Weaponizing the Pipeline: Inside TeamPCP’s Multi-Stage Supply Chain Attacks

TeamPCP's supply chain attacks compromised trusted developer tools, stole cloud credentials, and spread malware across software ecosystems. Explore the attack methods, malware arsenal, and the growing risks facing modern CI/CD environments.

Govern Pipeline Execution Before Impact
  • July 8, 2026

Recently, the FBI issued a FLASH advisory about TeamPCP, a financially-motivated cybercrime group. The advisory explains that TeamPCP carried out a large software supply chain compromise by injecting malicious code into trusted developer tools. In practice, the attackers secretly added trojans to legitimate packages and pipeline scripts. This covert malware stole sensitive data cloud API tokens, SSH keys, Kubernetes secrets and more from any system that used the infected tools.

The FBI Flash lists TeamPCP’s tactics and indicators, warning organizations to treat exposed credentials as an ongoing risk. In essence, attackers did not breach targets directly. Instead, they hijacked popular software build and security tools to spread malware at scale.

TeamPCP targeted common development and security tools. For example, the group trojanized:

  • Aqua Security Trivy: Container vulnerability scanner included in many CI/CD pipelines.
  • Checkmarx KICS: Infrastructure-as-code (Cloud Saguaro) scanner.
  • BerriAI LiteLLM: AI gateway.
  • Telnyx Python SDK: Official Communications API SDK.

All of the above tools are heavily incorporated into developers’ toolchain. Indeed, Trivy and KICS are used in millions of enterprise pipelines, and LiteLLM is a popular PyPI package. This way, by targeting trusted packages and SDKs, the threat actor guaranteed the execution of their malware whenever a developer was developing or deploying something.

In addition to the above four tools, academic research identified that TeamPCP compromised even more GitHub Actions, npm, PyPI, Docker Hub, and other repositories. Hundreds of malicious packages were uploaded across various ecosystems. The victim toolchains spanned cloud security scanners and AI frameworks.

DevSecOps Supply Chain Compromise

Target Ecosystems
GitHub, npm, PyPI
Attack Vector
Chain of Compromise
C2 Protocol
ICP Blockchain
Extortion Leak Site
CipherForce
Target & Scope
  • Targeted core developer utilities including Aqua Trivy, Checkmarx KICS, LiteLLM, and Telnyx SDK.
  • Compromised service account credentials to force-push malicious code across GitHub, npm, and PyPI.
  • Guaranteed payload execution whenever developers deploy code within local or enterprise CI/CD pipelines.
Malware & Tactics
  • Abused GitHub Actions pull_request_target triggers via crafted “Pwn Requests” to extract runner secrets.
  • Deployed CanisterWorm using decentralized ICP blockchain C2 to run destructive Kubernetes wipers.
  • Utilized SandClock for cloud secret harvesting alongside registry-propagating Mini Shai-Hulud worms.
Extortion & Evasion
  • Exfiltrated AWS/Azure/GCP credentials and cryptocurrency wallets to double-extort targets.
  • Partnered with ransomware affiliates (sharing 80-88% profits) and leaked data on CipherForce.
  • Obfuscated payloads via WAV steganography and double Base64 encoding to bypass traditional static analysis.
Indicators of Compromise (IoC)
Category Indicators
Domains scan.aquasecurtiy[.]org, checkmarx[.]zone, models.litellm[.]cloud, check.git-service[.]com, t.m-kosche[.]com
IPs 83.142.209[.]11, 45.148.10[.]212, 83.142.209[.]194, 83.142.209[.]203, 94.154.172[.]43, 67.217.57[.]240
Malware CanisterWorm, SandClock, Mini Shai-Hulud, Miasma
Packages Trivy, KICS, LiteLLM, Telnyx Python SDK
TTPs Credential Theft, GitHub Actions Abuse (pull_request_target), Steganography (WAV), Double Base64 payloads

Attack Techniques and Tactics

As far as the automation is concerned, TeamPCP performed a series of attacks in multiple stages. The first step involved gaining access via unused credentials or misconfigured account of developers. For example, on March 19, 2026, the threat actor stole credentials of the GitHub service account for the Trivy scanner. Then they force-pushed malicious code into almost all Trivy Action tags using those stolen credentials.

TeamPCP followed the same strategy when compromising other applications. For instance, after stealing tokens from the Trivy hack, attackers pushed malware into Checkmarx KICS. Later they compromised PyPI by hijacking publishing tokens of LiteLLM and Telnyx libraries. This approach of attack called “chain-of-compromise” where each successful attack funded further attacks. One time team compromised multiple packages (47 in total) through one package using the stolen npm credentials in one automation cycle.

Specifically, they used GitHub Actions to deploy their attack. Hackers created so-called “Pwn Requests” that triggered the GitHub’s pull_request_target with malicious workflows with full privileges and allowed extracting runner credentials and publishing malware.

In general, a forked repository submitted pull requests; then GitHub executed attackers’ code with full permissions of an original repository.

