TI Mindmap HUB
Severity: CRITICAL | TLP:WHITE | March 26, 2026
Tags: supply-chain, teampcp, canisterworm, kubernetes, credential-theft, ransomware, wiper, ci-cd, github-actions, pypi, npm, trivy, litellm, checkmarx, telnyx

🛡️ Threat Intelligence Report: TeamPCP Multi-Stage Supply Chain Campaign

1. Reports Summary Table

The following table lists all 20 TI Mindmap HUB reports analyzed for this assessment, ordered by publication date (newest first).

#  | Title | Publication Date | Source
1  | Weaponizing the Protectors: TeamPCP's Multi-Stage Supply Chain Attack on Security Infrastructure | 2026-04-01 | unit42.paloaltonetworks.com
2  | Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild | 2026-03-31 | www.wiz.io
3  | TeamPCP's Telnyx Windows Malware: Technical Analysis | 2026-03-30 | www.ox.security
4  | Has TeamPCP Pivoted To Using The PureHVNC RAT? | 2026-03-30 | opensourcemalware.com
5  | TeamPCP Compromises Telnyx Python SDK to Deliver Credential-Stealing Malware | 2026-03-28 | socket.dev
6  | TeamPCP Supply Chain Campaign: A March 2026 Retrospective | 2026-03-27 | opensourcemalware.com
7  | TeamPCP expands: Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions | 2026-03-27 | webflow.sysdig.com
8  | TeamPCP Partners With Ransomware Group Vect to Target Open Source Supply Chains | 2026-03-26 | socket.dev
9  | Guidance for detecting, investigating, and defending against the Trivy supply chain compromise | 2026-03-26 | www.microsoft.com
10 | TeamPCP: Trivy Supply Chain Attack and Kubernetes Wiper | 2026-03-25 | labs.cloudsecurityalliance.org
11 | TeamPCP's Five-Day Siege: How One Stolen Token Cascaded Across GitHub Actions, Checkmarx, VS Code Extensions, and npm | 2026-03-25 | phoenix.security
12 | TeamPCP deploys CanisterWorm on NPM following Trivy compromise | 2026-03-25 | www.aikido.dev
13 | CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran | 2026-03-25 | www.aikido.dev
14 | LiteLLM compromised on PyPI: Tracing the March 2026 TeamPCP supply chain campaign | 2026-03-25 | securitylabs.datadoghq.com
15 | TeamPCP Hijacks LiteLLM's PyPI Package - Credential Stealer Hits 40k-Star Project | 2026-03-24 | opensourcemalware.com
16 | Three's a Crowd: TeamPCP trojanizes LiteLLM in Continuation of Campaign | 2026-03-24 | www.wiz.io
17 | TeamPCP Is Systematically Targeting Security Tools Across the OSS Ecosystem | 2026-03-24 | socket.dev
18 | KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack | 2026-03-24 | www.wiz.io
19 | TeamPCP Defaces Aqua Security's Internal GitHub Org - 44 Repos Exposed | 2026-03-23 | opensourcemalware.com
20 | Threat Alert: TeamPCP, An Emerging Force in the Cloud Native and Ransomware Landscape | 2026-02-06 | flare.io

2. Executive Summary

Overview

TeamPCP (also tracked as PCPcat, ShellForce, DeadCatx3) is a rapidly escalating cloud-native cybercrime group that has executed one of the most impactful open-source supply chain campaigns observed to date. Between December 2025 and March 2026, the group evolved from opportunistic exploitation of exposed Docker and Kubernetes APIs into a coordinated, multi-stage supply chain operation that compromised five major vendor ecosystems in just five days during March 2026.

The campaign's defining characteristic is its cascading nature: a single unrevoked CI credential from Aqua Security's Trivy pipeline enabled TeamPCP to cascade access across GitHub Actions, npm, PyPI, OpenVSX extensions, and multiple high-trust security tools (Trivy, Checkmarx KICS, BerriAI LiteLLM, Telnyx SDK). The group exfiltrated over 300 GB of compressed credentials, including cloud tokens, SSH keys, and Kubernetes secrets, from an estimated 500,000+ infected machines and CI/CD runners.

TeamPCP's campaign is notable for three distinct escalation vectors: (1) the deployment of CanisterWorm, a self-propagating npm worm leveraging Internet Computer Protocol (ICP) canisters for decentralized, resilient C2; (2) the integration of a geopolitically targeted Kubernetes wiper aimed at Iranian infrastructure; and (3) a confirmed partnership with the Vect ransomware group, extending stolen credentials into large-scale ransomware deployment via the BreachForums affiliate network with 300,000+ potential operators.

Diagram: Attack Overview

                         ┌─────────────────────────────┐
                         │       INITIAL ACCESS        │
                         │  Unrevoked Trivy CI Token   │
                         │ (pull_request_target abuse) │
                         └──────────────┬──────────────┘
                                        │
                     ┌──────────────────┼──────────────────┐
                     ▼                  ▼                  ▼
           ┌─────────────────┐ ┌──────────────┐ ┌──────────────────┐
           │ WAVE 1: Trivy   │ │ WAVE 2: KICS │ │ WAVE 3: LiteLLM  │
           │ GitHub Actions  │ │ Checkmarx    │ │ PyPI Trojanize   │
           │ kamikaze.sh     │ │ GitHub Token │ │ .pth persistence │
           └───────┬─────────┘ └──────┬───────┘ └────────┬─────────┘
                   │                  │                  │
                   ▼                  ▼                  ▼
           ┌────────────────────────────────────────────────────┐
           │          CREDENTIAL HARVESTING (300 GB+)           │
           │  Cloud tokens · SSH keys · K8s secrets · .env vars │
           └────────────────────────┬───────────────────────────┘
                                    │
             ┌──────────────────────┼──────────────────────┐
             ▼                      ▼                      ▼
    ┌────────────────┐  ┌──────────────────┐  ┌──────────────────┐
    │ WAVE 4: Telnyx │  │ CanisterWorm     │  │ Vect Ransomware  │
    │ SDK + WAV      │  │ npm worm + ICP   │  │ Partnership +    │
    │ Steganography  │  │ C2 + K8s Wiper   │  │ BreachForums RaaS│
    └────────────────┘  │ (Iran targeting) │  └──────────────────┘
                        └──────────────────┘

Attribution & Threat Actor Profile

Group Name: TeamPCP
Known Aliases: PCPcat, ShellForce, DeadCatx3
First Observed: December 2025
Motivation: Financial (credential theft, ransomware, cryptomining, extortion) + Destructive/Geopolitical (Iran-targeted wipers)
Affiliation: Confirmed coordination with LAPSUS$; operational partnership with Vect ransomware group
Communication Channels: Telegram (dedicated channels for leaked data), BreachForums, dark web
Primary Targets: Open-source security tools, CI/CD pipelines, cloud-native infrastructure (Docker, Kubernetes, Ray, Redis)
Victim Geography: Global, with specific destructive operations targeting Iran
Victim Sectors: Enterprise (all sectors), with particular impact on organizations using Trivy, Checkmarx, LiteLLM, or Telnyx in their software supply chain

TeamPCP distinguishes itself from traditional APT groups by functioning as a cloud-native cybercrime platform rather than a single-purpose malware group. The group industrializes well-known attack techniques against modern cloud infrastructure and has demonstrated the ability to rapidly pivot between financial (credential theft, RaaS) and destructive (wiper) operations, suggesting dual financial and political motivations.


3. Technical Details

3.1 Malware Analysis & Tooling

TeamPCP developed and deployed an evolving malware toolkit across the campaign:

kamikaze.sh: The initial credential harvester delivered via compromised Trivy GitHub Actions. This shell script evolved through three versions: v1 performed basic credential exfiltration; v2 added GitHub runner process memory scraping by reading /proc/<pid>/mem to bypass GitHub secret masking and extract plaintext tokens; v3 introduced a pull method to download secondary payloads. All versions exfiltrated data to typosquatted domains over HTTP POST, encrypting the payload with AES-256-CBC and wrapping the session key with a 4096-bit RSA public key.

kube.py: A Python-based worm and wiper component representing a major escalation. This payload performs environment fingerprinting to identify Kubernetes clusters and deploys privileged DaemonSets. In Iranian environments, detected via timezone and locale, it deploys the host-provisioner-iran DaemonSet with a kamikaze container that mounts the host root filesystem and wipes all top-level directories before forcing a reboot. On non-Iranian Kubernetes clusters, it deploys host-provisioner-std with the CanisterWorm backdoor as a persistent systemd service. On non-containerized Iranian hosts, it executes rm -rf / --no-preserve-root.

CanisterWorm: A self-propagating npm worm that uses Internet Computer Protocol (ICP) canisters for decentralized, takedown-resistant C2. Each infected npm package acts as a telemetry node, harvesting developer tokens (npm auth, GitHub PATs) and using them to publish additional trojanized packages, creating exponential propagation. Fallback C2 uses Cloudflare tunnel domains and victim-owned GitHub repositories created using stolen GITHUB_TOKEN values.

LiteLLM Credential Stealer: Deployed via trojanized PyPI packages (litellm==1.82.7, 1.82.8), this Python infostealer leverages .pth file abuse to execute automatically whenever any Python process initializes on the host. The payload consists of double Base64-encoded scripts that sweep environment variables, .env files, AWS/Azure/GCP configuration directories, and cloud instance metadata (IMDS) for credential harvesting.

Telnyx SDK Malware: The most technically sophisticated payload in the campaign. It uses WAV audio file steganography to conceal encrypted second-stage payloads within valid audio files, bypassing network inspection and static analysis. The second stage performs dynamic API resolution on Windows and establishes a full remote access toolkit with data exfiltration capabilities across Windows, Linux, and macOS systems.

Supporting Infrastructure Tools: Sliver C2 framework for persistent command-and-control, FRPS and gost for proxying and tunneling, and XMRig for cryptomining monetization.

3.2 Techniques & Attack Phases

The campaign unfolded in a structured, cascading sequence:

Phase 1 - Trivy Compromise (March 23): TeamPCP exploited a known-dangerous pull_request_target GitHub Actions workflow in Aqua Security's Trivy repository. An autonomous bot exfiltrated a high-privilege Personal Access Token (PAT) from the aqua-bot service account. Despite Aqua Security's partial credential rotation, TeamPCP retained access due to incomplete revocation. The attackers defaced Aqua Security's internal GitHub organization (44 repositories exposed) and injected kamikaze.sh into trusted CI/CD workflows.

Phase 2 - Checkmarx KICS Compromise (March 24): Using stolen GitHub PATs harvested from the Trivy breach, TeamPCP poisoned Checkmarx's KICS GitHub Action with a behaviorally identical three-stage credential stealer. The payload exfiltrated to the typosquatted domain checkmarx[.]zone. Malicious OpenVSX extensions (ast-results v2.53.0, cx-dev-assist v1.7.0) were also published.

Phase 3 - LiteLLM PyPI Compromise (March 24): TeamPCP pivoted from GitHub PATs to PyPI publishing tokens. They trojanized the legitimate LiteLLM package (40k+ GitHub stars), publishing malicious versions 1.82.7 and 1.82.8 with a .pth-based persistence mechanism. The exfiltration endpoint used the domain models.litellm[.]cloud.

Phase 4 - Telnyx SDK Compromise (March 28): TeamPCP hijacked PyPI publishing credentials for the Telnyx Python SDK, injecting multi-stage credential-stealing malware that leveraged audio steganography for payload delivery. This represented a technique innovation focused on evading network-based detection.

Phase 5 - CanisterWorm Deployment & Wiper Integration (March 25+): TeamPCP deployed the CanisterWorm npm worm for automated ecosystem-wide propagation. Concurrently, the Iran-targeted Kubernetes wiper was integrated as a secondary payload, marking the convergence of financial and destructive operations. A third variant abandoned Kubernetes-only propagation and added SSH lateral movement by harvesting keys from SSH logs and exploiting the Docker API on port 2375.

Phase 6 - Vect Ransomware Partnership (March 26): TeamPCP formalized a partnership with the Vect ransomware group to weaponize stolen credentials at scale. Vect offered automatic affiliate status and personalized affiliation keys to all 300,000+ BreachForums members, dramatically expanding the attack surface.

3.3 Infrastructure Analysis

TeamPCP employs a multi-layered, resilient infrastructure design:

Primary C2 Domains (Typosquatted): Each attack wave used a vendor-themed typosquatted domain for exfiltration, providing plausible-looking traffic patterns: scan.aquasecurtiy[.]org (Trivy), checkmarx[.]zone (KICS), and models.litellm[.]cloud (LiteLLM).

Decentralized Fallback C2: The ICP canister domain tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io provides a blockchain-based, takedown-resistant C2 channel. This is used by CanisterWorm and the Kubernetes wiper/backdoor payloads.

Cloudflare Tunnel Domains: Multiple rotating Cloudflare tunnel domains provide ephemeral, difficult-to-block C2 channels: championships-peoples-point-cassette.trycloudflare.com, create-sensitivity-grad-sequence.trycloudflare.com, investigation-launches-hearings-copying.trycloudflare.com, plug-tab-protective-relay.trycloudflare.com, and souls-entire-defined-routes.trycloudflare.com.

GitHub-Based Fallback: If primary C2 fails, the malware uses the victim's own GITHUB_TOKEN to create hidden repositories with naming patterns such as tpcp-docs-* and docs-tpcp for fallback data exfiltration, making detection more challenging because the traffic originates from legitimate GitHub API endpoints.

Dedicated IP Infrastructure: Eight C2 IP addresses have been consistently observed across the campaign, listed below in the IoC section.

Encryption: Exfiltrated data is encrypted using AES-256-CBC session keys, further wrapped with a hard-coded 4096-bit RSA public key, ensuring data confidentiality even if C2 traffic is intercepted.


4. Detection Opportunities

4.1 CI/CD and Package Monitoring

CI/CD Pipeline Monitoring: Monitor for unexpected modifications to GitHub Actions workflows, especially those using pull_request_target. Alert on commits from unrecognized bot accounts. Validate SHA-pinned references for all GitHub Actions rather than relying on mutable version tags.

Package Registry Monitoring: Monitor for unexpected version publications of critical dependencies such as Trivy, LiteLLM, Checkmarx, and Telnyx. Implement SBOM verification and enforce allowlisted package versions. Alert on .pth file creation in Python site-packages directories.
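As an added example (not part of the original report or any of the cited sources), the following Python script implements the two workflow checks described above: it flags every uses: reference that is not pinned to a full commit SHA, and it flags a pull_request_target workflow that checks out the pull request head, the pattern abused in the Trivy compromise. The workflow text, the example-org/example-scan action and the 40-hex SHA are constructed samples; the script is line-based, so it needs no YAML parser.

```python
import re
from dataclasses import dataclass

# A "uses:" step reference of the form owner/repo[/path]@ref (local ./actions and docker:// refs are skipped).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
# A full 40-hex commit SHA; anything else (tag, branch name) is mutable and can be repointed by the action's owner.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Checking out the PR head inside a pull_request_target workflow runs fork-controlled code with the repo's secrets.
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")

# Constructed sample workflow (not from any real repository); the action name and the 40-hex SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: pr-scan
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: example-org/example-scan@v1
        env:
          TOKEN: ${{ secrets.SOME_TOKEN }}
      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
"""


@dataclass
class Finding:
    line: int
    severity: str
    message: str


def audit_workflow(text: str) -> list[Finding]:
    """Line-based audit of a workflow file; returns findings in the order they are detected."""
    findings: list[Finding] = []
    uses_pr_target = False
    pr_head_line = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0]  # ignore YAML comments
        if "pull_request_target" in stripped:
            uses_pr_target = True
        if PR_HEAD_RE.search(stripped):
            pr_head_line = lineno
        match = USES_RE.match(stripped)
        if match:
            action, ref = match.group(1), match.group(2)
            if not SHA_RE.match(ref):
                findings.append(Finding(lineno, "medium",
                                        f"{action} pinned to mutable ref '{ref}' instead of a commit SHA"))
    # The combination is what matters: pull_request_target alone is safe if the workflow never runs PR code.
    if uses_pr_target and pr_head_line:
        findings.append(Finding(pr_head_line, "high",
                                "pull_request_target workflow checks out the PR head: "
                                "fork-controlled code runs with repository secrets"))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3} [{f.severity}] {f.message}")
```

Run it against a directory of .github/workflows/*.yml files in CI and fail the build on any high finding; the medium findings are the mutable references that should be replaced with SHA pins.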

4.2 Network and Kubernetes Detections

Network Detection: Block or alert on connections to the IoC domains and IPs listed below. Monitor for DNS resolution of trycloudflare.com subdomains from CI/CD runners. Detect HTTP POST requests with large encrypted payloads to unrecognized endpoints. Monitor for connections to ICP canister domains under icp0.io.

Kubernetes Detection: Alert on creation of unexpected DaemonSets in the kube-system namespace, especially host-provisioner-iran or host-provisioner-std. Detect containers named kamikaze or provisioner mounting host root filesystems. Monitor for privileged container creation via Docker API on port 2375.
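As an added example (not from the report or any of the cited sources), this Python detector runs the Kubernetes checks above over API-server audit log lines in the audit.k8s.io/v1 JSON format: DaemonSets created in kube-system with names beginning host-provisioner-, containers named kamikaze or provisioner, privileged security contexts, and hostPath mounts of the node's root filesystem. The three audit events are constructed samples (the image name is a placeholder), and the mount path /host/root mirrors the persistence path listed in the IoC section.

```python
import json
from typing import Any

# Names taken from the TeamPCP reporting above; extend the sets as new variants are documented.
SUSPICIOUS_DS_PREFIX = "host-provisioner-"
SUSPICIOUS_CONTAINERS = {"kamikaze", "provisioner"}

# Three constructed audit.k8s.io/v1 events logged at RequestResponse level (so requestObject is present).
# Event 1 mimics the backdoor DaemonSet, event 2 is a benign log agent, event 3 is an unrelated read.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"daemonsets","namespace":"kube-system","name":"host-provisioner-std"},"requestObject":{"spec":{"template":{"spec":{"volumes":[{"name":"host","hostPath":{"path":"/"}}],"containers":[{"name":"provisioner","image":"PLACEHOLDER-IMAGE","securityContext":{"privileged":true},"volumeMounts":[{"name":"host","mountPath":"/host/root"}]}]}}}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"admin"},"objectRef":{"resource":"daemonsets","namespace":"monitoring","name":"log-agent"},"requestObject":{"spec":{"template":{"spec":{"volumes":[{"name":"varlog","hostPath":{"path":"/var/log"}}],"containers":[{"name":"agent","image":"example/log-agent:1.0","volumeMounts":[{"name":"varlog","mountPath":"/var/log","readOnly":true}]}]}}}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"admin"},"objectRef":{"resource":"pods","namespace":"default","name":"web-1"}}
"""


def _pod_spec(ds_spec: dict[str, Any]) -> dict[str, Any]:
    return ds_spec.get("template", {}).get("spec", {})


def _host_root_volume_names(ds_spec: dict[str, Any]) -> set[str]:
    """Names of pod volumes that are hostPath mounts of the node's root filesystem."""
    names = set()
    for vol in _pod_spec(ds_spec).get("volumes", []):
        host_path = vol.get("hostPath") or {}
        if host_path.get("path") == "/":
            names.add(vol.get("name", ""))
    return names


def analyze_daemonset_event(event: dict[str, Any]) -> list[str]:
    """Return the reasons an audit event resembles the TeamPCP DaemonSet payload (empty if none)."""
    ref = event.get("objectRef", {})
    if event.get("verb") not in {"create", "update", "patch"} or ref.get("resource") != "daemonsets":
        return []
    reasons = []
    name, namespace = ref.get("name", ""), ref.get("namespace", "")
    if namespace == "kube-system" and name.startswith(SUSPICIOUS_DS_PREFIX):
        reasons.append(f"DaemonSet name '{name}' in kube-system matches known wiper/backdoor naming")
    ds_spec = event.get("requestObject", {}).get("spec", {})
    root_volumes = _host_root_volume_names(ds_spec)
    pod = _pod_spec(ds_spec)
    for container in pod.get("initContainers", []) + pod.get("containers", []):
        cname = container.get("name", "")
        if cname in SUSPICIOUS_CONTAINERS:
            reasons.append(f"container '{cname}' matches known payload container name")
        if (container.get("securityContext") or {}).get("privileged"):
            reasons.append(f"container '{cname}' runs privileged")
        for mount in container.get("volumeMounts", []):
            if mount.get("name") in root_volumes:
                reasons.append(f"container '{cname}' mounts host root at {mount.get('mountPath')}")
    return reasons


def scan_audit_log(lines) -> list[dict[str, Any]]:
    """Run the DaemonSet check over raw audit log lines and collect one alert per suspicious event."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = analyze_daemonset_event(event)
        if reasons:
            ref = event.get("objectRef", {})
            alerts.append({
                "user": event.get("user", {}).get("username"),
                "namespace": ref.get("namespace"),
                "name": ref.get("name"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"ALERT {alert['namespace']}/{alert['name']} created by {alert['user']}")
        for reason in alert["reasons"]:
            print("  -", reason)
```

The privileged and host-root-mount checks fire regardless of the DaemonSet name, so renamed variants are still caught; the audit policy must log daemonsets at RequestResponse level or requestObject will be absent.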

4.3 Host and Process Detections

Host-Level Detection: Monitor for creation of systemd services masquerading as PostgreSQL utilities such as pgmon, pgmonitor, pglog, pg_state, and internal-monitor. Detect file writes to /var/lib/pgmon/, /var/lib/svc_internal/, or /host/root/.config/sysmon/. Alert on SSH connections with StrictHostKeyChecking=no combined with lateral movement patterns. Monitor for WAV file downloads followed by process execution.

Process-Level Detection: Detect Python processes performing simultaneous AWS/Azure/GCP API calls and Kubernetes API interactions. Monitor for /proc/<pid>/mem reads by non-debugger processes. Alert on Base64 decoding operations followed by network connections.


5. Conclusion

The TeamPCP campaign represents a new paradigm in cloud-native threat activity: a fusion of industrial-scale automation, supply chain compromise expertise, and an evolving malware toolkit designed to attack the trust foundations of modern software development. In under four months, the group evolved from opportunistic exploitation of exposed Docker APIs to a coordinated campaign that compromised five major vendor ecosystems, deployed a blockchain-resilient worm, integrated a geopolitically targeted wiper, and partnered with a ransomware-as-a-service operation, all stemming from a single unrevoked CI credential.

The campaign exposes critical systemic weaknesses: incomplete credential rotation, implicit trust in security tooling, mutable version references in CI/CD workflows, and the lack of behavioral monitoring in software supply chains. Cryptographic integrity checks alone failed against attacks using legitimate but compromised credentials.

Organizations should urgently review their software bills of materials for affected packages, enforce immutable SHA-pinned workflow references, implement strict credential rotation with verification, deploy behavioral anomaly detection across CI/CD environments, and monitor for the indicators of compromise listed below. The convergence of supply chain compromise, credential theft, worm propagation, wiper deployment, and ransomware partnership makes TeamPCP one of the most operationally dangerous threat actors active today.


6. Indicators of Compromise (IoC List)

6.1 IP Addresses (C2 Servers)

Type | Value | Description
IPv4 | 23.142.184[.]129 | TeamPCP C2 server for exfiltration and remote access
IPv4 | 45.148.10[.]212 | TeamPCP C2 server for data exfiltration
IPv4 | 63.251.162[.]11 | TeamPCP C2 server
IPv4 | 83.142.209[.]11 | TeamPCP C2 server
IPv4 | 83.142.209[.]203 | TeamPCP C2 server
IPv4 | 195.5.171[.]242 | TeamPCP C2 server
IPv4 | 209.34.235[.]18 | TeamPCP C2 server
IPv4 | 212.71.124[.]188 | TeamPCP C2 server

6.2 Domains & URLs (C2 / Exfiltration)

Type | Value | Description
Domain | scan.aquasecurtiy[.]org | Typosquatted primary C2 for Trivy exfiltration
Domain | checkmarx[.]zone | Typosquatted primary C2 for Checkmarx KICS exfiltration
Domain | models.litellm[.]cloud | Typosquatted primary C2 for LiteLLM exfiltration
Domain | tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io | ICP canister decentralized backup C2
Domain | championships-peoples-point-cassette.trycloudflare[.]com | Cloudflare tunnel C2
Domain | create-sensitivity-grad-sequence.trycloudflare[.]com | Cloudflare tunnel C2
Domain | investigation-launches-hearings-copying.trycloudflare[.]com | Cloudflare tunnel C2
Domain | plug-tab-protective-relay.trycloudflare[.]com | Cloudflare tunnel C2
Domain | souls-entire-defined-routes.trycloudflare[.]com | Cloudflare tunnel C2

6.3 File Hashes (SHA256)


6.4 File Paths & Filenames

Type | Value | Description
Filename | kamikaze.sh | Initial credential harvester script
Filename | kube.py | Worm/wiper payload for Kubernetes
Filename | prop.py | Malicious Python payload
Filename | proxy_server.py | Malicious Python payload
Filename | tpcp.tar.gz | Malicious archive for payload delivery
Path | /host/root/.config/sysmon/sysmon.py | Persistence dropper location
Path | /var/lib/pgmon/pgmon.py | CanisterWorm backdoor disguised as PostgreSQL utility
Path | /var/lib/svc_internal/runner.py | Wiper/backdoor runner script
Path | /tmp/pglog | Temporary file for malware staging
Path | /tmp/.pg_state | Temporary file for malware staging
Path | /etc/systemd/system/internal-monitor.service | Malicious systemd persistence
Path | /etc/systemd/system/pgmonitor.service | Malicious systemd persistence

6.5 Kubernetes Artifacts

Value | Description
DaemonSet: host-provisioner-iran in kube-system | Iran-targeted wiper DaemonSet
DaemonSet: host-provisioner-std in kube-system | Backdoor DaemonSet for non-Iranian clusters
Container name: kamikaze | Wiper container within the DaemonSet
Container name: provisioner | Backdoor container within the DaemonSet

6.6 Trojanized Packages

Package | Registry | Malicious Versions
LiteLLM | PyPI | 1.82.7, 1.82.8
Telnyx Python SDK | PyPI | Compromised versions
ast-results | OpenVSX | v2.53.0
cx-dev-assist | OpenVSX | v1.7.0
Multiple npm packages | npm | CanisterWorm-propagated

7. MITRE ATT&CK Techniques

Technique ID | Technique Name | Tactic | Description
T1195 | Supply Chain Compromise | Initial Access | Systematic compromise of trusted OSS security tools such as Trivy, KICS, LiteLLM, and Telnyx to gain access to downstream consumers.
T1195.002 | Compromise Software Dependencies and Development Tools | Initial Access | Injection of infostealer payloads directly into GitHub Actions, PyPI registries, and npm packages.
T1078.004 | Valid Accounts: Cloud Accounts | Initial Access | Use of stolen GitHub PATs, PyPI publishing tokens, and service account credentials for authenticated access.
T1059.004 | Command and Scripting Interpreter: Unix Shell | Execution | kamikaze.sh credential harvester execution across CI/CD runners.
T1059.006 | Command and Scripting Interpreter: Python | Execution | kube.py worm/wiper and .pth-based credential stealer execution on every Python process initialization.
T1053.003 | Scheduled Task/Job: At (Linux) | Persistence | Systemd service registration for persistent backdoor (pgmonitor.service, internal-monitor.service).
T1036.005 | Masquerading: Match Legitimate Name or Location | Defense Evasion | Disguising malware as PostgreSQL utilities (pgmon, pglog, pg_state) and systemd services.
T1027 | Obfuscated Files or Information | Defense Evasion | Double Base64-encoded payloads and WAV steganography to bypass static analysis.
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion | Runtime decoding of Base64 payloads to extract C2 endpoints.
T1552.001 | Unsecured Credentials: Credentials in Files | Credential Access | Sweeping .env files, AWS/Azure/GCP config directories, and SSH keys for credential harvesting.
T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | Credential Access | Harvesting credentials from cloud instance metadata service (IMDS) endpoints.
T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | Credential Access | Using a victim's GITHUB_TOKEN to create hidden repositories as a fallback exfiltration channel.
T1530 | Data from Cloud Storage Object | Collection | Extraction of cloud access tokens, SSH keys, and Kubernetes secrets.
T1567.002 | Exfiltration Over Web Service | Exfiltration | Data exfiltration to vendor-themed typosquatted domains and ICP canister endpoints.
T1020 | Automated Exfiltration | Exfiltration | Automatic credential exfiltration triggered by npm install and Python process initialization.
T1570 | Lateral Tool Transfer | Lateral Movement | Worm propagation across Kubernetes clusters and Docker hosts.
T1021.007 | Remote Services: Kubernetes API | Lateral Movement | Scanning exposed Docker APIs on port 2375, Kubernetes API exploitation, and SSH key harvesting for lateral spread.
T1072 | Software Deployment Tools | Lateral Movement | SDK-squatting targeting internal development kits.
T1105 | Ingress Tool Transfer | Command and Control | Download of second-stage payloads (kube.py, WAV steganography payloads).
T1573.002 | Encrypted Channel: Asymmetric Cryptography | Command and Control | AES-256-CBC session key wrapped in a 4096-bit RSA public key for encrypted C2 traffic.
T1008 | Fallback Channels | Command and Control | ICP canister backup C2, Cloudflare tunnels, and victim GitHub repositories as fallback channels.
T1486 | Data Encrypted for Impact | Impact | Ransomware deployment via the Vect partnership for extortion at scale.
T1485 | Data Destruction | Impact | Iran-targeted Kubernetes wiper deploying privileged DaemonSets to brick cluster nodes.

Report generated by TI Mindmap HUB - Cross-source Threat Intelligence Analysis
Analysis date: 2026-04-03 | Sources analyzed: 20 | Classification: TLP:WHITE