TeamPCP Supply Chain Campaign: Update 007 - Cisco Source Code Stolen via Trivy-Linked Breach, Google GTIG Tracks TeamPCP as UNC6780, and CISA KEV Deadline Arrives with No Standalone Advisory, (Wed, Apr 8th)
The TeamPCP supply chain campaign involves a sophisticated threat actor tracked by Google GTIG as UNC6780. This update highlights the theft of Cisco source code via a breach linked to the Trivy security scanner. The campaign has been ongoing with multiple supply chain compromises, including credential sharing and breaches affecting numerous SaaS environments. Despite the severity of the campaign, no standalone advisory has been issued by CISA at this time. The threat is categorized as medium severity due to the nature of the supply chain compromise and source code theft, but no known exploits are currently reported in the wild.
AI Analysis
Technical Summary
This report provides an update on the TeamPCP supply chain campaign, focusing on the theft of Cisco source code through a breach associated with the Trivy security scanner. The threat actor UNC6780, tracked by Google GTIG, continues to conduct supply chain attacks affecting multiple organizations and SaaS environments. The campaign has been documented through multiple updates, with this being the seventh, consolidating intelligence from early April 2026. Although the report is tagged for remote code execution (RCE), it provides no specific exploit details or affected software versions. No patch or remediation guidance is currently available, and no known exploits have been observed in the wild.
Potential Impact
The primary impact is the unauthorized access to and theft of Cisco source code, which could aid attackers in developing targeted exploits or further supply chain compromises. The campaign has also resulted in widespread credential sharing and SaaS environment compromises. However, there is no evidence of active exploitation in the wild at this time. The absence of a standalone CISA advisory suggests that official mitigation guidance is pending or under development.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations should monitor updates from Cisco, CISA, and other relevant vendors for official patches or mitigation instructions. Given the supply chain nature of the campaign, reviewing and securing software supply chain processes and access controls is advisable. No specific remediation actions are detailed in the current report.
Technical Details
- Article Source: https://isc.sans.edu/diary/rss/32880 (fetched 2026-04-08T17:20:48Z, 2008 words)
Threat ID: 69d68e701cc7ad14da93c4ec
Added to database: 4/8/2026, 5:20:48 PM
Last enriched: 4/8/2026, 5:20:57 PM
Last updated: 4/8/2026, 7:49:35 PM