Supply Chain Security Under Siege: TeamPCP’s Aggressive Pipeline Attacks
A sophisticated, financially motivated threat actor operating under the moniker TeamPCP has launched an aggressive campaign targeting the bedrock of modern software development: the CI/CD pipeline.
Rather than targeting end-user workstations through traditional phishing, TeamPCP has pivoted to a high-leverage strategy—compromising the automated build and release workflows that developers inherently trust.By injecting malicious logic directly into these pipelines, the group effectively hijacks the “chain of custody” for software. This allows them to distribute poisoned packages, Docker images, and extensions that appear digitally signed and legitimate, bypassing standard perimeter defenses.
Recent technical analysis by Trend Micro reveals a coordinated series of attacks spanning at least seven distinct waves between March and April 2026. The campaign has demonstrated remarkable agility, impacting diverse ecosystems including GitHub Actions, PyPI, Docker Hub, and VS Code extensions.

The group’s operational tempo is alarming. In the Checkmarx KICS incident, attackers executed a multi-vector assault by simultaneously poisoning Docker images and VS Code extensions. Within hours of the initial breach, they successfully weaponized stolen npm tokens to hijack the @bitwarden/cli package, demonstrating a terrifyingly short window between credential theft and widespread distribution.
In contrast, the elementary-data compromise showcased the danger of architectural oversights. The attackers exploited a lack of input sanitization within a GitHub pull request comment. By injecting a malicious script into a comment, they successfully manipulated the project’s CI workflow, triggering the automated build and publication of a backdoored package to both PyPI and the GitHub Container Registry.
Open-source intelligence suggests TeamPCP may be operating in concert with known criminal entities, with reports indicating potential partnerships with the Vect ransomware group and CipherForce.
Technical Analysis: Targeted Assets and Payload Evolution
The primary objective of TeamPCP is large-scale credential harvesting. Their malware is engineered to sweep through environments for high-value secrets, specifically targeting:
- Identity & Access: GitHub Personal Access Tokens (PATs), npm tokens, and SSH keys.
- Cloud Infrastructure: Comprehensive extraction of AWS, Azure, and GCP credentials.
- Orchestration & Secrets: Kubernetes secrets, CI/CD environment variables, and Infrastructure-as-Code (IaC) files.
- Data & Finance: Database connection strings, developer configuration files, and cryptocurrency wallet keystores.
A critical escalation noted in the elementary-data attack was the malware’s ability to interact with cloud-native services. Instead of merely scraping local files, the payload actively queried AWS APIs—including AWS Secrets Manager and SSM Parameter Store—to extract secrets stored directly within the cloud environment. This allows attackers to bypass the limitations of local disk forensics.

TeamPCP demonstrates significant technical versatility in their payload delivery. For the KICS attack, they deployed a heavy-duty JavaScript stealer executed via the Bun runtime, utilizing robust encryption standards such as AES-256-GCM and RSA to obfuscate exfiltrated data.
Conversely, the elementary-data payload utilized a more stealthy, lightweight approach: a Python .pth file. This file is designed to execute automatically upon Python interpreter initialization, allowing it to achieve persistence and execution while remaining largely invisible to traditional file-based detection mechanisms.
A fascinating “fingerprint” of this actor is their use of a custom XOR cipher, which is seeded with a specific Session messenger ID. This ID serves as both a decryption key and a unique signature that appears across multiple attack waves. Furthermore, the group leaves “branding” throughout their operations, including custom HTTP headers and Dune-themed GitHub repositories.

The scale of this campaign is immense. The elementary-data package alone sees over 1.1 million monthly downloads. Confirmed compromises have touched critical tools including Trivy, KICS, LiteLLM, Xinference, Telnyx, and Bitwarden CLI.
Defensive Posture: Securing the Pipeline
The TeamPCP campaign underscores a fundamental shift in the threat landscape: the pipeline has become the ultimate insider. By compromising the automation, attackers gain the ability to scale their impact exponentially, infecting thousands of downstream users through trusted update channels.
To mitigate these risks, organizations must move away from a model of “implicit trust” in automation and adopt a Zero Trust approach to CI/CD workflows:
- Enforce Least Privilege: CI/CD runners should only have the minimum necessary permissions. Avoid using long-lived, high-privilege cloud credentials; prefer OIDC (OpenID Connect) for short-lived, identity-based access to AWS/Azure/GCP.
- Sanitize Workflow Inputs: Treat every pull request, comment, and external trigger as untrusted. Ensure that scripts triggered by GitHub Actions or other orchestrators do not execute unsanitized user input.
- Monitor Cloud API Activity: Implement robust logging and alerting for unusual API calls, specifically looking for unexpected requests to AWS Secrets Manager or SSM Parameter Store coming from build environments.
- Dependency Integrity: Utilize software composition analysis (SCA) and lockfiles to ensure that the dependencies being pulled into your builds have not been surreptitiously updated in a registry.
In the era of TeamPCP, a secure codebase is no longer enough; you must also secure the machine that builds it.