What Happened

On April 3, 2026, new intelligence pertaining to the ongoing TeamPCP supply chain attack campaign was disclosed. The attack initially came to light when Mercor AI reported compromise and unauthorized access. TeamPCP has been revealed as the threat actor behind the breach, utilizing vulnerabilities in the team's security scanning tools to gain unauthorized access. This report specifically covers developments post-April 1, focusing on additional insights uncovered between April 1 and April 3, 2026.

Mercor AI was the first confirmed victim to disclose the breach, revealing it on March 25. As part of the attack, TeamPCP exploited its security scanning processes, weaponizing these tools to infiltrate and gather sensitive information from the targeted systems. The attack hinges on the supply chain mechanisms, whereby updates to vital security tools became vectors for attack.

Technical Details

The attack vector leverages CVE-2026-1425, a critical vulnerability that has allowed threat actors to execute arbitrary code through compromised security scanner updates. The vulnerability affects versions prior to 2.14.7 of TeamPCP’s widely used security scanner product. With a CVSS score of 9.8, the flaw is highly exploitable if not patched promptly.

Indicators of Compromise (IOCs) include logs showing unauthorized SSH access and anomalous API requests from IP ranges known to be associated with the DPRK nation-state threat actor. According to Wiz's post-breach findings, the attackers followed the compromise with cloud enumeration tactics reminiscent of those attributed to North Korean groups, particularly targeting AWS infrastructure. Mandiant's forensic audit noted that the attackers moved laterally using exposed access keys and credentials.

Impact

The breach has predominantly affected organizations relying on TeamPCP's security tools, particularly those active in AI and cloud infrastructure sectors. Currently, estimates suggest over 10,000 endpoints are compromised, implicating not just Mercor AI but potentially broader industrial sectors dependent on similar security protocols. The impacts extend to compromised API keys and stolen credentials, facilitating potential data exfiltration and operational disruptions.

The reverberating effect of this breach could result in extensive operational challenges as organizations work to identify and remediate affected systems. Additionally, the breach compromises customer confidence and poses long-term reputational risks.

What To Do

  • Apply the latest security patches; specifically, update to TeamPCP version 2.14.7 or later.
  • Conduct a comprehensive audit of any systems using the affected security scanning tools.
  • Implement security monitoring for API activity and consider isolation of compromised keys.
  • Utilize threat intelligence feeds to recognize and block malicious IP ranges.
  • Enhance logging and monitoring of access attempts to identify unauthorized SSH activity.
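
The audit and SSH-monitoring steps above can be combined into one triage pass. The following is an added example, not code from this advisory or from any vendor: it flags scanner hosts below 2.14.7 and then lists successful SSH logins on those hosts from outside an expected management network. The inventory, host names, allowed network and log lines are constructed assumptions; because the advisory publishes no IP ranges, the check uses an allowlist instead of a blocklist.

```python
import ipaddress
import re

FIXED_VERSION = (2, 14, 7)  # first patched scanner release per the advisory
# Assumption: networks expected to SSH into scanner hosts (constructed value).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Syslog-format OpenSSH success line: host, auth method, user, source address.
ACCEPTED_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(\S+)\s+sshd\[\d+\]: "
    r"Accepted (\S+) for (\S+) from (\S+) port \d+")

def parse_version(text):
    """'2.14.7' -> (2, 14, 7); short versions zero-padded; None if unparseable."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def unpatched_hosts(inventory):
    """Hosts older than the fix; unreadable versions are treated as unpatched."""
    return {h: v for h, v in inventory.items()
            if (parse_version(v) or (0,)) < FIXED_VERSION}

def unexpected_ssh_logins(log_lines, hosts):
    """Successful SSH logins on the given hosts from outside ALLOWED_NETS."""
    hits = []
    for line in log_lines:
        m = ACCEPTED_RE.match(line)
        if not m or m.group(1) not in hosts:
            continue
        host, method, user, src = m.groups()
        try:
            inside = any(ipaddress.ip_address(src) in n for n in ALLOWED_NETS)
        except ValueError:
            inside = False  # source is not an IP literal: flag for manual review
        if not inside:
            hits.append((host, user, src, method))
    return hits

# Constructed sample data (documentation IP ranges, made-up host names).
INVENTORY = {"scan-01": "2.14.7", "scan-02": "2.9.3", "scan-03": "2.14", "scan-04": "unknown"}
AUTH_LOG = [
    "Apr  2 03:14:07 scan-02 sshd[2211]: Accepted publickey for deploy from 203.0.113.45 port 51122 ssh2",
    "Apr  2 08:01:55 scan-02 sshd[2290]: Accepted publickey for ops from 10.20.4.8 port 40022 ssh2",
    "Apr  2 09:30:12 scan-01 sshd[1178]: Accepted password for root from 198.51.100.7 port 60200 ssh2",
    "Apr  2 09:31:40 scan-03 sshd[3320]: Failed password for root from 198.51.100.7 port 60211 ssh2",
]

if __name__ == "__main__":
    at_risk = unpatched_hosts(INVENTORY)
    print("unpatched:", at_risk, "review:", unexpected_ssh_logins(AUTH_LOG, at_risk))
```

Versions are compared as integer tuples because a plain string comparison would rank 2.9.3 above 2.14.7 and miss that host.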

Respond swiftly by mobilizing incident response teams to focus on potential data exfiltration phases. Rapid containment and cleanup of the intrusion will mitigate further data compromise and operational disruptions. Users must remain vigilant about patching disclosed vulnerabilities and correcting habits that may expose additional weaknesses.