Malware Arsenal: Worms and Steganography

Several custom-built backdoors and worms were used by TeamPCP. Among them were the following mentioned in the reports by the FBI Flash and industry experts:

  • CanisterWorm: This self-replicating cloud worm exploits cloud tokens and SSH keys. To manage command-and-control, it makes use of a decentralized blockchain “canister” (Internet Computer Protocol). Moreover, CanisterWorm can pose as normal system services. As a result, at the end of March 2026, the worm received a destructive wiper payload. Thus, in the case of certain criteria, the worm bricks Kubernetes cluster and wipes files from hosts.
  • SandClock: This is a covert credential stealer tool used by attackers. It extracts cloud access keys (AWS, Azure, GCP), Kubernetes ServiceAccount tokens, local environment variables, and even cryptocurrency wallets. SandClock was planted in CI pipelines to quietly steal secrets of the attackers.
  • Mini Shai-Hulud: A cross-ecosystem supply chain worm. Self-replicating agent spreads through npm and PyPI registries. Thus, for example, in May 2026, TeamPCP made use of Mini Shai-Hulud to distribute 84 malicious versions across 42 npm packages within the TanStack library set. Then, the worm started to propagate to other Python libraries. Its aim was to spread fast to any projects that use these packages.
  • Miasma: It is a variant of Mini Shai-Hulud. Miasma spreads through open-source registries. Moreover, it extracts exposed credentials and adds malicious scripts to the configuration files.

Extortion Tactics and Exposure

Besides stealing data, TeamPCP’s motives included extorting money from its victims. Following the data theft, attackers then proceeded to threaten the victims through public exposure. They worked with fellow cybercriminals by using ransomware, giving them between 80-88% profits out of the transaction.

The victim companies were embarrassed publicly at “CipherForce,” which is a ransomware leak site. As depicted below, CipherForce reveals the list of companies that will not comply with the ransom demand, complete with a countdown to data release.

In accordance to the FBI and industry reports, CipherForce claimed to have 16 victims altogether. The process involved data exfiltration, and then the hackers posted screenshots of the exfiltration as well as pieces of information from the data. The technique of threatening victims through the use of a ransomware site is typical of the ransomware attacks, because it increases the pressure for the victims to pay in order to avoid having their information exposed.

Apart from the data theft, they have also publicly declared partnerships through underground forums (BreachForums). In brief, the group managed to conduct both software supply chain attack and ransomware.

Campaign Scope and Impact

TeamPCP attacks were huge in scale, and reached more than 1,000 organizations as per independent analysis, outside of FBI FLASH. As per May 2026 statistics, hackers had managed to steal 500,000 sets of credentials and exfiltrate 300+ GB of data through at least 20 attack waves, and one attack wave had infected dozens of packages within less than a minute.

Activities were still ongoing in May 2026, and one of them known as “Mini Shai-Hulud” hit TanStack npm ecosystem and also the associated PyPI packages like mistralai and guardrails-ai. There was also a poisoned Visual Studio Code extension which helped them get into thousands of GitHub repositories but not in user data as per GitHub.

Here you see that even the usage of open-source packages and third party CI systems comes with risks since TeamPCP converted developer tools into infection vectors. There is FBI FLASH along with subsequent analysis on how the threat actor attacked software ecosystem in multiple ways.

Conclusion: When the Pipeline Becomes the Payload

TeamPCP shows why software supply chain attacks are so dangerous. The attacker does not need to breach every organization directly. They compromise the tools developers already trust, the scanners, SDKs, GitHub Actions, packages, and CI/CD workflows that run inside enterprise environments every day.

That is what makes this campaign different. The pipeline becomes the delivery system. Trusted automation becomes the execution path.

Why This Threat Matters

Modern development environments are built on speed, reuse, and automation. TeamPCP abused all three.

  • Trojanized tools executed inside trusted CI/CD pipelines
  • GitHub Actions workflows exposed runner secrets
  • Cloud credentials, SSH keys, Kubernetes tokens, and wallets were harvested
  • Worms spread across npm, PyPI, Docker Hub, and GitHub ecosystems
  • Blockchain-based C2 and steganography helped evade static detection
  • Extortion turned stolen developer secrets into business pressure

Once malicious code enters the pipeline, it can inherit the trust, permissions, and reach of the tools it replaced.

Where Xcitium Changes the Outcome

For organizations using Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, supply chain execution does not receive automatic trust.

This is Execution Governance.

Unknown code does not receive unrestricted execution rights.
Code can run without being able to cause damage.
Runtime behavior is governed before trust exists.
Credential theft, script abuse, worm propagation, destructive payloads, and follow-on execution are stopped before impact.

Detection asks, “Did we recognize this package as malicious?”
Execution Governance asks, “Could unknown code cause damage inside the pipeline?”

That is the difference.

Trust the Process. Govern the Execution.

TeamPCP proves that trusted tools can become attacker-controlled delivery channels. Developer velocity cannot depend on blind trust in every package, workflow, scanner, or SDK that enters the build path.

Security teams must assume supply chain trust can fail.
They must govern what code is allowed to do when it runs.
They must prove control before compromise becomes business impact.

Like what you see? Share with a friend.

Move Away From Detection With Patented Threat Prevention Built For Today's Challenges.

No one can stop zero-day malware from entering your network, but Xcitium can prevent if from causing any damage. Zero infection. Zero damage.

Book a Demo