The TeamPCP campaign represents the highest-priority item in this rollup by priority score (0.632) and the broadest supply chain blast radius. Threat actor TeamPCP embedded credential-harvesting malware in telnyx PyPI versions 4.87.1 and 4.87.2 using audio steganography to evade detection, with the same actor confirmed to have also compromised litellm, Trivy, and KICS packages. Any CI/CD pipeline that installed these versions should be treated as fully compromised — all secrets, tokens, and credentials accessible to those runners are at risk of exfiltration, with ransomware follow-on assessed as a plausible next stage based on moderate-confidence LAPSUS$/Vect attribution. Immediate actions are package removal, hash-verified reinstallation of clean versions, and full secrets rotation across all affected pipeline environments.