Your Supply Chain Breach Is Someone Else's Payday
Threat actor TeamPCP leveraged stolen credentials to compromise trusted software repositories, including LiteLLM and Checkmarx, injecting credential-harvesting malware into the supply chain. This campaign highlights the severe business risks of identity compromise, as stolen access tokens enable downstream attacks such as ransomware, payroll redirection, and logistics fraud without triggering traditional perimeter alerts.
Authors: Recorded Future, Insikt Group
Source:
Recorded Future
- domain22evxpggnkyrxpluewqsrv5j4jtde6hut2peq3w4Truncated malicious infrastructure indicator (likely an onion domain) associated with CipherForce/TeamPCP operations.
- domainmodels[.]litellm[.]cloudCommand and control (C2) infrastructure utilized by TeamPCP for credential exfiltration.
Key Takeaways
- TeamPCP compromised LiteLLM and Checkmarx using stolen credentials to inject credential-harvesting malware into trusted repositories.
- The attack cascaded across five ecosystems in five days, leveraging stolen identities at each stage to unlock subsequent targets.
- Stolen credentials from such breaches are actively weaponized for ransomware, payroll redirection (Swiper campaign), and freight rerouting (TAG-160).
- Security tools and CI/CD pipelines are increasingly targeted because they possess broad access to infrastructure and secrets.
- A single unrotated credential or publishing token is sufficient to bypass traditional perimeter defenses and poison the software supply chain.
Affected Systems
- LiteLLM (Python package)
- Checkmarx (GitHub Actions workflows)
- Aqua Security Trivy
Attack Chain
TeamPCP obtained valid maintainer credentials, likely harvested from prior infostealer infections. They utilized these credentials to gain write access to trusted repositories, including LiteLLM and Checkmarx, bypassing traditional network defenses. Malicious credential-harvesting payloads were injected into the software and GitHub Actions workflows. Upon installation by downstream users, the malware silently executed, stealing cloud credentials, API keys, and secrets, which were then encrypted and exfiltrated to actor-controlled infrastructure like models.litellm.cloud.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules or queries. It focuses on threat intelligence, actor attribution, and high-level mitigation strategies.
Detection Engineering Assessment
EDR Visibility: Medium — EDR can detect the execution of anomalous child processes from development tools or unauthorized file reads during credential harvesting, but the initial supply chain compromise occurs outside the endpoint in cloud repositories. Network Visibility: Medium — Network monitoring can detect exfiltration to known malicious domains (e.g., models.litellm.cloud), but traffic might be encrypted or blend with legitimate API calls from development environments. Detection Difficulty: Hard — The attack uses valid credentials and trusted software distribution channels, making it difficult to distinguish malicious updates from legitimate developer activity without behavioral anomaly detection.
Required Log Sources
- GitHub Audit Logs
- CI/CD Pipeline Logs
- CloudTrail / Cloud Provider API Logs
- Process Execution Logs
- DNS Query Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unusual outbound network connections from CI/CD runners or development environments to unknown or newly registered domains. | Network flows, DNS logs | Exfiltration | Medium |
| Monitor for unexpected modifications to GitHub Actions workflows or CI/CD pipeline configurations by users who do not typically manage them. | GitHub Audit Logs | Persistence/Execution | Low |
| Detect processes spawned by package managers (e.g., pip, npm) that attempt to read sensitive credential files (e.g., ~/.aws/credentials, ~/.ssh/id_rsa). | EDR/Process creation, File access logs | Credential Access | Low |
Control Gaps
- Lack of continuous code integrity verification
- Incomplete credential rotation policies
- Implicit trust in third-party security tools and dependencies
Key Behavioral Indicators
- Anomalous code commits to trusted repositories
- Unexpected access to secrets management services by CI/CD tools
- Execution of credential-harvesting scripts during package installation
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Assume compromise and rotate all credentials on systems using LiteLLM, Trivy, or Checkmarx GitHub Actions.
- Audit software pipelines for unauthorized changes or poisoned workflows.
Infrastructure Hardening
- Pin software dependencies to verified, immutable versions.
- Implement continuous, automated, AI-augmented code integrity verification.
- Enforce strict identity and access management (IAM) policies with mandatory MFA for all repository access.
User Protection
- Monitor and revoke exposed developer credentials found in infostealer logs or dark web dumps.
Security Awareness
- Educate developers on the risks of infostealers and the critical importance of securing publishing tokens and access keys.
MITRE ATT&CK Mapping
- TA0002 - Execution
- T1005 - Data from Local System
- T1486 - Data Encrypted for Impact
- T1586 - Compromise Accounts
- T1555.003 - Credentials from Web Browsers
- T1056.001 - Keylogging
- T1119 - Automated Collection
- T1082 - System Information Discovery
- T1078 - Valid Accounts
- T1195.002 - Compromise Software Supply Chain
Additional IOCs
- Domains:
models[.]litellm[.]cloud- TeamPCP C2 domain
- Other:
@pcpcats- Threat actor social media handle22evxpggnkyrxpluewqsrv5j4jtde6hut2peq3w4- Truncated malicious infrastructure indicator