Cross Ecosystem Supply Chain Compromise by TeamPCP

Published Date: March 25, 2026

Category: ShadowOpsIntel

TeamPCP is a threat actor group conducting a high-velocity, cross-ecosystem supply chain campaign targeting security-adjacent software. Since February 2026, the group has successfully compromised trusted GitHub Actions, Docker Hub, npm, Open VSX, and PyPI packages. Their primary objectives appear to be credential harvesting, lateral movement within Kubernetes clusters, and, in specific geographic regions, destructive wiper operations.

Severity: High

Timeline Of Major Incidents (2026)

February 28: Initial compromise of Aqua Security’s Trivy scanner via a workflow vulnerability, leading to the theft of a Personal Access Token (PAT).
March 3–9: Compromise of the xygeni-action GitHub Action. The attacker manipulated the mutable v5 tag to point to a malicious commit.
March 22: Discovery of a new Kubernetes Wiper payload (“CanisterWorm”) targeting Iranian infrastructure.
March 23: Hijacking of 35 tags in the Checkmarx KICS GitHub Action repository.
March 23: Compromise of Checkmarx OpenVSX extensions (cx-dev-assist and ast-results).
March 23-24: Trojanization of LiteLLM (versions 1.82.7 and 1.82.8) on PyPI.

Attack Details

1. Initial Access & Injection

Credential Compromise: Leverages compromised maintainer tokens or GitHub identities to push malicious code.
Tag Hijacking: Updates mutable Git tags (e.g., @v5 or @latest) to point to malicious commits staged on repository forks, bypassing standard merge reviews.
Ecosystem Hopping: Injects malicious code directly into package registries (PyPI, npm, Open VSX) during or after the build process, ensuring the malicious code is not visible in the upstream GitHub source.

2. Execution & Persistence

Import-Time Execution: Payloads are often triggered immediately upon importing a package (e.g., proxy_server.py in LiteLLM).
Silent Persistence: Uses .pth files in Python environments to execute payloads on every Python invocation, even if the compromised library is not imported.
Systemd Backdoor: Installs persistent services (disguised as pgmonitor or internal-monitor) that poll for additional binaries.

3. Malicious Payloads

Credential Harvester: Searches for environment variables, SSH keys, cloud tokens (AWS/GCP/Azure), Kubernetes secrets, and crypto wallets.
Kubernetes Lateral Movement: Deploys privileged “kamikaze” or “provisioner” DaemonSets to every node in a cluster.
Targeted Wiper: A specialized payload (“CanisterWorm”) checks for Iranian timezones; if detected, it executes a destructive rm -rf / command and reboots the host.

Recommendations

Immediately uninstall and purge the following known malicious packages:
• PyPI: litellm versions 1.82.7 and 1.82.8. Revert to the last known-clean version, 1.82.6.
• GitHub Actions: Any workflow referencing xygeni/xygeni-action@v5 or the kics-github-action tags hijacked on March 23.
• OpenVSX: Extensions cx-dev-assist 1.7.0 and ast-results 2.53.0.
The TeamPCP malware systematically harvests credentials. You must rotate any secrets that were present in environments where compromised tools ran, including:
• Cloud Keys: AWS, GCP, and Azure credentials.
• SSH Keys: All id_rsa, id_ed25519, and other private keys.
• CI/CD Tokens: GitHub Personal Access Tokens (PATs) and repository secrets.
• Environment Files: .env files containing database or API credentials.
• Kubernetes Secrets: Service account tokens and kubeconfig files.
Search for and delete highly privileged “kamikaze” or “provisioner” pods and DaemonSets, specifically those in the kube-system namespace.
Check for unauthorized systemd services and hidden directories such as /etc/systemd/system/pgmonitor.service or ~/.config/sysmon.
To prevent “tag hijacking,” do not reference GitHub Actions by mutable tags like @v5 or @latest. Instead, use the full, immutable 40-character commit SHA.
For Python (PyPI) and Node.js (npm) projects, always use and commit lockfiles (e.g., poetry.lock, requirements.txt with hashes, or package-lock.json) to ensure that only verified, specific versions of dependencies are installed.
In Python environments, audit the site-packages directory for suspicious .pth files (like litellm_init.pth) which can trigger malicious code on every Python invocation.
Block the IOCs at their respective controls
https://www.virustotal.com/gui/collection/dfe8b9f111ed53d8356b3a7b819191b7989c5cc3cdc92552e5c84f0d50bfe7e2/iocs

IOCs:

IP:	91[.]214[.]78[.]178
Domain:	models[.]litellm[.]cloud
Domain:	checkmarx[.]zone
Domain:	checkmarx[.]zone/raw
Domain:	icp0[.]io
Domain:	security-verify[.]91[.]214[.]78[.]178[.]nip[.]io
URL:	https[:]//souls-entire-defined-routes[.]trycloudflare[.]com/
URL:	https[:]//investigation-launches-hearings-copying[.]trycloudflare[.]com/
URL:	https[:]//championships-peoples-point-cassette[.]trycloudflare[.]com
URL:	https[:]//souls-entire-defined-routes[.]trycloudflare[.]com/kamikaze[.]sh
SHA-256:	8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2
SHA-256:	d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb
SHA-256:	a0d229be8efcb2f9135e2ad55ba275b76ddcfeb55fa4370e0a522a5bdee0120b
SHA-256:	71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238

Source:

https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads
https://xygeni.io/blog/security-incident-report-xygeni-action-github-action-compromise/
https://www.aikido.dev/blog/teampcp-stage-payload-canisterworm-iran
https://checkmarx.com/blog/checkmarx-security-update/
https://www.wiz.io/blog/teampcp-attack-kics-github-action
https://www.endorlabs.com/learn/teampcp-isnt-done

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.