T1195.001 Compromise Software Dependencies and Development Tools
98%
“the vector), and legal and compliance consequences (breach notification obligations, potential liability for downstream impacts). The tendency is to categorize supply chain attacks as a “security tool problem” or a “developer problem.” It is neither. It is a business risk…”
T1195.001 Compromise Software Dependencies and Development Tools
97%
“Your supply chain breach is someone else's payday. TeamPCP exploited a single stolen credential to gain write access to trusted software repositories, inject credential-harvesting malware, and cascade across five ecosystems in five days. Stolen credentials can enable payroll r…”
T1195.001 Compromise Software Dependencies and Development Tools
96%
“trusted software repository. From there, they injected a credential-harvesting payload into the software and poisoned two Checkmarx GitHub Actions workflows. The malware ran silently on installation, vacuuming up access keys, cloud credentials, secrets, and (the cruelest irony…”
T1486 Data Encrypted for Impact
92%
“Unlike a firewall rule, a stolen credential doesn't trigger an alert. It just works. We previously wrote about how deserialization vulnerabilities have plagued enterprise software for over a decade. The pattern is always the same: trusting input that should not be trusted. Sup…”
T1195 Supply Chain Compromise
92%
“, and delivers remote access malware. But TAG-160 has also been caught running “double brokering scams,” where they pose as a legitimate carrier, obtain valid load details from a real broker, then re-advertise the load under the broker's name to contract a different carri…”
T1657 Financial Theft
79%
“account tokens? The answer, based on what Insikt Group is tracking across multiple unrelated campaigns, is far broader than encryption and extortion. Redirect payroll. Late last year (2025) Insikt Group was monitoring activity around a campaign called “Swiper,” run by likely…”
T1195 Supply Chain Compromise
76%
“Organizations that weather this era of supply chain risk will be those that treat code integrity verification as a continuous, automated, AI-augmented process rather than a periodic audit. So what. Now what. TeamPCP is not done. Their Telegram channel explicitly states the oper…”
T1195 Supply Chain Compromise
60%
“Unlike a firewall rule, a stolen credential doesn't trigger an alert. It just works. We previously wrote about how deserialization vulnerabilities have plagued enterprise software for over a decade. The pattern is always the same: trusting input that should not be trusted. Sup…”
T1195 Supply Chain Compromise
58%
“the vector), and legal and compliance consequences (breach notification obligations, potential liability for downstream impacts). The tendency is to categorize supply chain attacks as a “security tool problem” or a “developer problem.” It is neither. It is a business risk…”
T1195 Supply Chain Compromise
51%
“Your supply chain breach is someone else's payday. TeamPCP exploited a single stolen credential to gain write access to trusted software repositories, inject credential-harvesting malware, and cascade across five ecosystems in five days. Stolen credentials can enable payroll r…”
T1195.001 Compromise Software Dependencies and Development Tools
45%
“Organizations that weather this era of supply chain risk will be those that treat code integrity verification as a continuous, automated, AI-augmented process rather than a periodic audit. So what. Now what. TeamPCP is not done. Their Telegram channel explicitly states the oper…”
T1195.001 Compromise Software Dependencies and Development Tools
40%
“. A single publishing token or access key, lifted from a prior infection and left unrotated, would have been sufficient. TeamPCP's earlier compromise of Aqua Security's Trivy infrastructure in late February (where incomplete credential rotation left residual access open for w…”
T1552.001 Credentials In Files
36%
“. A single publishing token or access key, lifted from a prior infection and left unrotated, would have been sufficient. TeamPCP's earlier compromise of Aqua Security's Trivy infrastructure in late February (where incomplete credential rotation left residual access open for w…”
T1552.004 Private Keys
32%
“. A single publishing token or access key, lifted from a prior infection and left unrotated, would have been sufficient. TeamPCP's earlier compromise of Aqua Security's Trivy infrastructure in late February (where incomplete credential rotation left residual access open for w…”
Summary
A supply chain attack by TeamPCP compromised trusted software tools to harvest credentials at scale, enabling payroll fraud, logistics theft, and ransomware extortion.