Skip to content
.ca
sign in
4 mincritical

TeamPCP Is Systematically Targeting Security Tools Across the OSS Ecosystem

The threat actor TeamPCP is conducting a highly coordinated supply chain campaign targeting widely used open-source security tools and developer infrastructure, including Trivy, Checkmarx' KICS, and LiteLLM. By compromising CI/CD pipelines and GitHub Actions, the attackers are successfully turning trusted security scanners into infostealers to harvest and exfiltrate massive amounts of enterprise credentials.

Sens:ImmediateConf:mediumAnalyzed:2026-03-25reports
ActorsTeamPCPLAPSUS$CanisterWorm
Supply Chain AttackCredential HarvestingTeamPCPCI/CDTrivy

Source:Socket

IOCs · 1
  • url
    hxxps://t[.]me/team_pcpTelegram channel associated with the TeamPCP threat actor, used for announcements and extortion claims (identified via image).

Key Takeaways

  • TeamPCP is systematically targeting open-source security tools and developer infrastructure, including Trivy, Checkmarx' KICS, OpenVSX extensions, and LiteLLM.
  • The campaign specifically targets CI/CD pipelines and GitHub Actions to turn trusted security scanners into infostealers.
  • Threat actors claim to have exfiltrated approximately 300 GB of compressed credentials, with 500,000 stolen credentials attributed to the LiteLLM compromise alone.
  • There is an unconfirmed but speculated connection between TeamPCP and the LAPSUS$ threat group, supported by recent Telegram posts.
  • The attacks highlight a critical vulnerability in the software supply chain where autonomous, self-propagating OSS registry attacks follow initial CI/CD compromises.

Affected Systems

  • CI/CD Pipelines
  • GitHub Actions
  • Trivy vulnerability scanner
  • Checkmarx' KICS scanner
  • OpenVSX extensions
  • LiteLLM (PyPI package)
  • npm packages

Attack Chain

TeamPCP compromises open-source security tools and developer infrastructure, such as Trivy, Checkmarx' KICS, and PyPI packages like LiteLLM. These compromised tools are then executed within victim CI/CD pipelines, specifically via GitHub Actions. Once running inside the pipeline, the malicious code acts as an infostealer, harvesting secrets, credentials, and infrastructure data. The stolen data is then exfiltrated to the attackers, enabling further downstream supply chain attacks and extortion.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

EDR Visibility: Low — EDRs typically have limited visibility into ephemeral CI/CD pipeline runners like GitHub Actions unless specifically instrumented. Network Visibility: Medium — Outbound connections from CI/CD runners to unknown or untrusted IPs for data exfiltration could be detected with proper network monitoring. Detection Difficulty: Hard — Malicious activity is blended with legitimate security scanning tools inside ephemeral CI/CD environments, making it difficult to distinguish from normal operations.

Required Log Sources

  • CI/CD Pipeline Logs
  • GitHub Audit Logs
  • Container runtime logs
  • Network flow logs from CI/CD environments

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for unexpected outbound network connections originating from CI/CD runners executing security scanners like Trivy or KICS.Network flow logs, DNS logsExfiltrationMedium
Monitor for unauthorized access or anomalous usage of secrets and credentials recently exposed to CI/CD pipelines.Cloud Audit Logs, IAM logsCredential AccessLow

Control Gaps

  • Lack of continuous monitoring in CI/CD workflows
  • Implicit trust in open-source security tools
  • Unrestricted outbound network access from CI/CD runners

Key Behavioral Indicators

  • Anomalous outbound data transfers from CI/CD environments
  • Unexpected modifications to GitHub Actions workflows or tags

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Audit CI/CD pipelines for compromised versions of Trivy, Checkmarx KICS, OpenVSX extensions, and LiteLLM.
  • Rotate any secrets, API keys, or credentials that were exposed to potentially compromised CI/CD runners.

Infrastructure Hardening

  • Implement egress network filtering on CI/CD runners to prevent unauthorized data exfiltration.
  • Pin GitHub Actions and OSS dependencies to specific, verified commit hashes rather than mutable tags.

User Protection

  • Enforce least privilege access for CI/CD service accounts and tokens.

Security Awareness

  • Educate development and security teams on the risks of supply chain attacks targeting security tools.
  • Monitor canonical advisory discussions and threat intelligence for updates on affected OSS versions.

MITRE ATT&CK Mapping

  • T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  • T1552.007 - Credentials in Files: Container Images
  • T1528 - Steal Application Access Token
  • T1048 - Exfiltration Over Alternative Protocol

Additional IOCs

  • Urls:
    • hxxps://t[.]me/team_pcp - Telegram channel associated with the TeamPCP threat actor

Related