TeamPCP is a threat actor group conducting a high-velocity, cross-ecosystem supply chain campaign targeting security-adjacent software. Since February 2026, the group has successfully compromised trusted GitHub Actions, Docker Hub, npm, Open VSX, and PyPI packages. Their primary objectives appear to be credential harvesting, lateral movement within Kubernetes clusters, and, in specific geographic regions, destructive wiper operations.
Severity: High
Timeline Of Major Incidents (2026)
- February 28: Initial compromise of Aqua Security’s Trivy scanner via a workflow vulnerability, leading to the theft of a Personal Access Token (PAT).
- March 3–9: Compromise of the xygeni-action GitHub Action. The attacker manipulated the mutable v5 tag to point to a malicious commit.
- March 22: Discovery of a new Kubernetes Wiper payload (“CanisterWorm”) targeting Iranian infrastructure.
- March 23: Hijacking of 35 tags in the Checkmarx KICS GitHub Action repository.
- March 23: Compromise of Checkmarx OpenVSX extensions (cx-dev-assist and ast-results).
- March 23-24: Trojanization of LiteLLM (versions 1.82.7 and 1.82.8) on PyPI.
Attack Details
1. Initial Access & Injection
- Credential Compromise: Leverages compromised maintainer tokens or GitHub identities to push malicious code.
- Tag Hijacking: Updates mutable Git tags (e.g., @v5 or @latest) to point to malicious commits staged on repository forks, bypassing standard merge reviews.
- Ecosystem Hopping: Injects malicious code directly into package registries (PyPI, npm, Open VSX) during or after the build process, ensuring the malicious code is not visible in the upstream GitHub source.
2. Execution & Persistence
- Import-Time Execution: Payloads are often triggered immediately upon importing a package (e.g., proxy_server.py in LiteLLM).
- Silent Persistence: Uses .pth files in Python environments to execute payloads on every Python invocation, even if the compromised library is not imported.
- Systemd Backdoor: Installs persistent services (disguised as pgmonitor or internal-monitor) that poll for additional binaries.
3. Malicious Payloads
- Credential Harvester: Searches for environment variables, SSH keys, cloud tokens (AWS/GCP/Azure), Kubernetes secrets, and crypto wallets.
- Kubernetes Lateral Movement: Deploys privileged “kamikaze” or “provisioner” DaemonSets to every node in a cluster.
- Targeted Wiper: A specialized payload (“CanisterWorm”) checks for Iranian timezones; if detected, it executes a destructive rm -rf / command and reboots the host.
Recommendations
- Immediately uninstall and purge the following known malicious packages:
• PyPI: litellm versions 1.82.7 and 1.82.8. Revert to the last known-clean version, 1.82.6.
• GitHub Actions: Any workflow referencing xygeni/xygeni-action@v5 or the kics-github-action tags hijacked on March 23.
• OpenVSX: Extensions cx-dev-assist 1.7.0 and ast-results 2.53.0.
- The TeamPCP malware systematically harvests credentials. You must rotate any secrets that were present in environments where compromised tools ran, including:
• Cloud Keys: AWS, GCP, and Azure credentials.
• SSH Keys: All id_rsa, id_ed25519, and other private keys.
• CI/CD Tokens: GitHub Personal Access Tokens (PATs) and repository secrets.
• Environment Files: .env files containing database or API credentials.
• Kubernetes Secrets: Service account tokens and kubeconfig files.
- Search for and delete highly privileged “kamikaze” or “provisioner” pods and DaemonSets, specifically those in the kube-system namespace.
- Check for unauthorized systemd services and hidden directories such as /etc/systemd/system/pgmonitor.service or ~/.config/sysmon.
- To prevent “tag hijacking,” do not reference GitHub Actions by mutable tags like @v5 or @latest. Instead, use the full, immutable 40-character commit SHA.
- For Python (PyPI) and Node.js (npm) projects, always use and commit lockfiles (e.g., poetry.lock, requirements.txt with hashes, or package-lock.json) to ensure that only verified, specific versions of dependencies are installed.
- In Python environments, audit the site-packages directory for suspicious .pth files (like litellm_init.pth) which can trigger malicious code on every Python invocation.
- Block the IOCs at their respective controls
https://www.virustotal.com/gui/collection/dfe8b9f111ed53d8356b3a7b819191b7989c5cc3cdc92552e5c84f0d50bfe7e2/iocs
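To enforce the commit-SHA pinning recommendation above, workflow files can be checked for `uses:` references that are not a full 40-character SHA. This is an added example, not code from the advisory or its sources; the sample workflow, the placeholder SHA and the some-org/some-action name are constructed, and local (`./`) and `docker://` references are deliberately left out of scope.

```python
import re
import sys
from pathlib import Path

# Matches "uses: owner/repo[/path]@ref", with or without a leading "- " or quotes.
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow; the 40-character value is a placeholder SHA.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder
      - name: Scan
        uses: xygeni/xygeni-action@v5
      - uses: ./.github/actions/local-build
      - uses: "some-org/some-action@latest"
"""


def unpinned_actions(workflow_text):
    """Return (line_number, action, ref) for each reference not pinned to a SHA."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES.match(line)
        if not match:
            continue
        target = match.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local action or container image: not covered here
        action, _, ref = target.partition("@")
        if not FULL_SHA.fullmatch(ref):
            findings.append((number, action, ref or "(no ref)"))
    return findings


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    workflows = root / ".github" / "workflows"
    for path in sorted(workflows.glob("*.y*ml")) if workflows.is_dir() else []:
        for number, action, ref in unpinned_actions(path.read_text()):
            print(f"{path}:{number}: {action} is referenced by mutable ref '{ref}'")
```

The check covers only the form of the reference; the pinned SHA still has to be the commit that was actually reviewed in the upstream repository.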
Source:
- https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads
- https://xygeni.io/blog/security-incident-report-xygeni-action-github-action-compromise/
- https://www.aikido.dev/blog/teampcp-stage-payload-canisterworm-iran
- https://checkmarx.com/blog/checkmarx-security-update/
- https://www.wiz.io/blog/teampcp-attack-kics-github-action
- https://www.endorlabs.com/learn/teampcp-isnt-done