shift in cyber risk. Instead of targeting applications directly, attackers are increasingly targeting the tools used to build and secure those applications. In this case, even security tools themselves were weaponized. (thecybersecguru.com)
The exposure of CI/CD secrets presents significant downstream risk. Compromised credentials can grant access to cloud infrastructure, source code repositories, container registries, and production systems. This creates opportunities for data theft, infrastructure manipulation, and long-term persistence.
The scale of the attack is particularly concerning. With thousands of workflows relying on affected components, the potential impact extends far beyond the initially compromised projects.
From a governance perspective, this incident reinforces the importance of supply chain security within frameworks such as the NIST AI RMF. Organizations must now treat third-party dependencies and CI/CD tooling as critical risk surfaces.
For AI-driven organizations, the implications are even broader. AI pipelines often integrate multiple external tools and services, increasing the likelihood that a single compromised dependency can expose sensitive models, datasets, or infrastructure.
PointGuard AI Perspective
The Databricks-highlighted TeamPCP attack exemplifies the growing need for continuous, end-to-end visibility across the AI and software supply chain. Traditional security approaches focus on application vulnerabilities but lack the ability to monitor dynamic dependencies and CI/CD workflows where these attacks occur.
PointGuard AI provides comprehensive AI SBOM visibility, allowing organizations to track all components within their AI and development ecosystems, including models, libraries, and CI/CD integrations. This visibility is critical for identifying compromised dependencies before they propagate.
In incidents like TeamPCP, PointGuard AI’s runtime monitoring detects anomalous behavior such as unexpected credential access, unusual execution patterns, or unauthorized outbound connections. These signals enable rapid detection of malicious activity embedded within trusted tools.
PointGuard AI also enforces strong policy controls around secrets management, ensuring that sensitive credentials are not broadly accessible within pipelines or exposed to untrusted components. This significantly reduces the blast radius of credential theft attacks.
Additionally, risk scoring and automated prioritization help security teams quickly identify high-risk dependencies and respond before compromise spreads.
As supply chain attacks become more sophisticated and interconnected, organizations must adopt proactive, continuous security models. PointGuard AI enables this shift, helping enterprises secure their AI and development pipelines while maintaining the speed of innovation.
Incident Scorecard Details
Total AISSI Score: 7.8/10
Criticality = 7
Sensitive CI/CD and cloud credentials potentially exposed, but scope not yet fully confirmed
AISSI weighting: 25%
Propagation = 8
Broad multi-ecosystem exposure with strong potential for spread, though full reach still being assessed
AISSI weighting: 20%
Exploitability = 8
Evidence of active exploitation and credential harvesting techniques
AISSI weighting: 15%
Supply Chain = 9
Heavy reliance on compromised third-party tools and CI/CD ecosystems
AISSI weighting: 15%
Business Impact = 6
Elevated risk exposure with credible potential for downstream impact, but no confirmed large-scale damage yet
AISSI weighting: 25%
Sources
