TeamPCP's Supply Chain Attacks Compromise Cloud-Native Security Tools
Introduction
In March 2026, the cybercriminal group known as TeamPCP executed a sophisticated supply chain attack targeting widely used cloud-native security tools. This campaign compromised several open-source projects, including Aqua Security's Trivy vulnerability scanner and Checkmarx's KICS static code analysis tool, leading to the theft of credentials and unauthorized access to numerous cloud environments.
Initial Compromise: Trivy and KICS
The attack began with TeamPCP exploiting a misconfigured GitHub Actions workflow in the Trivy repository. By abusing the misconfigured pull_request_target trigger, the group gained unauthorized access and injected malicious code into Trivy's GitHub Actions and Docker images. This code executed credential-stealing malware during routine vulnerability scans, harvesting secrets from CI/CD pipelines. Similarly, Checkmarx's KICS tool was compromised, further expanding the attack's reach. These initial breaches allowed TeamPCP to collect a vast array of credentials, including API keys and SSH tokens.
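The page does not publish the Trivy workflow itself, so the following is an added example, not the project's code: a small lint that flags the best-known risky shape of a pull_request_target workflow, where a job checks out the pull request head (which runs untrusted fork code with the repository's write token and secrets). The sample workflows are constructed for illustration.

```python
import re

# Constructed sample (not Trivy's real workflow): a pull_request_target job
# that checks out and runs the PR head. This is the pattern to avoid.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
"""

# Constructed safer variant: the plain pull_request trigger, which runs fork
# PRs with a read-only token and without repository secrets.
SAFE_WORKFLOW = RISKY_WORKFLOW.replace("pull_request_target:", "pull_request:")

# Heuristic line-based matching so the example needs no YAML library.
TRIGGER_RE = re.compile(
    r"^\s*pull_request_target\s*:|^\s*on\s*:.*\bpull_request_target\b", re.M)
HEAD_REF_RE = re.compile(
    r"\bref\s*:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")


def find_pwn_request_pattern(workflow_text: str) -> list[str]:
    """Return findings for a workflow: empty list means nothing flagged."""
    findings = []
    uses_target = bool(TRIGGER_RE.search(workflow_text))
    checks_out_head = bool(HEAD_REF_RE.search(workflow_text))
    if uses_target and checks_out_head:
        findings.append("pull_request_target job checks out the PR head: "
                        "untrusted fork code would run with the write token and secrets")
    elif uses_target:
        findings.append("pull_request_target in use: confirm no step builds or "
                        "runs code from the PR head")
    return findings


if __name__ == "__main__":
    for label, text in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(label, find_pwn_request_pattern(text))
```

Run it over each file under `.github/workflows/` to get a first-pass inventory; a match is a review item, not proof of compromise.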
Propagation to npm and PyPI Ecosystems
Utilizing the stolen credentials, TeamPCP extended their attack to the npm and PyPI ecosystems. They injected malicious preinstall scripts into several npm packages associated with SAP's Cloud Application Programming Model (CAP) and Cloud MTA Build Tool (MBT). These scripts executed upon installation, enabling further credential harvesting. Additionally, the group compromised the LiteLLM package on PyPI, a widely used library for AI/ML applications, by publishing malicious versions that executed credential-stealing code during package installation. This cascading effect significantly amplified the attack's impact across multiple development environments.
Exploitation of Cloud Environments
With a substantial collection of credentials, TeamPCP targeted cloud environments, particularly AWS and Azure. They employed tools like TruffleHog to validate the stolen credentials and initiated enumeration activities to identify accessible resources. The group gained unauthorized access to various cloud services, including IAM roles, EC2 instances, Lambda functions, RDS databases, S3 buckets, and ECS clusters. Notably, they used conspicuous resource names such as "pawn" and "massive-exfil," indicating either operational recklessness or psychological intimidation tactics. This phase of the attack underscored the critical need for rapid response to compromised credentials to prevent unauthorized access and data exfiltration.
Novel Techniques and Persistence Mechanisms
TeamPCP introduced several novel techniques in this campaign. They utilized the Internet Computer Protocol (ICP) blockchain as command-and-control (C2) infrastructure, making traditional domain-based takedown procedures ineffective. Additionally, they employed a self-propagating npm worm capable of infecting victim-maintained packages without human intervention. A notable persistence mechanism involved Python .pth files in site-packages, which the interpreter processes at every startup, so the malicious code kept running even after the compromised package was removed. These advanced tactics highlight the group's operational sophistication and the evolving nature of supply chain attacks.
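A .pth file normally lists directories to add to sys.path, but any line beginning with `import` is executed as Python at interpreter startup, which is what makes it a persistence vector. The scanner below is an added example (not from the page); it reports every .pth file under the given site directories that contains such executable lines, using a constructed sample directory with a harmless placeholder line.

```python
import os
import site
import tempfile


def executable_pth_lines(path: str) -> list[str]:
    """Return the lines of one .pth file that the interpreter would execute
    (those starting with 'import'); plain path lines are ignored."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            stripped = line.strip()
            if stripped.startswith(("import ", "import\t")):
                hits.append(stripped)
    return hits


def scan_site_dirs(dirs) -> dict[str, list[str]]:
    """Map each .pth file under the given directories to its executable lines."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                full = os.path.join(d, name)
                lines = executable_pth_lines(full)
                if lines:
                    report[full] = lines
    return report


def build_sample_site_dir() -> str:
    """Constructed sample: one benign path-only .pth and one with an
    executable import line (a harmless placeholder, not real malware)."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "benign.pth"), "w", encoding="utf-8") as fh:
        fh.write("/opt/example/package\n")
    with open(os.path.join(d, "persist.pth"), "w", encoding="utf-8") as fh:
        fh.write("import os; os.environ.setdefault('PLACEHOLDER_EXAMPLE', '1')\n")
    return d


if __name__ == "__main__":
    # Real audit of this interpreter's own site directories.
    targets = site.getsitepackages() + [site.getusersitepackages()]
    for f, lines in scan_site_dirs(targets).items():
        print(f, lines)
```

Some legitimate tooling (editable installs, certain import hooks) ships .pth files with import lines, so each hit should be traced back to the package that owns it rather than deleted blindly.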
Impact and Response
The repercussions of TeamPCP's campaign were extensive. Organizations using compromised versions of Trivy, KICS, LiteLLM, and affected npm packages faced significant risks, including unauthorized access to cloud environments, data breaches, and potential deployment of ransomware. The campaign's focus on cloud-native security tools and AI/ML development pipelines underscored the vulnerabilities inherent in widely trusted open-source projects. In response, security researchers and affected organizations initiated comprehensive incident response measures, including credential rotations, forensic audits, and enhanced monitoring of CI/CD pipelines and cloud environments.
Mitigation Strategies
To defend against similar supply chain attacks, organizations should implement several key strategies:
- Credential Management: Regularly rotate credentials and implement strict access controls to minimize the impact of potential compromises.
- Supply Chain Security: Conduct thorough security assessments of third-party tools and libraries, and monitor for unauthorized changes or anomalies.
- Incident Response Planning: Develop and regularly update incident response plans to ensure swift action in the event of a security breach.
- Monitoring and Detection: Implement continuous monitoring of CI/CD pipelines and cloud environments to detect and respond to suspicious activities promptly.
By adopting these measures, organizations can enhance their resilience against supply chain attacks and protect their cloud-native infrastructures from emerging threats.
Conclusion
TeamPCP's March 2026 supply chain attack serves as a stark reminder of the vulnerabilities present in widely used open-source security tools and the critical importance of robust supply chain security practices. The group's sophisticated tactics, including the exploitation of trusted tools and the use of novel persistence mechanisms, highlight the evolving nature of cyber threats. Organizations must remain vigilant, continuously assess their security postures, and implement comprehensive strategies to mitigate the risks associated with supply chain attacks.
For further details on TeamPCP's activities and mitigation recommendations, refer to the following sources:
- SANS Institute: When the Security Scanner Became the Weapon: Inside the TeamPCP Supply Chain Campaign
- Dark Reading: TeamPCP Breaches Cloud, SaaS Instances With Stolen Credentials
- Ars Technica: Self-propagating malware poisons open source software and wipes Iran-based machines
- Cloud Security Alliance: TeamPCP: Cascading Supply Chain Attack on AI/ML Tooling
- SecurityWeek: TeamPCP Moves From OSS to AWS Environments